Repository: nccgroup/ScoutSuite Branch: master Commit: 7909f2fc6186 Files: 1474 Total size: 4.0 MB Directory structure: gitextract_u53o_x4_/ ├── .coveragerc ├── .flake8 ├── .github/ │ ├── ISSUE_TEMPLATE/ │ │ ├── bug_report.md │ │ └── feature_request.md │ ├── PULL_REQUEST_TEMPLATE.md │ └── workflows/ │ ├── frontend-build.yml │ └── testing.yml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── MANIFEST.in ├── README.md ├── ScoutSuite/ │ ├── __init__.py │ ├── __main__.py │ ├── core/ │ │ ├── __init__.py │ │ ├── cli_parser.py │ │ ├── conditions.py │ │ ├── console.py │ │ ├── exceptions.py │ │ ├── fs.py │ │ ├── processingengine.py │ │ ├── rule.py │ │ ├── rule_definition.py │ │ ├── ruleset.py │ │ ├── server.py │ │ └── utils.py │ ├── data/ │ │ ├── aws/ │ │ │ └── ip-ranges/ │ │ │ ├── aws-in-ec2.json │ │ │ ├── aws-in-us.json │ │ │ └── aws.json │ │ ├── icmp_message_types.json │ │ └── protocols.json │ ├── output/ │ │ ├── __init__.py │ │ ├── data/ │ │ │ ├── html/ │ │ │ │ ├── conditionals/ │ │ │ │ │ ├── json_format.html │ │ │ │ │ └── sqlite_format.html │ │ │ │ ├── partials/ │ │ │ │ │ ├── about_scoutsuite.html │ │ │ │ │ ├── accordion.html │ │ │ │ │ ├── accordion_policy.html │ │ │ │ │ ├── aliyun/ │ │ │ │ │ │ ├── left_menu_for_aliyun_region.html │ │ │ │ │ │ ├── services.actiontrail.trails.html │ │ │ │ │ │ ├── services.ecs.regions.id.instances.html │ │ │ │ │ │ ├── services.kms.regions.id.keys.html │ │ │ │ │ │ ├── services.oss.buckets.html │ │ │ │ │ │ ├── services.ram.groups.html │ │ │ │ │ │ ├── services.ram.policies.html │ │ │ │ │ │ ├── services.ram.roles.html │ │ │ │ │ │ ├── services.ram.users.html │ │ │ │ │ │ ├── services.rds.regions.id.instances.html │ │ │ │ │ │ └── services.vpc.regions.id.vpcs.html │ │ │ │ │ ├── aws/ │ │ │ │ │ │ ├── left_menu_for_region.html │ │ │ │ │ │ ├── left_menu_for_vpc.html │ │ │ │ │ │ ├── services.acm.regions.id.certificates.html │ │ │ │ │ │ ├── services.awslambda.regions.id.functions.html │ │ │ │ │ │ ├── 
services.cloudformation.regions.id.stacks.html │ │ │ │ │ │ ├── services.cloudfront.distributions.html │ │ │ │ │ │ ├── services.cloudtrail.regions.html │ │ │ │ │ │ ├── services.cloudtrail.regions.id.trails.html │ │ │ │ │ │ ├── services.cloudwatch.regions.id.alarms.html │ │ │ │ │ │ ├── services.cloudwatch.regions.id.metric_filters.html │ │ │ │ │ │ ├── services.config.regions.html │ │ │ │ │ │ ├── services.config.regions.id.recorders.html │ │ │ │ │ │ ├── services.config.regions.id.rules.html │ │ │ │ │ │ ├── services.dynamodb.regions.id.tables.html │ │ │ │ │ │ ├── services.ec2.regions.id.regional_settings.html │ │ │ │ │ │ ├── services.ec2.regions.id.snapshots.html │ │ │ │ │ │ ├── services.ec2.regions.id.volumes.html │ │ │ │ │ │ ├── services.ec2.regions.id.vpcs.id.images.html │ │ │ │ │ │ ├── services.ec2.regions.id.vpcs.id.instances.html │ │ │ │ │ │ ├── services.ec2.regions.id.vpcs.id.security_groups.html │ │ │ │ │ │ ├── services.ec2.regions.vpcs.security_groups.resource_list.html │ │ │ │ │ │ ├── services.ec2.regions.vpcs.security_groups.rule_list.html │ │ │ │ │ │ ├── services.elasticache.regions.id.parameter_groups.html │ │ │ │ │ │ ├── services.elasticache.regions.id.security_groups.html │ │ │ │ │ │ ├── services.elasticache.regions.id.subnet_groups.html │ │ │ │ │ │ ├── services.elasticache.regions.id.vpcs.id.clusters.html │ │ │ │ │ │ ├── services.elb.regions.id.elb_policies.html │ │ │ │ │ │ ├── services.elb.regions.id.vpcs.id.elbs.html │ │ │ │ │ │ ├── services.elb.regions.id.vpcs.id.elbs.linked_resources.html │ │ │ │ │ │ ├── services.elb.regions.id.vpcs.id.elbs.listener.html │ │ │ │ │ │ ├── services.elb.regions.id.vpcsid.elbs.linked_policy.html │ │ │ │ │ │ ├── services.elbv2.regions.id.vpcs.id.elbs.html │ │ │ │ │ │ ├── services.emr.regions.id.vpcs.id.clusters.html │ │ │ │ │ │ ├── services.iam.credential_reports.html │ │ │ │ │ │ ├── services.iam.groups.html │ │ │ │ │ │ ├── services.iam.inline_policies.html │ │ │ │ │ │ ├── services.iam.managed_policies.html │ │ │ │ │ │ 
├── services.iam.managed_policies_list.html │ │ │ │ │ │ ├── services.iam.roles.html │ │ │ │ │ │ ├── services.iam.users.html │ │ │ │ │ │ ├── services.kms.regions.id.keys.html │ │ │ │ │ │ ├── services.rds.regions.id.parameter_groups.html │ │ │ │ │ │ ├── services.rds.regions.id.security_groups.html │ │ │ │ │ │ ├── services.rds.regions.id.vpcs.id.instances.html │ │ │ │ │ │ ├── services.rds.regions.id.vpcs.id.snapshots.html │ │ │ │ │ │ ├── services.rds.regions.id.vpcs.id.subnet_groups.html │ │ │ │ │ │ ├── services.redshift.regions.id.parameter_groups.html │ │ │ │ │ │ ├── services.redshift.regions.id.vpcs.id.clusters.html │ │ │ │ │ │ ├── services.redshift.regions.id.vpcs.id.security_groups.html │ │ │ │ │ │ ├── services.redshift.regions.vpcs.cluster_nodes.html │ │ │ │ │ │ ├── services.route53.regions.id.domains.html │ │ │ │ │ │ ├── services.route53.regions.id.hosted_zones.html │ │ │ │ │ │ ├── services.s3.acls.html │ │ │ │ │ │ ├── services.s3.bucket_iam_policies.html │ │ │ │ │ │ ├── services.s3.buckets.html │ │ │ │ │ │ ├── services.s3.buckets.objects.html │ │ │ │ │ │ ├── services.s3.public_access_block_configuration.html │ │ │ │ │ │ ├── services.secretsmanager.regions.id.secrets.html │ │ │ │ │ │ ├── services.ses.regions.id.identities.html │ │ │ │ │ │ ├── services.sns.regions.id.topics.html │ │ │ │ │ │ ├── services.sqs.regions.id.queues.html │ │ │ │ │ │ ├── services.stackdriverlogging.sinks.html │ │ │ │ │ │ ├── services.vpc.regions.id.flow_logs.html │ │ │ │ │ │ ├── services.vpc.regions.id.peering_connections.html │ │ │ │ │ │ ├── services.vpc.regions.id.vpcs.html │ │ │ │ │ │ ├── services.vpc.regions.id.vpcs.id.network_acls.html │ │ │ │ │ │ ├── services.vpc.regions.id.vpcs.id.peering_connections.html │ │ │ │ │ │ └── services.vpc.regions.id.vpcs.id.subnets.html │ │ │ │ │ ├── azure/ │ │ │ │ │ │ ├── details_for_subscription.html │ │ │ │ │ │ ├── left_menu_for_subscription.html │ │ │ │ │ │ ├── services.aad.applications.html │ │ │ │ │ │ ├── services.aad.groups.html │ │ │ │ │ │ ├── 
services.aad.policies.html │ │ │ │ │ │ ├── services.aad.service_principals.html │ │ │ │ │ │ ├── services.aad.users.html │ │ │ │ │ │ ├── services.appservice.subscriptions.id.web_apps.html │ │ │ │ │ │ ├── services.keyvault.subscriptions.id.vaults.html │ │ │ │ │ │ ├── services.loggingmonitoring.subscriptions.id.diagnostic_settings.html │ │ │ │ │ │ ├── services.loggingmonitoring.subscriptions.id.log_alerts.html │ │ │ │ │ │ ├── services.loggingmonitoring.subscriptions.id.log_profiles.html │ │ │ │ │ │ ├── services.loggingmonitoring.subscriptions.id.resources_logging.html │ │ │ │ │ │ ├── services.mysqldatabase.subscriptions.id.servers.html │ │ │ │ │ │ ├── services.network.subscriptions.id.application_security_groups.html │ │ │ │ │ │ ├── services.network.subscriptions.id.network_interfaces.html │ │ │ │ │ │ ├── services.network.subscriptions.id.security_groups.html │ │ │ │ │ │ ├── services.network.subscriptions.id.virtual_networks.html │ │ │ │ │ │ ├── services.network.subscriptions.id.virtual_networks.id.subnets.html │ │ │ │ │ │ ├── services.network.subscriptions.id.watchers.html │ │ │ │ │ │ ├── services.postgresqldatabase.subscriptions.id.servers.html │ │ │ │ │ │ ├── services.rbac.subscriptions.id.custom_roles_report.html │ │ │ │ │ │ ├── services.rbac.subscriptions.id.roles.html │ │ │ │ │ │ ├── services.securitycenter.subscriptions.id.auto_provisioning_settings.html │ │ │ │ │ │ ├── services.securitycenter.subscriptions.id.compliance_results.html │ │ │ │ │ │ ├── services.securitycenter.subscriptions.id.pricings.html │ │ │ │ │ │ ├── services.securitycenter.subscriptions.id.regulatory_compliance_results.html │ │ │ │ │ │ ├── services.securitycenter.subscriptions.id.security_contacts.html │ │ │ │ │ │ ├── services.securitycenter.subscriptions.id.settings.html │ │ │ │ │ │ ├── services.sqldatabase.subscriptions.id.servers.html │ │ │ │ │ │ ├── services.storageaccounts.subscriptions.id.storage_accounts.html │ │ │ │ │ │ ├── services.virtualmachines.subscriptions.id.disks.html │ │ │ │ 
│ │ ├── services.virtualmachines.subscriptions.id.images.html │ │ │ │ │ │ ├── services.virtualmachines.subscriptions.id.instances.html │ │ │ │ │ │ └── services.virtualmachines.subscriptions.id.snapshots.html │ │ │ │ │ ├── count_badge.html │ │ │ │ │ ├── dashboard.html │ │ │ │ │ ├── details.html │ │ │ │ │ ├── details_for_region.html │ │ │ │ │ ├── details_for_vpc.html │ │ │ │ │ ├── do/ │ │ │ │ │ │ ├── services.database.databases.html │ │ │ │ │ │ ├── services.droplet.droplets.html │ │ │ │ │ │ ├── services.kubernetes.cluster.html │ │ │ │ │ │ ├── services.networking.domains.html │ │ │ │ │ │ ├── services.networking.firewalls.html │ │ │ │ │ │ ├── services.networking.load_balancers.html │ │ │ │ │ │ └── services.spaces.buckets.html │ │ │ │ │ ├── ec2_grants.html │ │ │ │ │ ├── filters.html │ │ │ │ │ ├── gcp/ │ │ │ │ │ │ ├── details_for_gcp_region.html │ │ │ │ │ │ ├── details_for_gcp_zone.html │ │ │ │ │ │ ├── details_for_project.html │ │ │ │ │ │ ├── left_menu_for_gcp_region.html │ │ │ │ │ │ ├── left_menu_for_gcp_zone.html │ │ │ │ │ │ ├── left_menu_for_project.html │ │ │ │ │ │ ├── services.bigquery.projects.id.datasets.html │ │ │ │ │ │ ├── services.cloudmemorystore.projects.id.redis_instances.html │ │ │ │ │ │ ├── services.cloudsql.projects.id.instances.html │ │ │ │ │ │ ├── services.cloudstorage.projects.id.buckets.html │ │ │ │ │ │ ├── services.computeengine.projects.id.firewalls.html │ │ │ │ │ │ ├── services.computeengine.projects.id.global_forwarding_rules.html │ │ │ │ │ │ ├── services.computeengine.projects.id.networks.html │ │ │ │ │ │ ├── services.computeengine.projects.id.regions.id.forwarding_rules.html │ │ │ │ │ │ ├── services.computeengine.projects.id.regions.id.subnetworks.html │ │ │ │ │ │ ├── services.computeengine.projects.id.snapshots.html │ │ │ │ │ │ ├── services.computeengine.projects.id.zones.id.instances.html │ │ │ │ │ │ ├── services.dns.projects.id.managed_zones.html │ │ │ │ │ │ ├── services.functions.projects.id.functions_v1.html │ │ │ │ │ │ ├── 
services.functions.projects.id.functions_v2.html │ │ │ │ │ │ ├── services.iam.projects.id.bindings.html │ │ │ │ │ │ ├── services.iam.projects.id.bindings_separation_duties.html │ │ │ │ │ │ ├── services.iam.projects.id.domains.html │ │ │ │ │ │ ├── services.iam.projects.id.groups.html │ │ │ │ │ │ ├── services.iam.projects.id.service_accounts.html │ │ │ │ │ │ ├── services.iam.projects.id.users.html │ │ │ │ │ │ ├── services.kms.projects.id.keyrings.html │ │ │ │ │ │ ├── services.kubernetesengine.clusters.html │ │ │ │ │ │ ├── services.stackdriverlogging.projects.id.logging_metrics.html │ │ │ │ │ │ ├── services.stackdriverlogging.projects.id.metrics.html │ │ │ │ │ │ ├── services.stackdriverlogging.projects.id.sinks.html │ │ │ │ │ │ ├── services.stackdrivermonitoring.projects.id.alert_policies.html │ │ │ │ │ │ ├── services.stackdrivermonitoring.projects.id.monitoring_alert_policies.html │ │ │ │ │ │ └── services.stackdrivermonitoring.projects.id.uptime_checks.html │ │ │ │ │ ├── generic_object.html │ │ │ │ │ ├── ip_grants.html │ │ │ │ │ ├── kubernetes/ │ │ │ │ │ │ ├── details_for_kubernetes_resource.html │ │ │ │ │ │ ├── details_for_project.html │ │ │ │ │ │ ├── details_for_subscription.html │ │ │ │ │ │ ├── kubernetes_code.html │ │ │ │ │ │ ├── kubernetes_container_security_context.html │ │ │ │ │ │ ├── kubernetes_data.html │ │ │ │ │ │ ├── kubernetes_object.html │ │ │ │ │ │ ├── kubernetes_pod_security_context.html │ │ │ │ │ │ ├── kubernetes_resource_containers.html │ │ │ │ │ │ ├── kubernetes_resource_host.html │ │ │ │ │ │ ├── kubernetes_resource_limits.html │ │ │ │ │ │ ├── left_menu_for_kubernetes_resource.html │ │ │ │ │ │ ├── left_menu_for_project.html │ │ │ │ │ │ ├── left_menu_for_subscription.html │ │ │ │ │ │ ├── services.eks.encryption.html │ │ │ │ │ │ ├── services.eks.logging.html │ │ │ │ │ │ ├── services.kubernetesengine.clusters.html │ │ │ │ │ │ ├── services.loggingmonitoring.subscriptions.id.diagnostic_settings.html │ │ │ │ │ │ ├── 
services.loggingmonitoring.subscriptions.id.log_alerts.html │ │ │ │ │ │ ├── services.loggingmonitoring.subscriptions.id.log_profiles.html │ │ │ │ │ │ ├── services.loggingmonitoring.subscriptions.id.resources_logging.html │ │ │ │ │ │ ├── services.version.details.html │ │ │ │ │ │ └── utils.html │ │ │ │ │ ├── last_run_details.html │ │ │ │ │ ├── left_menu.html │ │ │ │ │ ├── metadata.html │ │ │ │ │ ├── modal.html │ │ │ │ │ ├── network_interface.html │ │ │ │ │ ├── oci/ │ │ │ │ │ │ ├── services.identity.groups.html │ │ │ │ │ │ ├── services.identity.policies.html │ │ │ │ │ │ ├── services.identity.users.html │ │ │ │ │ │ ├── services.kms.keyvaults.html │ │ │ │ │ │ └── services.objectstorage.buckets.html │ │ │ │ │ ├── policy.html │ │ │ │ │ ├── report_footer.html │ │ │ │ │ ├── resource_link.html │ │ │ │ │ ├── resources_details.html │ │ │ │ │ └── singles.html │ │ │ │ ├── report.html │ │ │ │ └── summaries/ │ │ │ │ ├── aliyun/ │ │ │ │ │ ├── services.ram.password_policy.html │ │ │ │ │ └── services.ram.security_policy.html │ │ │ │ ├── attack_surface.html │ │ │ │ ├── aws/ │ │ │ │ │ ├── services.ec2.external_attack_surface.html │ │ │ │ │ ├── services.elb.external_attack_surface.html │ │ │ │ │ ├── services.elbv2.external_attack_surface.html │ │ │ │ │ ├── services.iam.password_policy.html │ │ │ │ │ ├── services.iam.permissions.html │ │ │ │ │ ├── services.rds.external_attack_surface.html │ │ │ │ │ └── services.redshift.external_attack_surface.html │ │ │ │ ├── azure/ │ │ │ │ │ └── .keep │ │ │ │ ├── do/ │ │ │ │ │ └── .gitkeep │ │ │ │ ├── gcp/ │ │ │ │ │ └── .keep │ │ │ │ ├── kubernetes/ │ │ │ │ │ ├── services.kubernetes_workload.images.html │ │ │ │ │ ├── services.rbac.dangerous_grants.html │ │ │ │ │ ├── services.rbac.dodgy_subjects.html │ │ │ │ │ └── services.rbac.permissive_bindings.html │ │ │ │ ├── oci/ │ │ │ │ │ └── services.identity.password_policy.html │ │ │ │ ├── service_groups.compute.summaries.external_attack_surface.html │ │ │ │ └── 
service_groups.database.summaries.external_attack_surface.html │ │ │ ├── inc-scoutsuite/ │ │ │ │ ├── css/ │ │ │ │ │ ├── modal.css │ │ │ │ │ ├── scoutsuite-dark.css │ │ │ │ │ ├── scoutsuite-light.css │ │ │ │ │ └── scoutsuite.css │ │ │ │ ├── helpers.js │ │ │ │ ├── pagination.js │ │ │ │ ├── provider.js │ │ │ │ ├── scoutsuite.js │ │ │ │ ├── sqlite.js │ │ │ │ └── theme.js │ │ │ └── listall-configs/ │ │ │ └── ec2.regions.id.vpcs.id.security_groups.id.json │ │ ├── html.py │ │ ├── result_encoder.py │ │ └── utils.py │ ├── providers/ │ │ ├── __init__.py │ │ ├── aliyun/ │ │ │ ├── __init__.py │ │ │ ├── authentication_strategy.py │ │ │ ├── facade/ │ │ │ │ ├── __init__.py │ │ │ │ ├── actiontrail.py │ │ │ │ ├── base.py │ │ │ │ ├── ecs.py │ │ │ │ ├── kms.py │ │ │ │ ├── oss.py │ │ │ │ ├── ram.py │ │ │ │ ├── rds.py │ │ │ │ ├── utils.py │ │ │ │ └── vpc.py │ │ │ ├── metadata.json │ │ │ ├── provider.py │ │ │ ├── resources/ │ │ │ │ ├── __init__.py │ │ │ │ ├── actiontrail/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── trails.py │ │ │ │ ├── base.py │ │ │ │ ├── ecs/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── instances.py │ │ │ │ ├── kms/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── keys.py │ │ │ │ ├── oss/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── buckets.py │ │ │ │ ├── ram/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── api_keys.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── groups.py │ │ │ │ │ ├── password_policy.py │ │ │ │ │ ├── policies.py │ │ │ │ │ ├── roles.py │ │ │ │ │ ├── security_policy.py │ │ │ │ │ └── users.py │ │ │ │ ├── rds/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── instances.py │ │ │ │ ├── regions.py │ │ │ │ └── vpc/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ └── vpcs.py │ │ │ ├── rules/ │ │ │ │ ├── findings/ │ │ │ │ │ ├── actiontrail-not-configured.json │ │ │ │ │ ├── actiontrail-not-enabled.json │ │ │ │ │ ├── ecs-instance-with-deletion-protection-disabled.json │ │ │ │ │ ├── 
ecs-instance-with-public-ip.json │ │ │ │ │ ├── kms-no-key-rotation.json │ │ │ │ │ ├── ram-password-policy-expiration-threshold.json │ │ │ │ │ ├── ram-password-policy-minimum-length.json │ │ │ │ │ ├── ram-password-policy-no-expiration.json │ │ │ │ │ ├── ram-password-policy-no-lowercase-required.json │ │ │ │ │ ├── ram-password-policy-no-number-required.json │ │ │ │ │ ├── ram-password-policy-no-symbol-required.json │ │ │ │ │ ├── ram-password-policy-no-uppercase-required.json │ │ │ │ │ ├── ram-password-policy-reuse-enabled.json │ │ │ │ │ ├── ram-user-lacking-mfa.json │ │ │ │ │ ├── ram-user-unused-api-key.json │ │ │ │ │ ├── ram-user-unused-console-password.json │ │ │ │ │ ├── ram-user-with-multiple-api-keys.json │ │ │ │ │ └── ram-user-with-old-api-key.json │ │ │ │ └── rulesets/ │ │ │ │ ├── default.json │ │ │ │ └── filters.json │ │ │ ├── services.py │ │ │ └── utils.py │ │ ├── aws/ │ │ │ ├── __init__.py │ │ │ ├── authentication_strategy.py │ │ │ ├── facade/ │ │ │ │ ├── __init__.py │ │ │ │ ├── acm.py │ │ │ │ ├── awslambda.py │ │ │ │ ├── base.py │ │ │ │ ├── basefacade.py │ │ │ │ ├── cloudformation.py │ │ │ │ ├── cloudfront.py │ │ │ │ ├── cloudtrail.py │ │ │ │ ├── cloudwatch.py │ │ │ │ ├── codebuild.py │ │ │ │ ├── config.py │ │ │ │ ├── directconnect.py │ │ │ │ ├── dynamodb.py │ │ │ │ ├── ec2.py │ │ │ │ ├── efs.py │ │ │ │ ├── elasticache.py │ │ │ │ ├── elb.py │ │ │ │ ├── elbv2.py │ │ │ │ ├── emr.py │ │ │ │ ├── iam.py │ │ │ │ ├── kms.py │ │ │ │ ├── rds.py │ │ │ │ ├── redshift.py │ │ │ │ ├── route53.py │ │ │ │ ├── s3.py │ │ │ │ ├── secretsmanager.py │ │ │ │ ├── ses.py │ │ │ │ ├── sns.py │ │ │ │ ├── sqs.py │ │ │ │ └── utils.py │ │ │ ├── metadata.json │ │ │ ├── provider.py │ │ │ ├── resources/ │ │ │ │ ├── __init__.py │ │ │ │ ├── acm/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── certificates.py │ │ │ │ ├── awslambda/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── functions.py │ │ │ │ ├── base.py │ │ │ │ ├── cloudformation/ │ │ │ │ │ ├── __init__.py │ 
│ │ │ │ ├── base.py │ │ │ │ │ └── stacks.py │ │ │ │ ├── cloudfront/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── distributions.py │ │ │ │ ├── cloudtrail/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── trails.py │ │ │ │ ├── cloudwatch/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── alarms.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── metric_filters.py │ │ │ │ ├── codebuild/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── build_projects.py │ │ │ │ ├── config/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── recorders.py │ │ │ │ │ └── rules.py │ │ │ │ ├── directconnect/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── connections.py │ │ │ │ ├── dynamodb/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── tables.py │ │ │ │ ├── ec2/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── ami.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── instances.py │ │ │ │ │ ├── networkinterfaces.py │ │ │ │ │ ├── regional_settings.py │ │ │ │ │ ├── securitygroups.py │ │ │ │ │ ├── snapshots.py │ │ │ │ │ ├── volumes.py │ │ │ │ │ └── vpcs.py │ │ │ │ ├── efs/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── filesystems.py │ │ │ │ ├── elasticache/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── cluster.py │ │ │ │ │ ├── parametergroups.py │ │ │ │ │ ├── securitygroups.py │ │ │ │ │ ├── subnetgroups.py │ │ │ │ │ └── vpcs.py │ │ │ │ ├── elb/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── load_balancers.py │ │ │ │ │ ├── policies.py │ │ │ │ │ └── vpcs.py │ │ │ │ ├── elbv2/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── listeners.py │ │ │ │ │ ├── load_balancers.py │ │ │ │ │ └── vpcs.py │ │ │ │ ├── emr/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── clusters.py │ │ │ │ │ └── vpcs.py │ │ │ │ ├── iam/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── credentialreports.py │ │ │ │ │ ├── groups.py │ │ │ │ │ ├── passwordpolicy.py │ │ │ │ │ ├── policies.py │ │ │ │ │ ├── roles.py 
│ │ │ │ │ └── users.py │ │ │ │ ├── kms/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── grants.py │ │ │ │ │ └── keys.py │ │ │ │ ├── rds/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── instances.py │ │ │ │ │ ├── parametergroups.py │ │ │ │ │ ├── securitygroups.py │ │ │ │ │ ├── snapshots.py │ │ │ │ │ ├── subnetgroups.py │ │ │ │ │ └── vpcs.py │ │ │ │ ├── redshift/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── cluster_parameter_groups.py │ │ │ │ │ ├── cluster_parameters.py │ │ │ │ │ ├── cluster_security_groups.py │ │ │ │ │ ├── clusters.py │ │ │ │ │ └── vpcs.py │ │ │ │ ├── regions.py │ │ │ │ ├── route53/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── domains.py │ │ │ │ │ └── hosted_zones.py │ │ │ │ ├── s3/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── buckets.py │ │ │ │ ├── secretsmanager/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── secrets.py │ │ │ │ ├── ses/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── identities.py │ │ │ │ │ └── identity_policies.py │ │ │ │ ├── sns/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── subscriptions.py │ │ │ │ │ └── topics.py │ │ │ │ ├── sqs/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── queues.py │ │ │ │ ├── vpc/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── flow_logs.py │ │ │ │ │ ├── network_acls.py │ │ │ │ │ ├── peering_connections.py │ │ │ │ │ ├── subnets.py │ │ │ │ │ └── vpcs.py │ │ │ │ └── vpcs.py │ │ │ ├── rules/ │ │ │ │ ├── conditions/ │ │ │ │ │ ├── cidr-is-all.json │ │ │ │ │ ├── ec2-security-group-in-use.json │ │ │ │ │ ├── ec2-security-group-not-used.json │ │ │ │ │ ├── instance-with-open-nacls.json │ │ │ │ │ ├── instance-with-public-ip.json │ │ │ │ │ ├── ip-not-in-private-space.json │ │ │ │ │ ├── policy-statement-any-principal.json │ │ │ │ │ ├── policy-statement-any-resource.json │ │ │ │ │ ├── policy-statement-poor-condition.json │ │ │ │ │ └── 
security-group-opens-all-ports.json │ │ │ │ ├── filters/ │ │ │ │ │ ├── ec2-instance-with-open-nacls.json │ │ │ │ │ ├── ec2-security-group-with-public-cidr-grant.json │ │ │ │ │ ├── iam-role-for-aws-account.json │ │ │ │ │ ├── iam-role-for-service.json │ │ │ │ │ └── s3-bucket-website-enabled.json │ │ │ │ ├── findings/ │ │ │ │ │ ├── acm-certificate-with-close-expiration-date.json │ │ │ │ │ ├── acm-certificate-with-transparency-logging-disabled.json │ │ │ │ │ ├── cloudformation-stack-with-role.json │ │ │ │ │ ├── cloudfront-distribution-cleartext-origin.json │ │ │ │ │ ├── cloudfront-distribution-insecure-origin.json │ │ │ │ │ ├── cloudfront-distribution-insufficient-viewer-security.json │ │ │ │ │ ├── cloudtrail-duplicated-global-services-logging.json │ │ │ │ │ ├── cloudtrail-no-cloudwatch-integration.json │ │ │ │ │ ├── cloudtrail-no-data-logging.json │ │ │ │ │ ├── cloudtrail-no-encryption-with-kms.json │ │ │ │ │ ├── cloudtrail-no-global-services-logging.json │ │ │ │ │ ├── cloudtrail-no-log-file-validation.json │ │ │ │ │ ├── cloudtrail-no-logging.json │ │ │ │ │ ├── cloudtrail-not-configured.json │ │ │ │ │ ├── cloudtrail-partial-data-logging.json │ │ │ │ │ ├── cloudwatch-alarm-without-actions.json │ │ │ │ │ ├── config-recorder-not-configured.json │ │ │ │ │ ├── ec2-ami-public.json │ │ │ │ │ ├── ec2-default-security-group-in-use.json │ │ │ │ │ ├── ec2-default-security-group-with-rules.json │ │ │ │ │ ├── ec2-ebs-default-encryption-disabled.json │ │ │ │ │ ├── ec2-ebs-snapshot-not-encrypted.json │ │ │ │ │ ├── ec2-ebs-snapshot-public.json │ │ │ │ │ ├── ec2-ebs-volume-not-encrypted.json │ │ │ │ │ ├── ec2-instance-in-security-group.json │ │ │ │ │ ├── ec2-instance-type.json │ │ │ │ │ ├── ec2-instance-types.json │ │ │ │ │ ├── ec2-instance-with-public-ip.json │ │ │ │ │ ├── ec2-instance-with-user-data-secrets.json │ │ │ │ │ ├── ec2-security-group-opens-all-ports-to-all.json │ │ │ │ │ ├── ec2-security-group-opens-all-ports-to-self.json │ │ │ │ │ ├── 
ec2-security-group-opens-all-ports.json │ │ │ │ │ ├── ec2-security-group-opens-icmp-to-all.json │ │ │ │ │ ├── ec2-security-group-opens-known-port-to-all.json │ │ │ │ │ ├── ec2-security-group-opens-plaintext-port.json │ │ │ │ │ ├── ec2-security-group-opens-port-range.json │ │ │ │ │ ├── ec2-security-group-opens-port-to-all.json │ │ │ │ │ ├── ec2-security-group-whitelists-aws-ip-from-banned-region.json │ │ │ │ │ ├── ec2-security-group-whitelists-aws.json │ │ │ │ │ ├── ec2-security-group-whitelists-non-elastic-ips.json │ │ │ │ │ ├── ec2-security-group-whitelists-unknown-aws.json │ │ │ │ │ ├── ec2-security-group-whitelists-unknown-cidrs.json │ │ │ │ │ ├── ec2-unused-security-group.json │ │ │ │ │ ├── elb-listener-allowing-cleartext.json │ │ │ │ │ ├── elb-no-access-logs.json │ │ │ │ │ ├── elb-older-ssl-policy.json │ │ │ │ │ ├── elbv2-http-request-smuggling.json │ │ │ │ │ ├── elbv2-listener-allowing-cleartext.json │ │ │ │ │ ├── elbv2-no-access-logs.json │ │ │ │ │ ├── elbv2-no-deletion-protection.json │ │ │ │ │ ├── elbv2-older-ssl-policy.json │ │ │ │ │ ├── iam-assume-role-lacks-external-id-and-mfa.json │ │ │ │ │ ├── iam-assume-role-no-mfa.json │ │ │ │ │ ├── iam-assume-role-policy-allows-all.json │ │ │ │ │ ├── iam-ec2-role-without-instances.json │ │ │ │ │ ├── iam-group-with-inline-policies.json │ │ │ │ │ ├── iam-group-with-no-users.json │ │ │ │ │ ├── iam-human-user-with-policies.json │ │ │ │ │ ├── iam-inline-policy-allows-NotActions.json │ │ │ │ │ ├── iam-inline-policy-allows-non-sts-action.json │ │ │ │ │ ├── iam-inline-policy-for-role.json │ │ │ │ │ ├── iam-lightspin-user-action-denied-for-group.json │ │ │ │ │ ├── iam-managed-policy-allows-NotActions.json │ │ │ │ │ ├── iam-managed-policy-allows-full-privileges.json │ │ │ │ │ ├── iam-managed-policy-allows-non-sts-action.json │ │ │ │ │ ├── iam-managed-policy-for-role.json │ │ │ │ │ ├── iam-managed-policy-no-attachments.json │ │ │ │ │ ├── iam-no-support-role.json │ │ │ │ │ ├── iam-password-policy-expiration-threshold.json │ │ 
│ │ │ ├── iam-password-policy-minimum-length.json │ │ │ │ │ ├── iam-password-policy-no-expiration.json │ │ │ │ │ ├── iam-password-policy-no-lowercase-required.json │ │ │ │ │ ├── iam-password-policy-no-number-required.json │ │ │ │ │ ├── iam-password-policy-no-symbol-required.json │ │ │ │ │ ├── iam-password-policy-no-uppercase-required.json │ │ │ │ │ ├── iam-password-policy-reuse-enabled.json │ │ │ │ │ ├── iam-role-with-inline-policies.json │ │ │ │ │ ├── iam-root-account-no-hardware-mfa.json │ │ │ │ │ ├── iam-root-account-no-mfa.json │ │ │ │ │ ├── iam-root-account-used-recently.json │ │ │ │ │ ├── iam-root-account-with-active-certs.json │ │ │ │ │ ├── iam-root-account-with-active-keys.json │ │ │ │ │ ├── iam-service-user-with-password.json │ │ │ │ │ ├── iam-unused-credentials-not-disabled.json │ │ │ │ │ ├── iam-user-no-key-rotation.json │ │ │ │ │ ├── iam-user-not-in-category-group.json │ │ │ │ │ ├── iam-user-not-in-common-group.json │ │ │ │ │ ├── iam-user-unused-access-key-initial-setup.json │ │ │ │ │ ├── iam-user-with-multiple-access-keys.json │ │ │ │ │ ├── iam-user-with-password-and-key.json │ │ │ │ │ ├── iam-user-with-policies.json │ │ │ │ │ ├── iam-user-without-mfa.json │ │ │ │ │ ├── kms-cmk-rotation-disabled.json │ │ │ │ │ ├── logs-no-alarm-aws-configuration-changes.json │ │ │ │ │ ├── logs-no-alarm-cloudtrail-configuration-changes.json │ │ │ │ │ ├── logs-no-alarm-cmk-deletion.json │ │ │ │ │ ├── logs-no-alarm-console-authentication-failures.json │ │ │ │ │ ├── logs-no-alarm-iam-policy-changes.json │ │ │ │ │ ├── logs-no-alarm-nacl-changes.json │ │ │ │ │ ├── logs-no-alarm-network-gateways-changes.json │ │ │ │ │ ├── logs-no-alarm-root-usage.json │ │ │ │ │ ├── logs-no-alarm-route-table-changes.json │ │ │ │ │ ├── logs-no-alarm-s3-policy-changes.json │ │ │ │ │ ├── logs-no-alarm-security-group-changes.json │ │ │ │ │ ├── logs-no-alarm-signin-without-mfa.json │ │ │ │ │ ├── logs-no-alarm-unauthorized-api-calls.json │ │ │ │ │ ├── logs-no-alarm-vpc-changes.json │ │ │ │ │ ├── 
rds-instance-backup-disabled.json │ │ │ │ │ ├── rds-instance-ca-certificate-deprecated.json │ │ │ │ │ ├── rds-instance-no-minor-upgrade.json │ │ │ │ │ ├── rds-instance-publicly-accessible.json │ │ │ │ │ ├── rds-instance-short-backup-retention-period.json │ │ │ │ │ ├── rds-instance-single-az.json │ │ │ │ │ ├── rds-instance-storage-not-encrypted.json │ │ │ │ │ ├── rds-postgres-instance-with-invalid-certificate.json │ │ │ │ │ ├── rds-security-group-allows-all.json │ │ │ │ │ ├── rds-snapshot-public.json │ │ │ │ │ ├── redshift-cluster-database-not-encrypted.json │ │ │ │ │ ├── redshift-cluster-no-version-upgrade.json │ │ │ │ │ ├── redshift-cluster-publicly-accessible.json │ │ │ │ │ ├── redshift-parameter-group-logging-disabled.json │ │ │ │ │ ├── redshift-parameter-group-ssl-not-required.json │ │ │ │ │ ├── redshift-security-group-whitelists-all.json │ │ │ │ │ ├── route53-domain-no-autorenew.json │ │ │ │ │ ├── route53-domain-no-transferlock.json │ │ │ │ │ ├── route53-domain-transferlock-not-authorized.json │ │ │ │ │ ├── s3-bucket-allowing-cleartext.json │ │ │ │ │ ├── s3-bucket-no-default-encryption.json │ │ │ │ │ ├── s3-bucket-no-logging.json │ │ │ │ │ ├── s3-bucket-no-mfa-delete.json │ │ │ │ │ ├── s3-bucket-no-versioning.json │ │ │ │ │ ├── s3-bucket-world-acl.json │ │ │ │ │ ├── s3-bucket-world-policy-arg.json │ │ │ │ │ ├── s3-bucket-world-policy-star.json │ │ │ │ │ ├── ses-identity-dkim-not-enabled.json │ │ │ │ │ ├── ses-identity-dkim-not-verified.json │ │ │ │ │ ├── ses-identity-world-policy.json │ │ │ │ │ ├── sns-topic-world-policy.json │ │ │ │ │ ├── sqs-queue-server-side-encryption-disabled.json │ │ │ │ │ ├── sqs-queue-world-policy.json │ │ │ │ │ ├── vpc-custom-network-acls-allow-all.json │ │ │ │ │ ├── vpc-default-network-acls-allow-all.json │ │ │ │ │ ├── vpc-network-acl-not-used.json │ │ │ │ │ ├── vpc-routing-tables-with-peering.json │ │ │ │ │ ├── vpc-subnet-with-bad-acls.json │ │ │ │ │ ├── vpc-subnet-with-default-acls.json │ │ │ │ │ └── 
vpc-subnet-without-flow-log.json │ │ │ │ └── rulesets/ │ │ │ │ ├── cis-1.2.0.json │ │ │ │ ├── default.json │ │ │ │ ├── detailed.json │ │ │ │ └── filters.json │ │ │ ├── services.py │ │ │ └── utils.py │ │ ├── azure/ │ │ │ ├── __init__.py │ │ │ ├── authentication_strategy.py │ │ │ ├── facade/ │ │ │ │ ├── __init__.py │ │ │ │ ├── aad.py │ │ │ │ ├── appservice.py │ │ │ │ ├── base.py │ │ │ │ ├── keyvault.py │ │ │ │ ├── loggingmonitoring.py │ │ │ │ ├── mysqldatabase.py │ │ │ │ ├── network.py │ │ │ │ ├── postgresqldatabse.py │ │ │ │ ├── rbac.py │ │ │ │ ├── resourcemanagement.py │ │ │ │ ├── securitycenter.py │ │ │ │ ├── sqldatabase.py │ │ │ │ ├── storageaccounts.py │ │ │ │ └── virtualmachines.py │ │ │ ├── metadata.json │ │ │ ├── provider.py │ │ │ ├── resources/ │ │ │ │ ├── __init__.py │ │ │ │ ├── aad/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── applications.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── groups.py │ │ │ │ │ ├── policies.py │ │ │ │ │ ├── serviceprincipals.py │ │ │ │ │ └── users.py │ │ │ │ ├── appservice/ │ │ │ │ │ ├── base.py │ │ │ │ │ └── web_apps.py │ │ │ │ ├── base.py │ │ │ │ ├── keyvault/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── vaults.py │ │ │ │ ├── loggingmonitoring/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── activity_log_alerts.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── diagnostic_resource_key_vault.py │ │ │ │ │ ├── diagnostic_settings.py │ │ │ │ │ ├── log_profiles.py │ │ │ │ │ └── resources.py │ │ │ │ ├── mysqldatabase/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── mysql_servers.py │ │ │ │ ├── network/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── application_security_groups.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── network_interfaces.py │ │ │ │ │ ├── security_groups.py │ │ │ │ │ ├── virtual_networks.py │ │ │ │ │ └── watchers.py │ │ │ │ ├── postgresqldatabase/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── configuration_connection_throttling.py │ │ │ │ │ ├── configuration_log_checkpoints.py │ │ │ │ │ ├── 
configuration_log_connections.py │ │ │ │ │ ├── configuration_log_disconnections.py │ │ │ │ │ ├── configuration_log_duration.py │ │ │ │ │ ├── configuration_log_retention_days.py │ │ │ │ │ ├── posgresql_firewall_rules.py │ │ │ │ │ └── postgresql_servers.py │ │ │ │ ├── rbac/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── custom_roles_report.py │ │ │ │ │ ├── role_assignments.py │ │ │ │ │ └── roles.py │ │ │ │ ├── securitycenter/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── alerts.py │ │ │ │ │ ├── auto_provisioning_settings.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── compliance_results.py │ │ │ │ │ ├── information_protection_policies.py │ │ │ │ │ ├── pricings.py │ │ │ │ │ ├── regulatory_compliance_results.py │ │ │ │ │ ├── security_contacts.py │ │ │ │ │ └── settings.py │ │ │ │ ├── sqldatabase/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── database_blob_auditing_policies.py │ │ │ │ │ ├── database_threat_detection_policies.py │ │ │ │ │ ├── databases.py │ │ │ │ │ ├── firewall_rules.py │ │ │ │ │ ├── replication_links.py │ │ │ │ │ ├── server_azure_ad_administrators.py │ │ │ │ │ ├── server_blob_auditing_policies.py │ │ │ │ │ ├── server_encryption_protectors.py │ │ │ │ │ ├── server_security_alert_policies.py │ │ │ │ │ ├── server_vulnerability_assessments.py │ │ │ │ │ ├── servers.py │ │ │ │ │ └── transparent_data_encryptions.py │ │ │ │ ├── storageaccounts/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── blob_containers.py │ │ │ │ │ ├── blob_services.py │ │ │ │ │ ├── queues.py │ │ │ │ │ └── storage_accounts.py │ │ │ │ ├── subscriptions.py │ │ │ │ └── virtualmachines/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ ├── disks.py │ │ │ │ ├── images.py │ │ │ │ ├── instances.py │ │ │ │ └── snapshots.py │ │ │ ├── rules/ │ │ │ │ ├── conditions/ │ │ │ │ │ ├── allow-tcp.json │ │ │ │ │ ├── allow-udp.json │ │ │ │ │ └── exposed-to-the-internet.json │ │ │ │ ├── findings/ │ │ │ │ │ ├── aad-guest-users.json │ │ │ │ │ ├── 
aad-users-create-security-groups-disabled.json │ │ │ │ │ ├── appservice-authentication-disabled.json │ │ │ │ │ ├── appservice-client-certificates-disabled.json │ │ │ │ │ ├── appservice-ftp-deployment-enabled.json │ │ │ │ │ ├── appservice-http-2-disabled.json │ │ │ │ │ ├── appservice-http-allowed.json │ │ │ │ │ ├── appservice-managed-service-identities-disabled.json │ │ │ │ │ ├── appservice-outdated-version-dotnet.json │ │ │ │ │ ├── appservice-outdated-version-java.json │ │ │ │ │ ├── appservice-outdated-version-php.json │ │ │ │ │ ├── appservice-outdated-version-python.json │ │ │ │ │ ├── appservice-tls-v1-supported.json │ │ │ │ │ ├── appservice-webapp-using-outdated-progamming-language-version.json │ │ │ │ │ ├── keyvault-not-recoverable.json │ │ │ │ │ ├── keyvault-public-traffic-allowed.json │ │ │ │ │ ├── keyvault-rbac-authorization-disabled.json │ │ │ │ │ ├── logging-monitoring-diagnostic-setting-does-not-exist.json │ │ │ │ │ ├── logging-monitoring-log-alert-not-exist-create-policy-assignment.json │ │ │ │ │ ├── logging-monitoring-log-alert-not-exist-nsg.json │ │ │ │ │ ├── logging-monitoring-log-alert-not-exist-security-solution.json │ │ │ │ │ ├── logging-monitoring-logging-key-vault-disabled.json │ │ │ │ │ ├── logging-monitoring-profile-does-not-capture-all-activities.json │ │ │ │ │ ├── mysql-database-servers-ssl-enforcement-disabled.json │ │ │ │ │ ├── network-security-groups-rule-inbound-internet-all.json │ │ │ │ │ ├── network-security-groups-rule-inbound-service-mssql.json │ │ │ │ │ ├── network-security-groups-rule-inbound-service-udp.json │ │ │ │ │ ├── network-security-groups-rule-inbound-service.json │ │ │ │ │ ├── network-watcher-not-enabled.json │ │ │ │ │ ├── network-watcher-not-provisioned.json │ │ │ │ │ ├── postgresql-database-servers-allow-any-ip.json │ │ │ │ │ ├── postgresql-database-servers-connection-throttling-not-on.json │ │ │ │ │ ├── postgresql-database-servers-log-checkpoints-not-on.json │ │ │ │ │ ├── 
postgresql-database-servers-log-connections-not-on.json │ │ │ │ │ ├── postgresql-database-servers-log-disconnections-not-on.json │ │ │ │ │ ├── postgresql-database-servers-log-duration-not-on.json │ │ │ │ │ ├── postgresql-database-servers-log-retention-days-less-than-4.json │ │ │ │ │ ├── postgresql-database-servers-ssl-enforcement-disabled.json │ │ │ │ │ ├── rbac-administering-resource-locks-assigned.json │ │ │ │ │ ├── rbac-custom-subscription-owner-role-not-allowed.json │ │ │ │ │ ├── securitycenter-auto-provisioning-off.json │ │ │ │ │ ├── securitycenter-security-contacts-email-not-set.json │ │ │ │ │ ├── securitycenter-security-contacts-no-admin-email-notifications.json │ │ │ │ │ ├── securitycenter-security-contacts-no-email-notifications.json │ │ │ │ │ ├── securitycenter-security-contacts-not-set.json │ │ │ │ │ ├── securitycenter-security-contacts-phone-not-set.json │ │ │ │ │ ├── securitycenter-settings-MCAS-integration-disabled.json │ │ │ │ │ ├── securitycenter-settings-WDATP-integration-disabled.json │ │ │ │ │ ├── securitycenter-standard-tier-not-enabled.json │ │ │ │ │ ├── sqldatabase-allow-any-ip.json │ │ │ │ │ ├── sqldatabase-databases-auditing-low-retention.json │ │ │ │ │ ├── sqldatabase-databases-no-auditing.json │ │ │ │ │ ├── sqldatabase-databases-no-threat-detection.json │ │ │ │ │ ├── sqldatabase-databases-no-transparent-data-encryption.json │ │ │ │ │ ├── sqldatabase-databases-threat-detection-disabled-alerts.json │ │ │ │ │ ├── sqldatabase-databases-threat-detection-low-retention.json │ │ │ │ │ ├── sqldatabase-databases-threat-detection-send-alerts-disabled.json │ │ │ │ │ ├── sqldatabase-servers-TDE-not-encrypted-with-customer-managed-key.json │ │ │ │ │ ├── sqldatabase-servers-auditing-low-retention.json │ │ │ │ │ ├── sqldatabase-servers-no-ad-admin-configured.json │ │ │ │ │ ├── sqldatabase-servers-no-auditing.json │ │ │ │ │ ├── sqldatabase-servers-no-threat-detection.json │ │ │ │ │ ├── sqldatabase-servers-threat-detection-disabled-alerts.json │ │ │ │ │ ├── 
sqldatabase-servers-threat-detection-low-retention.json │ │ │ │ │ ├── sqldatabase-servers-threat-detection-send-alerts-disabled.json │ │ │ │ │ ├── sqldatabase-servers-vulnerability-assessments-disabled.json │ │ │ │ │ ├── sqldatabase-servers-vulnerability-email-notif-to-admins-owners-not-set.json │ │ │ │ │ ├── sqldatabase-servers-vulnerability-recurring-scans-disabled.json │ │ │ │ │ ├── sqldatabase-servers-vulnerability-send-scan-reports-to-not-configured.json │ │ │ │ │ ├── storageaccount-access-keys-not-rotated.json │ │ │ │ │ ├── storageaccount-account-allowing-clear-text.json │ │ │ │ │ ├── storageaccount-encrypted-not-customer-managed.json │ │ │ │ │ ├── storageaccount-public-blob-container.json │ │ │ │ │ ├── storageaccount-public-traffic-allowed.json │ │ │ │ │ ├── storageaccount-soft-delete-enabled.json │ │ │ │ │ ├── storageaccount-trusted-microsoft-services.json │ │ │ │ │ ├── virtual-machines-disk-encryption.json │ │ │ │ │ ├── virtual-machines-extensions-installed.json │ │ │ │ │ ├── virtual-machines-managed-disks.json │ │ │ │ │ ├── virtual-machines-os-data-encrypted-cmk.json │ │ │ │ │ └── virtual-machines-unattached-disks-encrypted-cmk.json │ │ │ │ └── rulesets/ │ │ │ │ ├── cis-1.0.0.json │ │ │ │ ├── cis-1.1.0.json │ │ │ │ ├── cis-1.2.0.json │ │ │ │ ├── default.json │ │ │ │ └── filters.json │ │ │ ├── services.py │ │ │ └── utils.py │ │ ├── base/ │ │ │ ├── __init__.py │ │ │ ├── authentication_strategy.py │ │ │ ├── authentication_strategy_factory.py │ │ │ ├── configs/ │ │ │ │ ├── __init__.py │ │ │ │ └── browser.py │ │ │ ├── provider.py │ │ │ ├── resources/ │ │ │ │ ├── __init__.py │ │ │ │ └── base.py │ │ │ └── services.py │ │ ├── do/ │ │ │ ├── authentication_strategy.py │ │ │ ├── facade/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ ├── database.py │ │ │ │ ├── droplet.py │ │ │ │ ├── kubernetes.py │ │ │ │ ├── networking.py │ │ │ │ ├── spaces.py │ │ │ │ └── utils.py │ │ │ ├── metadata.json │ │ │ ├── provider.py │ │ │ ├── resources/ │ │ │ │ ├── __init__.py │ │ │ │ 
├── base.py │ │ │ │ ├── database/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── databases.py │ │ │ │ ├── droplet/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── droplets.py │ │ │ │ ├── kubernetes/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── kubernetes.py │ │ │ │ ├── networking/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── domains.py │ │ │ │ │ ├── firewalls.py │ │ │ │ │ └── load_balancers.py │ │ │ │ └── spaces/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ └── buckets.py │ │ │ ├── rules/ │ │ │ │ ├── filters/ │ │ │ │ │ └── .gitkeep │ │ │ │ ├── findings/ │ │ │ │ │ ├── database-databases-mysql-publically-exposed.json │ │ │ │ │ ├── database-databases-mysql-user-legacy-encryption.json │ │ │ │ │ ├── database-databases-postgres-connection-pools.json │ │ │ │ │ ├── database-databases-postgres-trusted-sources.json │ │ │ │ │ ├── database-databases-redis-evicition-policy.json │ │ │ │ │ ├── droplet-droplets-all-ports-exposed.json │ │ │ │ │ ├── droplet-droplets-backup-not-enabled.json │ │ │ │ │ ├── droplet-droplets-backup-not-present.json │ │ │ │ │ ├── droplet-droplets-custom-image.json │ │ │ │ │ ├── droplet-droplets-features-monitoring.json │ │ │ │ │ ├── droplet-droplets-firewall-not-attached.json │ │ │ │ │ ├── droplet-droplets-port-22-exposed.json │ │ │ │ │ ├── droplet-droplets-snapshot-not-present.json │ │ │ │ │ ├── kubernetes-kubernetes-autoupgrade-minor.json │ │ │ │ │ ├── kubernetes-kubernetes-ha-enabled.json │ │ │ │ │ ├── kubernetes-kubernetes-surge-upgrade.json │ │ │ │ │ ├── networking-domains-high-ttl.json │ │ │ │ │ ├── networking-domains-missing-dkim.json │ │ │ │ │ ├── networking-domains-missing-dmarc.json │ │ │ │ │ ├── networking-domains-missing-spf.json │ │ │ │ │ ├── networking-domains-spf-overly-permissive.json │ │ │ │ │ ├── networking-firewalls-public-ports.json │ │ │ │ │ ├── networking-firewalls-quad-zero.json │ │ │ │ │ ├── networking-load-balancer-backend-keepalive-disabled.json │ │ │ │ │ ├── 
networking-load-balancer-ssl-redirect-disabled.json │ │ │ │ │ ├── networking-load-balancer-without-droplet.json │ │ │ │ │ ├── spaces-buckets-cors.json │ │ │ │ │ ├── spaces-buckets-public-read.json │ │ │ │ │ └── spaces-buckets-public-write.json │ │ │ │ └── rulesets/ │ │ │ │ ├── default.json │ │ │ │ └── filters.json │ │ │ ├── services.py │ │ │ └── utils.py │ │ ├── gcp/ │ │ │ ├── __init__.py │ │ │ ├── authentication_strategy.py │ │ │ ├── facade/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ ├── basefacade.py │ │ │ │ ├── bigquery.py │ │ │ │ ├── cloudresourcemanager.py │ │ │ │ ├── cloudsql.py │ │ │ │ ├── cloudstorage.py │ │ │ │ ├── dns.py │ │ │ │ ├── functions.py │ │ │ │ ├── gce.py │ │ │ │ ├── gke.py │ │ │ │ ├── iam.py │ │ │ │ ├── kms.py │ │ │ │ ├── memorystoreredis.py │ │ │ │ ├── stackdriverlogging.py │ │ │ │ ├── stackdrivermonitoring.py │ │ │ │ └── utils.py │ │ │ ├── metadata.json │ │ │ ├── provider.py │ │ │ ├── resources/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ ├── bigquery/ │ │ │ │ │ ├── base.py │ │ │ │ │ └── datasets.py │ │ │ │ ├── cloudsql/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── backups.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── database_instances.py │ │ │ │ │ └── users.py │ │ │ │ ├── cloudstorage/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── buckets.py │ │ │ │ ├── dns/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── managed_zones.py │ │ │ │ ├── functions/ │ │ │ │ │ ├── base.py │ │ │ │ │ ├── functions_v1.py │ │ │ │ │ ├── functions_v2.py │ │ │ │ │ └── utils.py │ │ │ │ ├── gce/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── disks.py │ │ │ │ │ ├── firewalls.py │ │ │ │ │ ├── forwarding_rules.py │ │ │ │ │ ├── global_forwarding_rules.py │ │ │ │ │ ├── instance_disks.py │ │ │ │ │ ├── instances.py │ │ │ │ │ ├── networks.py │ │ │ │ │ ├── regions.py │ │ │ │ │ ├── snapshots.py │ │ │ │ │ ├── subnetworks.py │ │ │ │ │ └── zones.py │ │ │ │ ├── gke/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── 
clusters.py │ │ │ │ │ └── node_pools.py │ │ │ │ ├── iam/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── bindings_separation_duties.py │ │ │ │ │ ├── domains.py │ │ │ │ │ ├── groups.py │ │ │ │ │ ├── keys.py │ │ │ │ │ ├── member_bindings.py │ │ │ │ │ ├── service_account_bindings.py │ │ │ │ │ ├── service_accounts.py │ │ │ │ │ └── users.py │ │ │ │ ├── kms/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── keyrings.py │ │ │ │ │ ├── keys.py │ │ │ │ │ └── kms_policy.py │ │ │ │ ├── memorystore/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ └── redis_instances.py │ │ │ │ ├── projects.py │ │ │ │ ├── regions.py │ │ │ │ ├── stackdriverlogging/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── logging_metrics.py │ │ │ │ │ ├── metrics.py │ │ │ │ │ └── sinks.py │ │ │ │ ├── stackdrivermonitoring/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── alert_policies.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── monitoring_alert_policies.py │ │ │ │ │ └── uptime_checks.py │ │ │ │ └── zones.py │ │ │ ├── rules/ │ │ │ │ ├── findings/ │ │ │ │ │ ├── bigquery-dataset-member.json │ │ │ │ │ ├── bigquery-encryption-no-cmk.json │ │ │ │ │ ├── cloudsql-allows-root-login-from-any-host.json │ │ │ │ │ ├── cloudsql-instance-backups-disabled.json │ │ │ │ │ ├── cloudsql-instance-is-open-to-public-range.json │ │ │ │ │ ├── cloudsql-instance-is-open-to-the-world.json │ │ │ │ │ ├── cloudsql-instance-no-binary-logging.json │ │ │ │ │ ├── cloudsql-instance-ssl-not-required.json │ │ │ │ │ ├── cloudsql-instance-with-no-backups.json │ │ │ │ │ ├── cloudsql-instances-public-ips.json │ │ │ │ │ ├── cloudsql-mysql-instances-local-infile-on.json │ │ │ │ │ ├── cloudsql-postgresql-instances-log-checkpoints-off.json │ │ │ │ │ ├── cloudsql-postgresql-instances-log-connections-off.json │ │ │ │ │ ├── cloudsql-postgresql-instances-log-disconnections-off.json │ │ │ │ │ ├── cloudsql-postgresql-instances-log-lock-waits-off.json │ │ │ │ │ ├── 
cloudsql-postgresql-instances-log-min-duration-not-set-1.json │ │ │ │ │ ├── cloudsql-postgresql-instances-log-min-messages-not-set.json │ │ │ │ │ ├── cloudsql-postgresql-instances-log-temp-files-not-set-0.json │ │ │ │ │ ├── cloudsql-sqlservers-instances-contained-database-authentication-on.json │ │ │ │ │ ├── cloudsql-sqlservers-instances-cross-db-ownership-chaining-on.json │ │ │ │ │ ├── cloudstorage-bucket-member.json │ │ │ │ │ ├── cloudstorage-bucket-no-logging.json │ │ │ │ │ ├── cloudstorage-bucket-no-public-access-prevention.json │ │ │ │ │ ├── cloudstorage-bucket-no-versioning.json │ │ │ │ │ ├── cloudstorage-uniform-bucket-level-access-disabled.json │ │ │ │ │ ├── computeengine-firewall-default-rule-in-use.json │ │ │ │ │ ├── computeengine-firewall-rule-allows-all-ports.json │ │ │ │ │ ├── computeengine-firewall-rule-allows-internal-traffic.json │ │ │ │ │ ├── computeengine-firewall-rule-allows-port-range.json │ │ │ │ │ ├── computeengine-firewall-rule-allows-public-access.json │ │ │ │ │ ├── computeengine-firewall-rule-opens-all-ports-to-all.json │ │ │ │ │ ├── computeengine-firewall-rule-opens-sensitive-port-to-all.json │ │ │ │ │ ├── computeengine-instance-block-project-ssh-keys-disabled.json │ │ │ │ │ ├── computeengine-instance-connecting-serial-ports-enabled.json │ │ │ │ │ ├── computeengine-instance-default-service-account.json │ │ │ │ │ ├── computeengine-instance-disk-not-csek-encrypted.json │ │ │ │ │ ├── computeengine-instance-disk-with-no-snapshot.json │ │ │ │ │ ├── computeengine-instance-full-api-access.json │ │ │ │ │ ├── computeengine-instance-ip-forwarding-enabled.json │ │ │ │ │ ├── computeengine-instance-os-login-disabled.json │ │ │ │ │ ├── computeengine-instance-public-ip-adresses.json │ │ │ │ │ ├── computeengine-instance-shielded-vm-disabled.json │ │ │ │ │ ├── computeengine-instance-with-deletion-protection-disabled.json │ │ │ │ │ ├── computeengine-loadbalancer-forwarding-rule-forwards-sensitive-port.json │ │ │ │ │ ├── 
computeengine-loadbalancer-global-forwarding-rule-forwards-sensitive-port.json │ │ │ │ │ ├── computeengine-network-default-in-use.json │ │ │ │ │ ├── computeengine-network-legacy-in-use.json │ │ │ │ │ ├── computeengine-network-with-no-instances.json │ │ │ │ │ ├── computeengine-old-disk-snapshot.json │ │ │ │ │ ├── computeengine-vpc-flow-logs-disabled.json │ │ │ │ │ ├── dns-zones-dnssec-not-enabled.json │ │ │ │ │ ├── dns-zones-key-signing-key-using-rsasha1.json │ │ │ │ │ ├── dns-zones-zone-signing-key-using-rsasha1.json │ │ │ │ │ ├── functions-v1-allowing-http.json │ │ │ │ │ ├── functions-v1-environment-variables-secrets.json │ │ │ │ │ ├── functions-v1-member.json │ │ │ │ │ ├── functions-v1-public-endpoint.json │ │ │ │ │ ├── functions-v2-environment-variables-secrets.json │ │ │ │ │ ├── functions-v2-public-endpoint.json │ │ │ │ │ ├── iam-gmail-accounts-used.json │ │ │ │ │ ├── iam-lack-of-service-account-key-rotation.json │ │ │ │ │ ├── iam-primitive-role-in-use.json │ │ │ │ │ ├── iam-role-account-separation-duties-is-false.json │ │ │ │ │ ├── iam-role-assigned-to-domain.json │ │ │ │ │ ├── iam-role-assigned-to-user.json │ │ │ │ │ ├── iam-role-kms-separation-duties-is-false.json │ │ │ │ │ ├── iam-sa-has-admin-privileges.json │ │ │ │ │ ├── iam-service-account-user-member.json │ │ │ │ │ ├── iam-service-account-with-user-managed-keys.json │ │ │ │ │ ├── iam-user-has-sa-user-role.json │ │ │ │ │ ├── kms-cryptokeys-anonymously-publicly-accessible.json │ │ │ │ │ ├── kms-encryption-keys-not-rotated.json │ │ │ │ │ ├── kubernetesengine-basic-authentication-enabled.json │ │ │ │ │ ├── kubernetesengine-certificate-authentication-enabled.json │ │ │ │ │ ├── kubernetesengine-cluster-alias-ip-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-application-layer-encryption-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-binary-authorization-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-has-no-labels.json │ │ │ │ │ ├── kubernetesengine-cluster-logging-disabled.json │ │ │ │ │ ├── 
kubernetesengine-cluster-master-authorized-networks-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-metadata-server-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-monitoring-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-network-policy-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-pod-security-policy-config-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-private-endpoint-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-private-google-access-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-release-channel.json │ │ │ │ │ ├── kubernetesengine-cluster-shielded-nodes-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-workload-identity-disabled.json │ │ │ │ │ ├── kubernetesengine-dashboard-enabled.json │ │ │ │ │ ├── kubernetesengine-default-service-account-used.json │ │ │ │ │ ├── kubernetesengine-legacy-abac-enabled.json │ │ │ │ │ ├── kubernetesengine-legacy-metadata-endpoints-enabled.json │ │ │ │ │ ├── kubernetesengine-node-auto-repair-disabled.json │ │ │ │ │ ├── kubernetesengine-node-auto-upgrade-disabled.json │ │ │ │ │ ├── kubernetesengine-node-container-optimized-os-not-used.json │ │ │ │ │ ├── kubernetesengine-node-integrity-monitoring-disabled.json │ │ │ │ │ ├── kubernetesengine-node-secure-boot-disabled.json │ │ │ │ │ ├── kubernetesengine-private-nodes-disabled.json │ │ │ │ │ ├── kubernetesengine-scopes-not-limited.json │ │ │ │ │ ├── memorystore-redis-instance-auth-not-enabled.json │ │ │ │ │ ├── memorystore-redis-instance-ssl-not-required.json │ │ │ │ │ ├── stackdriverlogging-metric-filter-does-not-exist-audit-config-changes.json │ │ │ │ │ ├── stackdriverlogging-metric-filter-does-not-exist-cloud-storage-iam-permission-changes.json │ │ │ │ │ ├── stackdriverlogging-metric-filter-does-not-exist-custom-role-changes.json │ │ │ │ │ ├── stackdriverlogging-metric-filter-does-not-exist-project-ownership-assignment.json │ │ │ │ │ ├── stackdriverlogging-metric-filter-does-not-exist-sql-instance-config-changes.json │ │ │ │ │ ├── 
stackdriverlogging-metric-filter-does-not-exist-vpc-network-changes.json │ │ │ │ │ ├── stackdriverlogging-metric-filter-does-not-exist-vpc-network-firewall-rule-changes.json │ │ │ │ │ ├── stackdriverlogging-metric-filter-does-not-exist-vpc-network-route-changes.json │ │ │ │ │ ├── stackdriverlogging-no-export-sinks.json │ │ │ │ │ ├── stackdrivermonitoring-alerts-does-not-exist-audit-config-changes.json │ │ │ │ │ ├── stackdrivermonitoring-alerts-does-not-exist-cloud-storage-iam-permission-changes.json │ │ │ │ │ ├── stackdrivermonitoring-alerts-does-not-exist-custom-role-changes.json │ │ │ │ │ ├── stackdrivermonitoring-alerts-does-not-exist-project-ownership-assignment.json │ │ │ │ │ ├── stackdrivermonitoring-alerts-does-not-exist-sql-instance-config-changes.json │ │ │ │ │ ├── stackdrivermonitoring-alerts-does-not-exist-vpc-network-changes.json │ │ │ │ │ ├── stackdrivermonitoring-alerts-does-not-exist-vpc-network-firewall-rule-changes.json │ │ │ │ │ └── stackdrivermonitoring-alerts-does-not-exist-vpc-network-route-changes.json │ │ │ │ └── rulesets/ │ │ │ │ ├── cis-1.0.0.json │ │ │ │ ├── cis-1.1.0.json │ │ │ │ ├── default.json │ │ │ │ └── filters.json │ │ │ ├── services.py │ │ │ └── utils.py │ │ ├── kubernetes/ │ │ │ ├── __init__.py │ │ │ ├── authentication_strategy.py │ │ │ ├── facade/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ ├── core.py │ │ │ │ ├── eks.py │ │ │ │ ├── extra.py │ │ │ │ └── version.py │ │ │ ├── metadata.json │ │ │ ├── provider.py │ │ │ ├── resources/ │ │ │ │ ├── __init__.py │ │ │ │ ├── aks.py │ │ │ │ ├── base.py │ │ │ │ ├── eks.py │ │ │ │ ├── fake_network_policy.py │ │ │ │ ├── gke.py │ │ │ │ ├── rbac.py │ │ │ │ ├── version.py │ │ │ │ └── workload.py │ │ │ ├── rules/ │ │ │ │ ├── findings/ │ │ │ │ │ ├── configmap-unnecessary-secrets.json │ │ │ │ │ ├── cron-job-apparmor-annotation-missing.json │ │ │ │ │ ├── cron-job-automounted-service-account-token.json │ │ │ │ │ ├── cron-job-container-ability-to-modify-root-filesystem.json │ │ │ │ │ ├── 
cron-job-container-allowing-privilege-escalation.json │ │ │ │ │ ├── cron-job-container-running-as-root-group.json │ │ │ │ │ ├── cron-job-container-running-as-root-user.json │ │ │ │ │ ├── cron-job-container-with-overly-permissive-capabilities.json │ │ │ │ │ ├── cron-job-container-with-possible-root-privileges.json │ │ │ │ │ ├── cron-job-host-ipc-true.json │ │ │ │ │ ├── cron-job-host-network-true.json │ │ │ │ │ ├── cron-job-host-pid-true.json │ │ │ │ │ ├── cron-job-kubernetes-container-manifest-hardening.json │ │ │ │ │ ├── cron-job-privileged-container-running.json │ │ │ │ │ ├── cron-job-resources-without-defined-cpu-limit.json │ │ │ │ │ ├── cron-job-resources-without-defined-limits.json │ │ │ │ │ ├── cron-job-resources-without-defined-memory-limit.json │ │ │ │ │ ├── daemonset-apparmor-annotation-missing.json │ │ │ │ │ ├── daemonset-automounted-service-account-token.json │ │ │ │ │ ├── daemonset-container-ability-to-modify-root-filesystem.json │ │ │ │ │ ├── daemonset-container-allowing-privilege-escalation.json │ │ │ │ │ ├── daemonset-container-running-as-root-group.json │ │ │ │ │ ├── daemonset-container-running-as-root-user.json │ │ │ │ │ ├── daemonset-container-with-overly-permissive-capabilities.json │ │ │ │ │ ├── daemonset-container-with-possible-root-privileges.json │ │ │ │ │ ├── daemonset-host-ipc-true.json │ │ │ │ │ ├── daemonset-host-network-true.json │ │ │ │ │ ├── daemonset-host-pid-true.json │ │ │ │ │ ├── daemonset-kubernetes-container-manifest-hardening.json │ │ │ │ │ ├── daemonset-privileged-container-running.json │ │ │ │ │ ├── daemonset-resources-without-defined-cpu-limit.json │ │ │ │ │ ├── daemonset-resources-without-defined-limits.json │ │ │ │ │ ├── daemonset-resources-without-defined-memory-limit.json │ │ │ │ │ ├── deployment-apparmor-annotation-missing.json │ │ │ │ │ ├── deployment-automounted-service-account-token.json │ │ │ │ │ ├── deployment-container-ability-to-modify-root-filesystem.json │ │ │ │ │ ├── 
deployment-container-allowing-privilege-escalation.json │ │ │ │ │ ├── deployment-container-running-as-root-group.json │ │ │ │ │ ├── deployment-container-running-as-root-user.json │ │ │ │ │ ├── deployment-container-with-overly-permissive-capabilities.json │ │ │ │ │ ├── deployment-container-with-possible-root-privileges.json │ │ │ │ │ ├── deployment-host-ipc-true.json │ │ │ │ │ ├── deployment-host-network-true.json │ │ │ │ │ ├── deployment-host-pid-true.json │ │ │ │ │ ├── deployment-kubernetes-container-manifest-hardening.json │ │ │ │ │ ├── deployment-privileged-container-running.json │ │ │ │ │ ├── deployment-resources-without-defined-cpu-limit.json │ │ │ │ │ ├── deployment-resources-without-defined-limits.json │ │ │ │ │ ├── deployment-resources-without-defined-memory-limit.json │ │ │ │ │ ├── eks-insufficient-control-plane-logging.json │ │ │ │ │ ├── eks-kms-encryption-disabled.json │ │ │ │ │ ├── eks-publically-accessible-apiserver.json │ │ │ │ │ ├── job-apparmor-annotation-missing.json │ │ │ │ │ ├── job-automounted-service-account-token.json │ │ │ │ │ ├── job-container-ability-to-modify-root-filesystem.json │ │ │ │ │ ├── job-container-allowing-privilege-escalation.json │ │ │ │ │ ├── job-container-running-as-root-group.json │ │ │ │ │ ├── job-container-running-as-root-user.json │ │ │ │ │ ├── job-container-with-overly-permissive-capabilities.json │ │ │ │ │ ├── job-container-with-possible-root-privileges.json │ │ │ │ │ ├── job-host-ipc-true.json │ │ │ │ │ ├── job-host-network-true.json │ │ │ │ │ ├── job-host-pid-true.json │ │ │ │ │ ├── job-kubernetes-container-manifest-hardening.json │ │ │ │ │ ├── job-privileged-container-running.json │ │ │ │ │ ├── job-resources-without-defined-cpu-limit.json │ │ │ │ │ ├── job-resources-without-defined-limits.json │ │ │ │ │ ├── job-resources-without-defined-memory-limit.json │ │ │ │ │ ├── kubernetesengine-basic-authentication-enabled.json │ │ │ │ │ ├── kubernetesengine-certificate-authentication-enabled.json │ │ │ │ │ ├── 
kubernetesengine-cluster-alias-ip-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-application-layer-encryption-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-binary-authorization-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-has-no-labels.json │ │ │ │ │ ├── kubernetesengine-cluster-logging-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-master-authorized-networks-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-metadata-server-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-monitoring-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-network-policy-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-pod-security-policy-config-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-private-endpoint-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-private-google-access-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-release-channel.json │ │ │ │ │ ├── kubernetesengine-cluster-shielded-nodes-disabled.json │ │ │ │ │ ├── kubernetesengine-cluster-workload-identity-disabled.json │ │ │ │ │ ├── kubernetesengine-dashboard-enabled.json │ │ │ │ │ ├── kubernetesengine-default-service-account-used.json │ │ │ │ │ ├── kubernetesengine-legacy-abac-enabled.json │ │ │ │ │ ├── kubernetesengine-legacy-metadata-endpoints-enabled.json │ │ │ │ │ ├── kubernetesengine-node-auto-repair-disabled.json │ │ │ │ │ ├── kubernetesengine-node-auto-upgrade-disabled.json │ │ │ │ │ ├── kubernetesengine-node-container-optimized-os-not-used.json │ │ │ │ │ ├── kubernetesengine-node-integrity-monitoring-disabled.json │ │ │ │ │ ├── kubernetesengine-node-secure-boot-disabled.json │ │ │ │ │ ├── kubernetesengine-private-nodes-disabled.json │ │ │ │ │ ├── kubernetesengine-scopes-not-limited.json │ │ │ │ │ ├── logging-monitoring-diagnostic-setting-does-not-exist.json │ │ │ │ │ ├── logging-monitoring-log-alert-not-exist-create-policy-assignment.json │ │ │ │ │ ├── logging-monitoring-log-alert-not-exist-nsg.json │ │ │ │ │ ├── 
logging-monitoring-log-alert-not-exist-security-solution.json │ │ │ │ │ ├── logging-monitoring-logging-key-vault-disabled.json │ │ │ │ │ ├── logging-monitoring-profile-does-not-capture-all-activities.json │ │ │ │ │ ├── networkpolicy-unrestricted-cluster-network-access.json │ │ │ │ │ ├── networkpolicy-unrestricted-cluster-network-egress.json │ │ │ │ │ ├── networkpolicy-unrestricted-cluster-network-ingress.json │ │ │ │ │ ├── pod-apparmor-annotation-missing.json │ │ │ │ │ ├── pod-automounted-service-account-token.json │ │ │ │ │ ├── pod-container-ability-to-modify-root-filesystem.json │ │ │ │ │ ├── pod-container-allowing-privilege-escalation.json │ │ │ │ │ ├── pod-container-running-as-root-group.json │ │ │ │ │ ├── pod-container-running-as-root-user.json │ │ │ │ │ ├── pod-container-with-overly-permissive-capabilities.json │ │ │ │ │ ├── pod-container-with-possible-root-privileges.json │ │ │ │ │ ├── pod-helm-tiller-in-use.json │ │ │ │ │ ├── pod-host-ipc-true.json │ │ │ │ │ ├── pod-host-network-true.json │ │ │ │ │ ├── pod-host-pid-true.json │ │ │ │ │ ├── pod-kubernetes-container-manifest-hardening.json │ │ │ │ │ ├── pod-privileged-container-running.json │ │ │ │ │ ├── pod-resources-without-defined-cpu-limit.json │ │ │ │ │ ├── pod-resources-without-defined-limits.json │ │ │ │ │ ├── pod-resources-without-defined-memory-limit.json │ │ │ │ │ ├── podtemplate-apparmor-annotation-missing.json │ │ │ │ │ ├── podtemplate-automounted-service-account-token.json │ │ │ │ │ ├── podtemplate-container-ability-to-modify-root-filesystem.json │ │ │ │ │ ├── podtemplate-container-allowing-privilege-escalation.json │ │ │ │ │ ├── podtemplate-container-running-as-root-group.json │ │ │ │ │ ├── podtemplate-container-running-as-root-user.json │ │ │ │ │ ├── podtemplate-container-with-overly-permissive-capabilities.json │ │ │ │ │ ├── podtemplate-container-with-possible-root-privileges.json │ │ │ │ │ ├── podtemplate-host-ipc-true.json │ │ │ │ │ ├── podtemplate-host-network-true.json │ │ │ │ │ ├── 
podtemplate-host-pid-true.json │ │ │ │ │ ├── podtemplate-privileged-container-running.json │ │ │ │ │ ├── podtemplate-resources-without-defined-cpu-limit.json │ │ │ │ │ ├── podtemplate-resources-without-defined-limits.json │ │ │ │ │ ├── podtemplate-resources-without-defined-memory-limit.json │ │ │ │ │ ├── rbac-dangerous-grants.json │ │ │ │ │ ├── rbac-dodgy-subjects.json │ │ │ │ │ ├── rbac-permissive-bindings.json │ │ │ │ │ ├── replicaset-apparmor-annotation-missing.json │ │ │ │ │ ├── replicaset-automounted-service-account-token.json │ │ │ │ │ ├── replicaset-container-ability-to-modify-root-filesystem.json │ │ │ │ │ ├── replicaset-container-allowing-privilege-escalation.json │ │ │ │ │ ├── replicaset-container-running-as-root-group.json │ │ │ │ │ ├── replicaset-container-running-as-root-user.json │ │ │ │ │ ├── replicaset-container-with-overly-permissive-capabilities.json │ │ │ │ │ ├── replicaset-container-with-possible-root-privileges.json │ │ │ │ │ ├── replicaset-host-ipc-true.json │ │ │ │ │ ├── replicaset-host-network-true.json │ │ │ │ │ ├── replicaset-host-pid-true.json │ │ │ │ │ ├── replicaset-kubernetes-container-manifest-hardening.json │ │ │ │ │ ├── replicaset-privileged-container-running.json │ │ │ │ │ ├── replicaset-resources-without-defined-cpu-limit.json │ │ │ │ │ ├── replicaset-resources-without-defined-limits.json │ │ │ │ │ ├── replicaset-resources-without-defined-memory-limit.json │ │ │ │ │ ├── service-helm-tiller-in-use.json │ │ │ │ │ ├── serviceaccount-automounted-service-account-token.json │ │ │ │ │ ├── statefulset-apparmor-annotation-missing.json │ │ │ │ │ ├── statefulset-automounted-service-account-token.json │ │ │ │ │ ├── statefulset-container-ability-to-modify-root-filesystem.json │ │ │ │ │ ├── statefulset-container-allowing-privilege-escalation.json │ │ │ │ │ ├── statefulset-container-running-as-root-group.json │ │ │ │ │ ├── statefulset-container-running-as-root-user.json │ │ │ │ │ ├── statefulset-container-with-overly-permissive-capabilities.json 
│ │ │ │ │ ├── statefulset-container-with-possible-root-privileges.json │ │ │ │ │ ├── statefulset-host-ipc-true.json │ │ │ │ │ ├── statefulset-host-network-true.json │ │ │ │ │ ├── statefulset-host-pid-true.json │ │ │ │ │ ├── statefulset-kubernetes-container-manifest-hardening.json │ │ │ │ │ ├── statefulset-privileged-container-running.json │ │ │ │ │ ├── statefulset-resources-without-defined-cpu-limit.json │ │ │ │ │ ├── statefulset-resources-without-defined-limits.json │ │ │ │ │ └── statefulset-resources-without-defined-memory-limit.json │ │ │ │ └── rulesets/ │ │ │ │ ├── aks.json │ │ │ │ ├── default.json │ │ │ │ ├── eks.json │ │ │ │ ├── filters.json │ │ │ │ └── gke.json │ │ │ ├── services.py │ │ │ └── utils.py │ │ ├── oci/ │ │ │ ├── __init__.py │ │ │ ├── authentication_strategy.py │ │ │ ├── facade/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ ├── identity.py │ │ │ │ ├── kms.py │ │ │ │ └── objectstorage.py │ │ │ ├── metadata.json │ │ │ ├── provider.py │ │ │ ├── resources/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ ├── identity/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── api_keys.py │ │ │ │ │ ├── authentication_policy.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── groups.py │ │ │ │ │ ├── policies.py │ │ │ │ │ └── users.py │ │ │ │ ├── kms/ │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── base.py │ │ │ │ │ ├── keys.py │ │ │ │ │ └── keyvaults.py │ │ │ │ └── objectstorage/ │ │ │ │ ├── __init__.py │ │ │ │ ├── base.py │ │ │ │ └── buckets.py │ │ │ ├── rules/ │ │ │ │ ├── filters/ │ │ │ │ │ └── .keep │ │ │ │ ├── findings/ │ │ │ │ │ ├── identity-password-policy-minimum-length.json │ │ │ │ │ ├── identity-password-policy-no-lowercase-required.json │ │ │ │ │ ├── identity-password-policy-no-number-required.json │ │ │ │ │ ├── identity-password-policy-no-symbol-required.json │ │ │ │ │ ├── identity-password-policy-no-uppercase-required.json │ │ │ │ │ ├── identity-policy-affects-user.json │ │ │ │ │ ├── identity-user-with-multiple-api-keys.json │ │ │ │ │ ├── kms-no-key-rotation.json │ │ │ │ 
│ ├── objectstorage-bucket-lacking-kms-encryption.json │ │ │ │ │ └── objectstorage-public-bucket.json │ │ │ │ └── rulesets/ │ │ │ │ ├── default.json │ │ │ │ └── filters.json │ │ │ ├── services.py │ │ │ └── utils.py │ │ └── utils.py │ └── utils.py ├── dev-requirements.txt ├── docker/ │ ├── .dockerignore │ ├── Dockerfile-aws │ ├── Dockerfile-azure │ ├── Dockerfile-base │ ├── Dockerfile-gcp │ ├── README.md │ ├── bin/ │ │ ├── container-install-aws2.sh │ │ ├── container-install-azure.sh │ │ ├── container-install-gcp.sh │ │ ├── container-install-prereqs.sh │ │ ├── container-install-scoutsuite.sh │ │ └── container-set-init.sh │ ├── build.sh │ ├── config/ │ │ ├── aws.env │ │ ├── azure.env │ │ ├── base.env │ │ ├── combined.env │ │ ├── gcp.env │ │ └── ibm.env │ └── tag.sh ├── pytest.ini ├── requirements.txt ├── scout.py ├── setup.py ├── tests/ │ ├── data/ │ │ ├── invalid-file.json │ │ ├── ip-ranges-1.json │ │ ├── ip-ranges-3.json │ │ ├── policy1.json │ │ ├── protocols.json │ │ ├── resources/ │ │ │ └── dummy_resources.json │ │ ├── rule-configs/ │ │ │ ├── ec2.json │ │ │ ├── iam-password-policy.json │ │ │ └── iam-root.json │ │ ├── rule-results/ │ │ │ ├── ec2-default-security-group-in-use.json │ │ │ ├── ec2-default-security-group-with-rules.json │ │ │ ├── ec2-ebs-default-encryption-disabled.json │ │ │ ├── ec2-security-group-opens-all-ports-to-all.json │ │ │ ├── ec2-security-group-opens-all-ports-to-self.json │ │ │ ├── ec2-security-group-opens-all-ports.json │ │ │ ├── ec2-security-group-opens-known-port-to-all.json │ │ │ ├── ec2-security-group-opens-port-range.json │ │ │ ├── ec2-security-group-opens-port-to-all.json │ │ │ ├── ec2-security-group-whitelists-aws-ip-from-banned-region.json │ │ │ ├── ec2-security-group-whitelists-aws.json │ │ │ ├── iam-password-policy-expiration-threshold.json │ │ │ ├── iam-password-policy-lowercase-required.json │ │ │ ├── iam-password-policy-minimum-length.json │ │ │ ├── iam-password-policy-no-expiration.json │ │ │ ├── 
iam-password-policy-no-lowercase-required.json │ │ │ ├── iam-password-policy-no-number-required.json │ │ │ ├── iam-password-policy-no-symbol-required.json │ │ │ ├── iam-password-policy-no-uppercase-required.json │ │ │ └── iam-password-policy-reuse-enabled.json │ │ ├── ruleset-test.json │ │ ├── statement1.json │ │ └── test-ruleset.json │ ├── results/ │ │ └── read_ip_ranges/ │ │ ├── ip-ranges-1a.json │ │ ├── ip-ranges-1b.json │ │ ├── ip-ranges-1c.json │ │ ├── ip-ranges-3.json │ │ └── ip-ranges-a.json │ ├── test_aws_provider.py │ ├── test_azure_provider.py │ ├── test_core.py │ ├── test_main.py │ ├── test_output.py │ ├── test_resources.py │ ├── test_rules_processingengine.py │ ├── test_rules_ruleset.py │ ├── test_scoutsuite.py │ ├── test_utils.py │ ├── test_utils_conditions.py │ ├── test_utils_console.py │ └── test_utils_fs.py └── tools/ ├── README.md ├── __init__.py ├── aws_security_hub_export.py ├── format_findings.py ├── gen-tests.py ├── process_raw_response.py ├── sort-ruleset.py ├── update-aws-ips.sh └── utils.py ================================================ FILE CONTENTS ================================================ ================================================ FILE: .coveragerc ================================================ [report] include = ScoutSuite/*.py ScoutSuite/core/*.py ScoutSuite/output/*.py ScoutSuite/providers/aws/*.py ScoutSuite/providers/aws/facade/*.py ScoutSuite/providers/aws/resources/*.py ScoutSuite/providers/azure/*.py ScoutSuite/providers/azure/facade/*.py ScoutSuite/providers/azure/resources/*.py ScoutSuite/providers/gcp/*.py ScoutSuite/providers/gcp/facade/*.py ScoutSuite/providers/gcp/resources/*.py ================================================ FILE: .flake8 ================================================ [flake8] select = E901, E999, F821, F822, F823 statistics = True show-source = True max-line-length = 127 max-complexity = 10 exclude = .git, __pycache__, docs/source/conf.py, old, build, dist, venv [pycodestyle] 
max_line_length = 127 ignore = E501 ================================================ FILE: .github/ISSUE_TEMPLATE/bug_report.md ================================================ --- name: Bug report about: Create a report to help us improve Scout Suite! title: '' labels: bug, potential assignees: '' --- **Describe the bug** Please provide: - A clear and concise description of what the bug is. - Console output using the `--debug` argument. - If possible, the errors JSON file generated at the end of execution (the CLI output will provide the path to this file). The file can be sent to the project team directly to avoid including sensitive content in the GitHub issue. **To Reproduce** Please provide: - The **exact** CLI parameters used to run Scout Suite. - Any specific configuration within the cloud account which might have led to the issue. **Additional context** Add any other context about the problem here. ================================================ FILE: .github/ISSUE_TEMPLATE/feature_request.md ================================================ --- name: Feature request about: Suggest an idea to improve Scout Suite! title: '' labels: enhancement assignees: '' --- **Is your feature request related to a problem? Please describe.** A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] **Describe the solution you'd like** A clear and concise description of what you want to happen. **Describe alternatives you've considered** A clear and concise description of any alternative solutions or features you've considered. **Additional context** Add any other context or screenshots about the feature request here. 
================================================ FILE: .github/PULL_REQUEST_TEMPLATE.md ================================================ # Description **Make sure the PR is against the `develop` branch (see [Contributing](https://github.com/nccgroup/ScoutSuite/blob/master/CONTRIBUTING.md)).** **Make sure to set the corresponding milestone in the PR.** Please include a summary of the change(s) and which issue(s) it addresses. Please also include relevant motivation and context. Fixes # (issue) ## Type of change Select the relevant option(s): - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] This change requires a documentation update ## Checklist: - [ ] My code follows the style guidelines of this project - [ ] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] My changes generate no new warnings - [ ] I have added tests that prove my fix is effective or that my feature works (optional) - [ ] New and existing unit tests pass locally with my changes ================================================ FILE: .github/workflows/frontend-build.yml ================================================ name: Fronted Build CI (dummy version) on: # Triggers the workflow on push or pull request events but only for the master branch push: branches: [ v6-master ] jobs: test: runs-on: ubuntu-18.04 steps: - name: Show environment v1 run: env | grep ^GITHUB - name: Show ref v1 run: echo "===============> Version from $GITHUB_REF" ================================================ FILE: .github/workflows/testing.yml ================================================ name: CI Workflow on: push: branches: - develop - master pull_request: jobs: build: runs-on: ubuntu-20.04 strategy: matrix: python-version: ['3.9', '3.10', '3.11'] steps: - uses: 
actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} - name: Cache pip uses: actions/cache@v2 with: # This path is specific to Ubuntu path: ~/.cache/pip # Look to see if there is a cache hit for the corresponding requirements file key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }} restore-keys: | ${{ runner.os }}-pip- ${{ runner.os }}- - name: Install dependencies run: | python -m pip install --upgrade pip pip install -U setuptools pip install -r dev-requirements.txt - name: Lint with flake8 run: | # stop the build if there are Python syntax errors or undefined names flake8 . # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics - name: Autopep 8 run: | autopep8 --diff --recursive --max-line-length=127 . - name: Test with pytest and generate coverage report run: | python -m pytest --cov=./ --cov-report=xml - name: Upload coverage to Codecov uses: codecov/codecov-action@v1 with: file: ./coverage.xml ================================================ FILE: .gitignore ================================================ # virtualenv env/ venv/ # Compiled files *.py[cod] # C extensions *.so # Packages *.egg *.egg-info .eggs .cache/ dist build eggs parts bin var sdist develop-eggs .installed.cfg lib lib64 __pycache__ # Installer logs pip-log.txt # Unit test / coverage reports .coverage .tox nosetests.xml # Translations *.mo # Mr Developer .mr.developer.cfg .project .pydevproject # In case people do a `git add .` ... 
*.csv # Data folder and files scoutsuite-report* inc-scoutsuite-run* report-* *.db # IntelliJ files .idea/ *.iml # Vs Code .vscode/ # Mac cruft .DS_Store # Emacs backups *~ # Private files *private.* # Private folders /private*/ /**/private*/ #Profiling output *.prof !docker/bin ================================================ FILE: CODE_OF_CONDUCT.md ================================================ # Code of conduct ## Our Pledge In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation. ## Our Standards Examples of behavior that contributes to creating a positive environment include: * Using welcoming and inclusive language * Being respectful of differing viewpoints and experiences * Gracefully accepting constructive criticism * Focusing on what is best for the community * Showing empathy towards other community members Examples of unacceptable behavior by participants include: * The use of sexualized language or imagery and unwelcome sexual attention or advances * Trolling, insulting/derogatory comments, and personal or political attacks * Public or private harassment * Publishing others’ private information, such as a physical or electronic address, without explicit permission * Other conduct which could reasonably be considered inappropriate in a professional setting ## Our Responsibilities Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. 
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. ## Scope This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at . All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project’s leadership. 
## Attribution This Code of Conduct is adapted from the Contributor Covenant, version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq ================================================ FILE: CONTRIBUTING.md ================================================ # Contributing ## Table of Contents * [Introduction](#introduction) * [Getting started](#getting-started) * [How to report a bug](#How-to-report-a-bug) * [How to suggest a new feature](#How-to-suggest-a-new-feature) * [Code review process](#Code-review-process) ## Introduction First off, thank you for considering contributing to Scout Suite, you're awesome! 🎉 Following these guidelines helps to communicate that you respect the time of the developers managing and developing this open source project. In return, they should reciprocate that respect in addressing your issue, assessing changes, and helping you finalize your pull requests. ## Getting started So you want to contribute some code, that's great! This project follows the [GitHub Workflow](https://guides.github.com/introduction/flow/). 1. If it's a complex issue, please describe how you plan on going about addressing it on the issue thread. 2. Assign yourself to the issue 3. Create a branch using the following naming convention: * If it's a feature: `feature/issuenumber-descriptive-name` * If it's a bug fix: `bugfix/issuenumber-descriptive-name` * If it's a hot fix: `hotfix/issuenumber-descriptive-name` 4. Implement your solution and the associated tests 5. Make sure your code follows the [PEP8 guidelines](https://www.python.org/dev/peps/pep-0008/) 6. [Create a pull request](https://help.github.com/articles/creating-a-pull-request/) against `develop` 7. Wait for people to review it 8. Address the comments people left on your pull request 9. Go back to 7. and repeat until your PR is 💯 10. 
Wait for someone from the team to merge your PR ## How to report a bug When filing an issue, make sure to answer these five questions: 1. What version of Python are you using? 2. What operating system and processor architecture are you using? 3. What did you do? 4. What did you expect to see? 5. What did you see instead? ## How to suggest a new feature If you find yourself wishing for a feature that doesn't exist in Scout Suite, you are probably not alone. There are bound to be others out there with similar needs. Many of the features that Scout Suite has today have been added because our users saw the need. Open an issue on our issues list on GitHub which describes the feature you would like to see, why you need it, and how it should work. ## Code review process Pull requests are regularly reviewed by the core team. We require a minimum of two reviewers before allowing a pull request to be merged. ================================================ FILE: LICENSE ================================================ GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. 
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. 
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ================================================ FILE: MANIFEST.in ================================================ include LICENSE include README.md include requirements.txt recursive-include ScoutSuite/data * recursive-include ScoutSuite/output/data * recursive-include ScoutSuite/providers/aws * recursive-include ScoutSuite/providers/aws/rules * recursive-include ScoutSuite/providers/azure * recursive-include ScoutSuite/providers/azure/rules * recursive-include ScoutSuite/providers/gcp * recursive-include ScoutSuite/providers/gcp/rules * recursive-include ScoutSuite/providers/aliyun * recursive-include ScoutSuite/providers/aliyun/rules * recursive-include ScoutSuite/providers/oci * recursive-include ScoutSuite/providers/oci/rules * recursive-include ScoutSuite/providers/kubernetes * recursive-include ScoutSuite/providers/kubernetes/rules * ================================================ FILE: README.md ================================================

# [![Workflow](https://github.com/nccgroup/ScoutSuite/workflows/CI%20Workflow/badge.svg)](https://github.com/nccgroup/ScoutSuite/actions) [![CodeCov](https://codecov.io/gh/nccgroup/ScoutSuite/branch/master/graph/badge.svg)](https://codecov.io/gh/nccgroup/ScoutSuite) [![PyPI version](https://badge.fury.io/py/ScoutSuite.svg)](https://badge.fury.io/py/ScoutSuite) [![PyPI downloads](https://img.shields.io/pypi/dm/scoutsuite)](https://img.shields.io/pypi/dm/scoutsuite) [![Docker Hub](https://img.shields.io/badge/Docker%20Hub-rossja%2Fncc--scoutsuite-blue)](https://hub.docker.com/r/rossja/ncc-scoutsuite/) [![Docker Pulls](https://img.shields.io/docker/pulls/rossja/ncc-scoutsuite.svg?style=flat-square)](https://hub.docker.com/r/rossja/ncc-scoutsuite/) ## Description Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically. Scout Suite was designed by security consultants/auditors. It is meant to provide a point-in-time security-oriented view of the cloud account it was run in. Once the data has been gathered, all usage may be performed offline. The project team can be contacted at . ### Cloud Provider Support The following cloud providers are currently supported: - Amazon Web Services - Microsoft Azure - Google Cloud Platform - Alibaba Cloud (alpha) - Oracle Cloud Infrastructure (alpha) - Kubernetes clusters on a cloud provider (alpha) - DigitalOcean Cloud (alpha) ## Installation Refer to the [wiki](https://github.com/nccgroup/ScoutSuite/wiki/Setup). 
## Usage Scout Suite is run through the CLI: ![Running Scout Suite](https://user-images.githubusercontent.com/13310971/78389085-22659d00-75b0-11ea-9f22-ea6fcaa6a1cd.gif) Once this has completed, it will generate an HTML report including findings and Cloud account configuration: ![Scout Suite Report](https://user-images.githubusercontent.com/13310971/77861662-342bf680-71e4-11ea-8eed-ccaeb78c5f45.gif) The above report was generated by running Scout Suite against https://github.com/nccgroup/sadcloud. Additional information can be found in the [wiki](https://github.com/nccgroup/ScoutSuite/wiki). There are also a number of handy [tools](https://github.com/nccgroup/ScoutSuite/tree/master/tools) for automation of common tasks. ================================================ FILE: ScoutSuite/__init__.py ================================================ __author__ = 'NCC Group' __version__ = '5.14.0' ERRORS_LIST = [] DEFAULT_REPORT_DIRECTORY = 'scoutsuite-report' DEFAULT_REPORT_RESULTS_DIRECTORY = 'scoutsuite-results' DEFAULT_INCLUDES_DIRECTORY = 'inc-scoutsuite' ================================================ FILE: ScoutSuite/__main__.py ================================================ import asyncio import os import webbrowser from asyncio_throttle import Throttler from ScoutSuite import ERRORS_LIST from concurrent.futures import ThreadPoolExecutor from ScoutSuite.core.cli_parser import ScoutSuiteArgumentParser from ScoutSuite.core.console import set_logger_configuration, print_info, print_exception from ScoutSuite.core.exceptions import RuleExceptions from ScoutSuite.core.processingengine import ProcessingEngine from ScoutSuite.core.ruleset import Ruleset from ScoutSuite.core.server import Server from ScoutSuite.output.html import ScoutReport from ScoutSuite.output.utils import get_filename from ScoutSuite.providers import get_provider from ScoutSuite.providers.base.authentication_strategy_factory import get_authentication_strategy # Dirty workaround for compatibility 
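# with Python >= 3.10
import collections
import collections.abc  # imported explicitly: `import collections` alone does not guarantee the submodule is loaded

collections.Callable = collections.abc.Callable


def run_from_cli():
    """
    Parse the command line and run Scout with the resulting arguments.

    :return: the exit code produced by run(), or 130 when the run is interrupted
    """
    parser = ScoutSuiteArgumentParser()
    args = parser.parse_args()

    # Get the dictionary to get None instead of a crash
    args = args.__dict__

    # TODO provider-specific arguments should be prepended with the provider's code
    #  (e.g. aws_profile, azure_user_account)

    try:
        return run(provider=args.get('provider'),
                   # AWS
                   profile=args.get('profile'),
                   aws_access_key_id=args.get('aws_access_key_id'),
                   aws_secret_access_key=args.get('aws_secret_access_key'),
                   aws_session_token=args.get('aws_session_token'),
                   # Azure
                   cli=args.get('cli'),
                   user_account=args.get('user_account'),
                   user_account_browser=args.get('user_account_browser'),
                   service_account=args.get('service_account'),
                   msi=args.get('msi'),
                   service_principal=args.get('service_principal'),
                   file_auth=args.get('file_auth'),
                   client_id=args.get('client_id'),
                   client_secret=args.get('client_secret'),
                   username=args.get('username'),
                   password=args.get('password'),
                   tenant_id=args.get('tenant_id'),
                   subscription_ids=args.get('subscription_ids'),
                   all_subscriptions=args.get('all_subscriptions'),
                   # GCP
                   project_id=args.get('project_id'),
                   folder_id=args.get('folder_id'),
                   organization_id=args.get('organization_id'),
                   all_projects=args.get('all_projects'),
                   # Aliyun
                   access_key_id=args.get('access_key_id'),
                   access_key_secret=args.get('access_key_secret'),
                   # Kubernetes
                   kubernetes_cluster_provider=args.get('kubernetes_cluster_provider'),
                   kubernetes_config_file=args.get('kubernetes_config_file'),
                   kubernetes_context=args.get('kubernetes_context'),
                   kubernetes_persist_config=args.get('kubernetes_persist_config'),
                   kubernetes_azure_subscription_id=args.get('kubernetes_azure_subscription_id'),
                   #DigitalOcean
                   token=args.get('token'),
                   access_key=args.get('access_key'),
                   access_secret=args.get('access_secret'),
                   # General
                   report_name=args.get('report_name'),
                   report_dir=args.get('report_dir'),
                   timestamp=args.get('timestamp'),
                   services=args.get('services'),
                   skipped_services=args.get('skipped_services'),
                   list_services=args.get('list_services'),
                   result_format=args.get('result_format'),
                   database_name=args.get('database_name'),
                   host_ip=args.get('host_ip'),
                   host_port=args.get('host_port'),
                   max_workers=args.get('max_workers'),
                   regions=args.get('regions'),
                   excluded_regions=args.get('excluded_regions'),
                   fetch_local=args.get('fetch_local'),
                   update=args.get('update'),
                   max_rate=args.get('max_rate'),
                   ip_ranges=args.get('ip_ranges'),
                   ip_ranges_name_key=args.get('ip_ranges_name_key'),
                   ruleset=args.get('ruleset'),
                   exceptions=args.get('exceptions'),
                   force_write=args.get('force_write'),
                   debug=args.get('debug'),
                   quiet=args.get('quiet'),
                   log_file=args.get('log_file'),
                   no_browser=args.get('no_browser'),
                   programmatic_execution=False)
    except (KeyboardInterrupt, SystemExit):
        print_info('Exiting')
        return 130


def run(provider,
        # AWS
        profile=None,
        aws_access_key_id=None,
        aws_secret_access_key=None,
        aws_session_token=None,
        # Azure
        user_account=False,
        user_account_browser=False,
        cli=False, msi=False, service_principal=False, file_auth=None,
        client_id=None, client_secret=None,
        username=None, password=None,
        tenant_id=None,
        subscription_ids=None, all_subscriptions=None,
        # GCP
        service_account=None,
        project_id=None, folder_id=None, organization_id=None, all_projects=False,
        # Aliyun
        access_key_id=None, access_key_secret=None,
        # Kubernetes
        kubernetes_cluster_provider=None,
        kubernetes_config_file=None,
        kubernetes_context=None,
        kubernetes_persist_config=True,
        kubernetes_azure_subscription_id=None,
        #DigitalOcean
        token=None,
        access_key=None,
        access_secret=None,
        # General
        report_name=None, report_dir=None,
        timestamp=False,
        services=[], skipped_services=[], list_services=None,
        result_format='json',
        database_name=None, host_ip='127.0.0.1', host_port=8000,
        max_workers=10,
        regions=[],
        excluded_regions=[],
        fetch_local=False, update=False,
        max_rate=None,
        ip_ranges=[], ip_ranges_name_key='name',
        ruleset='default.json', exceptions=None,
        force_write=False,
        debug=False,
        quiet=False,
        log_file=None,
        no_browser=False,
        programmatic_execution=True):
    """
    Run a scout job in an async event loop.

    Every parameter is forwarded unchanged to _run() through locals(); the
    names _run() does not declare (max_workers, max_rate and the local `loop`)
    end up in its **kwargs.

    :return: the value returned by _run() (an exit code, see _run)
    """
    # NOTE(review): the list defaults above are shared between calls. Nothing in
    # this function mutates them, but the same objects are handed to downstream code.

    loop = asyncio.get_event_loop()
    if loop.is_closed():
        loop = asyncio.new_event_loop()
    # Set the throttler within the loop so it's accessible later on
    loop.throttler = Throttler(rate_limit=max_rate if max_rate else 999999, period=1)
    loop.set_default_executor(ThreadPoolExecutor(max_workers=max_workers))
    try:
        return loop.run_until_complete(_run(**locals()))  # pass through all the parameters
    finally:
        # Close the loop even when the job is interrupted or raises
        loop.close()


async def _run(provider,
               # AWS
               profile,
               aws_access_key_id,
               aws_secret_access_key,
               aws_session_token,
               # Azure
               cli, user_account, user_account_browser,
               msi, service_principal, file_auth,
               tenant_id,
               subscription_ids, all_subscriptions,
               client_id, client_secret,
               username, password,
               # GCP
               service_account,
               project_id, folder_id, organization_id, all_projects,
               # Aliyun
               access_key_id, access_key_secret,
               # Kubernetes
               kubernetes_cluster_provider,
               kubernetes_config_file,
               kubernetes_context,
               kubernetes_persist_config,
               kubernetes_azure_subscription_id,
               #DigitalOcean
               token,
               access_key,
               access_secret,
               # General
               report_name, report_dir,
               timestamp,
               services, skipped_services, list_services,
               result_format,
               database_name, host_ip, host_port,
               regions,
               excluded_regions,
               fetch_local, update,
               ip_ranges, ip_ranges_name_key,
               ruleset, exceptions,
               force_write,
               debug,
               quiet,
               log_file,
               no_browser,
               programmatic_execution,
               **kwargs):
    """
    Run a scout job.

    Steps, in order: authenticate, build the provider object, create the report,
    fetch data (or reload local results), pre-process, run the rule engine, apply
    display filters and exceptions, post-process, save the report.

    :return: 0 on success, 200 when errors were handled during execution,
             130 when cancelled, or the code of the step that failed:
             101 authentication, 102 provider initialization, 103 report
             initialization, 104 data gathering, 105 pre-processing,
             106 rule engine, 107 display filters, 108 post-processing,
             109 report generation. Returns None after starting the result
             server (database_name set).
    """

    # Configure the debug level
    set_logger_configuration(debug, quiet, log_file)

    print_info('Launching Scout')

    print_info('Authenticating to cloud provider')
    auth_strategy = get_authentication_strategy(provider)

    try:
        credentials = auth_strategy.authenticate(profile=profile,
                                                 aws_access_key_id=aws_access_key_id,
                                                 aws_secret_access_key=aws_secret_access_key,
                                                 aws_session_token=aws_session_token,
                                                 user_account=user_account,
                                                 user_account_browser=user_account_browser,
                                                 service_account=service_account,
                                                 cli=cli,
                                                 msi=msi,
                                                 service_principal=service_principal,
                                                 file_auth=file_auth,
                                                 tenant_id=tenant_id,
                                                 client_id=client_id,
                                                 client_secret=client_secret,
                                                 username=username,
                                                 password=password,
                                                 access_key_id=access_key_id,
                                                 access_key_secret=access_key_secret,
                                                 #DigitalOcean
                                                 token=token,
                                                 access_key=access_key,
                                                 access_secret=access_secret,
                                                 # Kubernetes
                                                 kubernetes_cluster_provider=kubernetes_cluster_provider,
                                                 kubernetes_config_file=kubernetes_config_file,
                                                 kubernetes_context=kubernetes_context,
                                                 kubernetes_persist_config=kubernetes_persist_config,
                                                 kubernetes_azure_subscription_id=kubernetes_azure_subscription_id,
                                                 kubernetes_fetch_local=fetch_local)

        if not credentials:
            return 101
    except Exception as e:
        print_exception(f'Authentication failure: {e}')
        return 101

    # Create a cloud provider object
    try:
        cloud_provider = get_provider(provider=provider,
                                      # AWS
                                      profile=profile,
                                      # Azure
                                      subscription_ids=subscription_ids,
                                      all_subscriptions=all_subscriptions,
                                      # GCP
                                      project_id=project_id,
                                      folder_id=folder_id,
                                      organization_id=organization_id,
                                      all_projects=all_projects,
                                      # Kubernetes
                                      kubernetes_config_file=kubernetes_config_file,
                                      kubernetes_context=kubernetes_context,
                                      kubernetes_cluster_provider=kubernetes_cluster_provider,
                                      # Other
                                      report_dir=report_dir,
                                      timestamp=timestamp,
                                      services=services,
                                      skipped_services=skipped_services,
                                      programmatic_execution=programmatic_execution,
                                      credentials=credentials)
    except Exception as e:
        print_exception(f'Initialization failure: {e}')
        return 102

    # Create a new report
    try:
        report_name = report_name if report_name else cloud_provider.get_report_name()
        report = ScoutReport(cloud_provider.provider_code,
                             report_name,
                             report_dir,
                             timestamp,
                             result_format=result_format)

        if database_name:
            # Serve an existing result database instead of running a scan
            database_file, _ = get_filename('RESULTS', report_name, report_dir, file_extension="db")
            Server.init(database_file, host_ip, host_port)
            return
    except Exception as e:
        print_exception('Report initialization failure: {}'.format(e))
        return 103

    # If this command, run and exit
    if list_services:
        available_services = [x for x in dir(cloud_provider.services) if
                              not (x.startswith('_') or x in ['credentials', 'fetch'])]
        print_info('The available services are: "{}"'.format('", "'.join(available_services)))
        return 0

    # Complete run, including pulling data from provider
    if not fetch_local:

        # Fetch data from provider APIs
        try:
            print_info('Gathering data from APIs')
            await cloud_provider.fetch(regions=regions, excluded_regions=excluded_regions)
        except KeyboardInterrupt:
            print_info('\nCancelled by user')
            return 130
        except Exception as e:
            print_exception('Unhandled exception thrown while gathering data: {}'.format(e))
            return 104

        # Update means we reload the whole config and overwrite part of it
        if update:
            try:
                print_info('Updating existing data')
                #Load previous results
                last_run_dict = report.encoder.load_from_file('RESULTS')
                #Get list of previous services which were not updated during this run
                previous_services = [prev_service for prev_service in last_run_dict['service_list']
                                     if prev_service not in cloud_provider.service_list]
                #Add previous services
                for service in previous_services:
                    cloud_provider.service_list.append(service)
                    cloud_provider.services[service] = last_run_dict['services'][service]
            except Exception as e:
                # The failure is reported but the run continues with the freshly fetched data only
                print_exception('Failure while updating report: {}'.format(e))

    # Partial run, using pre-pulled data
    else:
        try:
            print_info('Using local data')
            # Reload to flatten everything into a python dictionary
            last_run_dict = report.encoder.load_from_file('RESULTS')
            # NOTE(review): every top-level key of the stored results becomes an attribute
            # of the provider object, so the results file is treated as trusted input.
            for key in last_run_dict:
                setattr(cloud_provider, key, last_run_dict[key])
        except Exception as e:
            print_exception('Failure while updating report: {}'.format(e))

    # Pre processing
    try:
        print_info('Running pre-processing engine')
        cloud_provider.preprocessing(ip_ranges, ip_ranges_name_key)
    except Exception as e:
        print_exception('Failure while running pre-processing engine: {}'.format(e))
        return 105

    # Analyze config
    try:
        print_info('Running rule engine')
        finding_rules = Ruleset(cloud_provider=cloud_provider.provider_code,
                                environment_name=cloud_provider.environment,
                                filename=ruleset,
                                ip_ranges=ip_ranges,
                                account_id=cloud_provider.account_id)
        processing_engine = ProcessingEngine(finding_rules)
        processing_engine.run(cloud_provider)
    except Exception as e:
        print_exception('Failure while running rule engine: {}'.format(e))
        return 106

    # Create display filters
    try:
        print_info('Applying display filters')
        filter_rules = Ruleset(cloud_provider=cloud_provider.provider_code,
                               environment_name=cloud_provider.environment,
                               filename='filters.json',
                               rule_type='filters',
                               account_id=cloud_provider.account_id)
        processing_engine = ProcessingEngine(filter_rules)
        processing_engine.run(cloud_provider)
    except Exception as e:
        print_exception('Failure while applying display filters: {}'.format(e))
        return 107

    # Handle exceptions
    if exceptions:
        print_info('Applying exceptions')
        try:
            exceptions = RuleExceptions(exceptions)
            exceptions.process(cloud_provider)
            exceptions = exceptions.exceptions
        except Exception as e:
            # An unreadable exceptions file is reported and then ignored:
            # the report is produced without any exception applied.
            print_exception(f'Failed to load exceptions: {e}')
            exceptions = {}
    else:
        exceptions = {}

    # Finalize
    try:
        print_info('Running post-processing engine')
        run_parameters = {
            'services': services,
            'skipped_services': skipped_services,
            'regions': regions,
            'excluded_regions': excluded_regions,
        }
        cloud_provider.postprocessing(report.current_time, finding_rules, run_parameters)
    except Exception as e:
        print_exception('Failure while running post-processing engine: {}'.format(e))
        return 108

    # Save config and create HTML report
    try:
        html_report_path = report.save(cloud_provider, exceptions, force_write, debug)
    except Exception as e:
        print_exception('Failure while generating HTML report: {}'.format(e))
        return 109

    # Open the report by default
    if not no_browser:
        from pathlib import Path

        print_info('Opening the HTML report')
        # as_uri() percent-encodes the path and handles drive letters, so report
        # directories containing spaces, '#' or '?' still open the right file.
        url = Path(os.path.abspath(html_report_path)).as_uri()
        webbrowser.open(url, new=2)

    if ERRORS_LIST:  # errors were handled during execution
        return 200
    else:
        return 0


================================================
FILE: ScoutSuite/core/__init__.py
================================================


================================================
FILE: ScoutSuite/core/cli_parser.py
================================================
import argparse

from ScoutSuite import __version__


class ScoutSuiteArgumentParser:
    """Command-line parser with one sub-command per supported provider."""

    def __init__(self):
        """Build the top-level parser, the shared argument group and every provider sub-parser."""
        self.parser = argparse.ArgumentParser(epilog='To get addtional help on a specific provider run: scout.py {provider} -h')

        # People will still be able to use the old --provider syntax
        self.parser.add_argument("--provider",
                                 action='store_true',
                                 dest='sinkhole',
                                 help=argparse.SUPPRESS)

        self.parser.add_argument('-v', '--version',
                                 action='version',
                                 version=f'Scout Suite {__version__}')

        # Parent parser holding the arguments shared by every provider
        self.common_providers_args_parser = argparse.ArgumentParser(add_help=False)

        self.subparsers = self.parser.add_subparsers(title="The provider you want to run scout against",
                                                     dest="provider")

        self._init_common_args_parser()

        self._init_aws_parser()
        self._init_gcp_parser()
        self._init_azure_parser()
        self._init_aliyun_parser()
        self._init_oci_parser()
        self._init_kubernetes_parser()
        self._init_do_parser()

    def _init_aws_parser(self):
        """Register the `aws` sub-command with its authentication and scoping arguments."""
        parser = self.subparsers.add_parser("aws",
                                            parents=[self.common_providers_args_parser],
                                            help="Run Scout against an Amazon Web Services account")

        aws_parser = parser.add_argument_group('Authentication modes')
        aws_auth_params = parser.add_argument_group('Authentication parameters')

        aws_auth_modes = aws_parser.add_mutually_exclusive_group(required=False)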
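# ScoutSuiteArgumentParser._init_aws_parser, continued: authentication modes and parameters.
# NOTE(review): here and in the other provider parsers below, secrets (access keys, session
# tokens, passwords, client secrets, API tokens) are accepted as plain command-line values.
# Arguments passed this way usually end up in shell history and are visible in the process
# list; the profile, CLI, browser, file and managed-identity modes avoid that.

        aws_auth_modes.add_argument('-p', '--profile',
                                    dest='profile',
                                    default=None,
                                    help='Run with a named profile')

        aws_auth_modes.add_argument('--access-keys',
                                    action='store_true',
                                    dest='aws_access_keys',
                                    help='Run with access keys')
        aws_auth_params.add_argument('--access-key-id',
                                     action='store',
                                     default=None,
                                     dest='aws_access_key_id',
                                     help='AWS Access Key ID')
        aws_auth_params.add_argument('--secret-access-key',
                                     action='store',
                                     default=None,
                                     dest='aws_secret_access_key',
                                     help='AWS Secret Access Key')
        aws_auth_params.add_argument('--session-token',
                                     action='store',
                                     default=None,
                                     dest='aws_session_token',
                                     help='AWS Session Token')

        aws_additional_parser = parser.add_argument_group('Additional arguments')

        aws_additional_parser.add_argument('-r', '--regions',
                                           dest='regions',
                                           default=[],
                                           nargs='+',
                                           help='Name of regions to run the tool in, defaults to all')
        aws_additional_parser.add_argument('-xr', '--exclude-regions',
                                           dest='excluded_regions',
                                           default=[],
                                           nargs='+',
                                           help='Name of regions to excluded from execution')
        aws_additional_parser.add_argument('--ip-ranges',
                                           dest='ip_ranges',
                                           default=[],
                                           nargs='+',
                                           help='Config file(s) that contain your known IP ranges')
        aws_additional_parser.add_argument('--ip-ranges-name-key',
                                           dest='ip_ranges_name_key',
                                           default='name',
                                           help='Name of the key containing the display name of a known CIDR')

    def _init_gcp_parser(self):
        """Register the `gcp` sub-command; exactly one authentication mode is required."""
        parser = self.subparsers.add_parser("gcp",
                                            parents=[self.common_providers_args_parser],
                                            help="Run Scout against a Google Cloud Platform account")

        gcp_parser = parser.add_argument_group('Authentication modes')
        gcp_auth_modes = gcp_parser.add_mutually_exclusive_group(required=True)

        gcp_auth_modes.add_argument('-u', '--user-account',
                                    action='store_true',
                                    help='Run Scout with a Google Account')

        gcp_auth_modes.add_argument('-s', '--service-account',
                                    action='store',
                                    metavar="KEY_FILE",
                                    help='Run Scout with a Google Service Account with the specified '
                                         'Google Service Account Application Credentials file')

        gcp_scope = parser.add_argument_group('Additional arguments')

        gcp_scope.add_argument('--project-id',
                               action='store',
                               help='ID of the GCP Project to scan')

        gcp_scope.add_argument('--folder-id',
                               action='store',
                               help='ID of the GCP Folder to scan')

        gcp_scope.add_argument('--organization-id',
                               action='store',
                               help='ID of the GCP Organization to scan')

        gcp_scope.add_argument('--all-projects',
                               action='store_true',
                               help='Scan all of the accessible projects')

    def _init_azure_parser(self):
        """Register the `azure` sub-command; exactly one authentication mode is required."""
        parser = self.subparsers.add_parser("azure",
                                            parents=[self.common_providers_args_parser],
                                            help="Run Scout against a Microsoft Azure account")

        azure_parser = parser.add_argument_group('Authentication modes')
        azure_auth_params = parser.add_argument_group('Authentication parameters')

        azure_auth_modes = azure_parser.add_mutually_exclusive_group(required=True)

        # az-cli authentication
        azure_auth_modes.add_argument('-c', '--cli',
                                      action='store_true',
                                      help='Run Scout using configured azure-cli credentials')

        # username/password authentication
        azure_auth_modes.add_argument('--user-account',
                                      action='store_true',
                                      help='Run Scout with user credentials')
        azure_auth_params.add_argument('-u', '--username',
                                       action='store',
                                       default=None,
                                       dest='username',
                                       help='Username of the Azure account')
        azure_auth_params.add_argument('-p', '--password',
                                       action='store',
                                       default=None,
                                       dest='password',
                                       help='Password of the Azure account')

        # username/password authentication via browser
        azure_auth_modes.add_argument('--user-account-browser',
                                      action='store_true',
                                      help='Run Scout with user credentials, authenticating through a browser (useful when MFA is enforced)')

        # Service Principal authentication
        azure_auth_modes.add_argument('-s', '--service-principal',
                                      action='store_true',
                                      help='Run Scout with an Azure Service Principal')
        azure_auth_params.add_argument('--client-id',
                                       action='store',
                                       dest='client_id',
                                       help='Client ID of the service principal')
        # Help text previously read 'Client of the service principal', which did not say
        # that this option carries the secret.
        azure_auth_params.add_argument('--client-secret',
                                       action='store',
                                       dest='client_secret',
                                       help='Client secret of the service principal')

        # Service Principal credentials in an auth file
        azure_auth_modes.add_argument('--file-auth',
                                      action='store',
                                      type=argparse.FileType('rb'),
                                      dest='file_auth',
                                      metavar="FILE",
                                      help='Run Scout with the specified credential file')

        # Managed Service Identity (MSI) authentication
        azure_auth_modes.add_argument('-m', '--msi',
                                      action='store_true',
                                      help='Run Scout with Managed Service Identity')

        # Additional arguments
        azure_scope = parser.add_argument_group('Additional arguments')

        azure_scope.add_argument('--tenant',
                                 action='store',
                                 dest='tenant_id',
                                 help='ID of the Tenant (Directory) to scan')
        azure_scope.add_argument('--subscriptions',
                                 action='store',
                                 default=[],
                                 nargs='+',
                                 dest='subscription_ids',
                                 help='IDs (separated by spaces) of the Azure subscription(s) to scan. '
                                      'By default, only the default subscription will be scanned.')
        azure_scope.add_argument('--all-subscriptions',
                                 action='store_true',
                                 dest='all_subscriptions',
                                 help='Scan all of the accessible subscriptions')

    def _init_aliyun_parser(self):
        """Register the `aliyun` sub-command (access-key authentication)."""
        parser = self.subparsers.add_parser("aliyun",
                                            parents=[self.common_providers_args_parser],
                                            help="Run Scout against an Alibaba Cloud account")

        aliyun_parser = parser.add_argument_group('Authentication modes')
        aliyun_auth_params = parser.add_argument_group('Authentication parameters')

        aliyun_auth_modes = aliyun_parser.add_mutually_exclusive_group(required=True)

        aliyun_auth_modes.add_argument('--access-keys',
                                       action='store_true',
                                       help='Run Scout with user credentials')
        aliyun_auth_params.add_argument('-k', '--access-key-id',
                                        action='store',
                                        default=None,
                                        dest='access_key_id',
                                        help='Access Key Id')
        aliyun_auth_params.add_argument('-s', '--access-key-secret',
                                        action='store',
                                        default=None,
                                        dest='access_key_secret',
                                        help='Access Key Secret')

    def _init_oci_parser(self):
        """Register the `oci` sub-command (profile-based authentication)."""
        oci_parser = self.subparsers.add_parser("oci",
                                                parents=[self.common_providers_args_parser],
                                                help="Run Scout against an Oracle Cloud Infrastructure account")

        parser = oci_parser.add_argument_group('Authentication parameters')

        parser.add_argument('-p', '--profile',
                            dest='profile',
                            default=None,
                            help='Name of the profile')

    def _init_do_parser(self):
        """Register the `do` sub-command (API token plus optional Spaces key pair)."""
        do_parser = self.subparsers.add_parser("do",
                                               parents=[self.common_providers_args_parser],
                                               help="Run Scout against an DigitalOcean account")

        parser = do_parser.add_argument_group('Authentication parameters')

        parser.add_argument('-t', '--token',
                            action='store',
                            default=None,
                            dest='token',
                            help='DO Token')

        parser.add_argument('--access_key',
                            action='store',
                            default=None,
                            dest='access_key',
                            help='Spaces Access Key ID')

        parser.add_argument('--access_secret',
                            action='store',
                            default=None,
                            dest='access_secret',
                            help='Spaces Secret Access Key')

    def _init_kubernetes_parser(self):
        """Register the `kubernetes` sub-command with its cluster-selection arguments."""
        kubernetes_parser = self.subparsers.add_parser("kubernetes",
                                                       parents=[self.common_providers_args_parser],
                                                       help="Run Scout against a Kubernetes cluster")

        kubernetes_scope = kubernetes_parser.add_argument_group('Additional arguments')

        kubernetes_scope.add_argument('-c', '--cluster-provider',
                                      dest='kubernetes_cluster_provider',
                                      default=None,
                                      choices=['aks', 'eks', 'gke'],
                                      help='Cluster contexts to scan. If no cloud provider is specified, ScoutSuite will use the default Kubernetes configuration.')

        kubernetes_scope.add_argument('--config-file',
                                      dest='kubernetes_config_file',
                                      default=None,
                                      help='Name of the kube-config file. By default, it will use Kubernetes\' default directory.')

        kubernetes_scope.add_argument('--context',
                                      dest='kubernetes_context',
                                      default=None,
                                      help='Cluster context to scan. By default, current_context from config file will be used.')

        kubernetes_scope.add_argument('--do-not-persist-config',
                                      dest='kubernetes_persist_config',
                                      action='store_false',
                                      default=True,
                                      help='If specified, config file will NOT be updated when changed (e.g GCP token refresh).')

        kubernetes_scope.add_argument('--subscription-id',
                                      dest='kubernetes_azure_subscription_id',
                                      action='store',
                                      default=None,
                                      help='If unspecified, the default subscription will be used.')

    def _init_common_args_parser(self):
        """Populate the argument group shared by every provider sub-command."""
        parser = self.common_providers_args_parser.add_argument_group('Scout Arguments')

        parser.add_argument('-f', '--force',
                            dest='force_write',
                            default=False,
                            action='store_true',
                            help='Overwrite existing files')
        parser.add_argument('-l', '--local',
                            dest='fetch_local',
                            default=False,
                            action='store_true',
                            help='Use local data previously fetched and re-run the analysis.')
        parser.add_argument('--max-rate',
                            dest='max_rate',
                            type=int,
                            default=None,
                            help='Maximum number of API requests per second')
        parser.add_argument('--debug',
                            dest='debug',
                            default=False,
                            action='store_true',
                            help='Print the stack trace when exception occurs')
        parser.add_argument('--quiet',
                            dest='quiet',
                            default=False,
                            action='store_true',
                            help='Disables CLI output')
        parser.add_argument('--logfile',
                            dest='log_file',
                            default=None,
                            action='store',
                            nargs='?',
                            help='Additional output to the specified file')
        # parser.add_argument('--resume',
        #                     dest='resume',
        #                     default=False,
        #                     action='store_true',
        #                     help='Complete a partial (throttled) run')
        parser.add_argument('--update',
                            dest='update',
                            default=False,
                            action='store_true',
                            help='Reload all the existing data and only overwrite data in scope for this run')
        parser.add_argument('--ruleset',
                            dest='ruleset',
                            default='default.json',
                            nargs='?',
                            help='Set of rules to be used during the analysis.')
        parser.add_argument('--no-browser',
                            dest='no_browser',
                            default=False,
                            action='store_true',
                            help='Do not automatically open the report in the browser.')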
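# ScoutSuiteArgumentParser._init_common_args_parser, continued: report, scope and result-serving options.
        parser.add_argument('--max-workers',
                            dest='max_workers',
                            type=int,
                            default=10,
                            help='Maximum number of threads (workers) used by Scout Suite (default is 10)')
        parser.add_argument('--report-dir',
                            dest='report_dir',
                            default=None,
                            help='Path of the Scout report.')
        parser.add_argument('--report-name',
                            dest='report_name',
                            default=None,
                            help='Name of the Scout report.')
        parser.add_argument('--timestamp',
                            dest='timestamp',
                            default=False,
                            nargs='?',
                            help='Timestamp added to the name of the report (default is current time in UTC).')
        parser.add_argument('--services',
                            dest='services',
                            default=[],
                            nargs='+',
                            help='Name of in-scope services, defaults to all.')
        parser.add_argument('--list-services',
                            dest='list_services',
                            default=False,
                            action='store_true',
                            help='List available services.')
        parser.add_argument('--skip',
                            dest='skipped_services',
                            default=[],
                            nargs='+',
                            help='Name of out-of-scope services.')
        parser.add_argument('--exceptions',
                            dest='exceptions',
                            default=None,
                            nargs='?',
                            help='Exception file to use during analysis.')
        parser.add_argument('--result-format',
                            dest='result_format',
                            default='json',
                            type=str,
                            choices=['json', 'sqlite'],
                            help="[EXPERIMENTAL FEATURE] The database file format to use. JSON doesn't require a server to view the report, "
                                 "but cannot be viewed if the result file is over 400mb.")
        parser.add_argument('--serve',
                            dest="database_name",
                            default=None,
                            const=True,
                            nargs="?",
                            help="[EXPERIMENTAL FEATURE] Serve the specified result database on the server to show the report. "
                                 "This must be used when the results are exported as an sqlite database.")
        # NOTE(review): the default keeps the result server on loopback. A non-loopback
        # --host makes the served report (cloud configuration data) reachable from the
        # network; whether the server authenticates clients is not visible here.
        parser.add_argument('--host',
                            dest="host_ip",
                            default="127.0.0.1",
                            help="[EXPERIMENTAL FEATURE] Address on which you want the server to listen. Defaults to localhost.")
        parser.add_argument('--port',
                            dest="host_port",
                            type=int,
                            default=8000,
                            help="[EXPERIMENTAL FEATURE] Port on which you want the server to listen. Defaults to 8000.")

    def parse_args(self, args=None):
        """
        Parse the arguments and enforce the cross-argument rules argparse cannot express.

        :param args:                    Argument list; None lets argparse read the process arguments
        :return:                        The parsed namespace (parser.error() exits on invalid combinations)
        """
        args = self.parser.parse_args(args)

        # Cannot simply use required for backward compatibility
        if not args.provider:
            self.parser.error('You need to input a provider')

        # If local analysis, overwrite results
        if args.__dict__.get('fetch_local'):
            args.force_write = True

        # Test conditions
        v = vars(args)
        # AWS
        if v.get('provider') == 'aws':
            # Both halves of the key pair are required; supplying only one used to pass this check
            if v.get('aws_access_keys') and not (v.get('aws_access_key_id') and v.get('aws_secret_access_key')):
                self.parser.error('When running with --access-keys, you must provide an Access Key ID '
                                  'and Secret Access Key.')
        # Azure
        elif v.get('provider') == 'azure':
            if v.get('tenant_id') and not (v.get('service_principal') or v.get('user_account_browser') or v.get('user_account')):
                self.parser.error('--tenant can only be set when using --user-account-browser or --user-account or '
                                  '--service-principal authentication')
            if v.get('service_principal') and not v.get('tenant_id'):
                self.parser.error('You must provide --tenant when using --service-principal authentication')
            if v.get('user_account_browser') and not v.get('tenant_id'):
                self.parser.error('You must provide --tenant when using --user-account-browser authentication')
            if v.get('user_account') and not v.get('tenant_id'):
                self.parser.error('You must provide --tenant when using --user-account authentication')
            if v.get('subscription_ids') and v.get('all_subscriptions'):
                # The option is registered as --subscriptions (dest subscription_ids)
                self.parser.error('--subscriptions and --all-subscriptions are mutually exclusive options')
        # DigitalOcean
        elif v.get('provider') == 'do':
            if (v.get('access_key') or v.get('access_secret')) and not (v.get('access_key') and v.get('access_secret')):
                self.parser.error('For DO Spaces service please provide both --access_key and --access_secret')
        # Kubernetes
        elif v.get('provider') == 'kubernetes':
            cluster_provider = v.get('kubernetes_cluster_provider')
            # change ruleset based on cluster provider
            if cluster_provider:
                args.ruleset = f'{cluster_provider}.json'
            # only use subscription_id if kubernetes_cluster_provider is 'aks'
            if cluster_provider != 'aks' and v.get('kubernetes_azure_subscription_id'):
                self.parser.error('--subscription-id is only used when analyzing AKS clusters')

        return args


================================================
FILE: ScoutSuite/core/conditions.py
================================================
import datetime
import dateutil.parser
import json
import netaddr
import re
import ipaddress

from policyuniverse.expander_minimizer import get_actions_from_statement, _expand_wildcard_action

from ScoutSuite.core.console import print_error, print_exception

# Matches a dynamic reference of the form _GET_VALUE_AT_(<path>) and captures <path>
re_get_value_at = re.compile(r'_GET_VALUE_AT_\((.*?)\)')
# Matches from the first _GET_VALUE_AT_( to the end of the string (used to unwrap nesting)
re_nested_get_value_at = re.compile(r'_GET_VALUE_AT_\(.*')


def pass_conditions(all_info, current_path, conditions, unknown_as_pass_condition=False):
    """
    Check that all conditions are passed for the current path.

    `conditions` is a list whose first item is the operator ('and' / 'or') and whose
    remaining items are either nested condition lists or
    [path to value, test name, test value(s)] triples. The list is not modified.

    A test that raises is logged and counted as failed unless
    unknown_as_pass_condition is set, so with the default a rule whose test cannot
    be evaluated does not match the resource.

    :param all_info:        All of the services' data
    :param current_path:    The value of the `path` variable defined in the finding file
    :param conditions:      The conditions to check as defined in the finding file
    :param unknown_as_pass_condition:   Consider an undetermined condition as passed
    :return:                True when the conditions are met (always True for an empty list)
    """

    # Fixes circular dependency
    from ScoutSuite.providers.base.configs.browser import get_value_at

    if len(conditions) == 0:
        return True
    # Read the operator without popping it, so the caller's rule definition stays intact
    condition_operator = conditions[0]
    for condition in conditions[1:]:
        if condition[0] in ['and', 'or']:
            res = pass_conditions(all_info, current_path, condition, unknown_as_pass_condition)
        else:
            # Conditions are formed as "path to value", "type of test", "value(s) for test"
            path_to_value, test_name, test_values = condition
            path_to_value = fix_path_string(all_info, current_path, path_to_value)
            target_obj = get_value_at(all_info, current_path, path_to_value)
            if type(test_values) != list and type(test_values) != dict:
                dynamic_value = re_get_value_at.match(test_values)
                if dynamic_value:
                    test_values = get_value_at(all_info, current_path, dynamic_value.groups()[0], True)
            try:
                res = pass_condition(target_obj, test_name, test_values)
            except Exception as e:
                res = True if unknown_as_pass_condition else False
                print_exception('Unable to process testcase \'%s\' on value \'%s\', interpreted as %s: %s' %
                                (test_name, str(target_obj), res, e))

        # Quick exit and + false
        if condition_operator == 'and' and not res:
            return False

        # Quick exit or + true
        if condition_operator == 'or' and res:
            return True

    return not condition_operator == 'or'


def pass_condition(b, test, a):
    """
    Generic test function used by Scout.

    As called from pass_conditions(), `b` is the value read from the collected
    configuration and `a` is the reference value (or list of values) from the rule.

    Regex-based tests use re.match, which anchors at the start of the string only:
    a pattern without a trailing `$` also accepts longer values.

    :param b:               Value read from the configuration
    :param test:            Name of the test case to run
    :param a:               Reference value(s) the configuration value is tested against
    :return:                True of condition is met, False otherwise
    :raises Exception:      When the test name is unknown (conversion errors propagate too)
    """

    # Return false by default
    result = False

    # Equality tests
    if test == 'equal':
        a = str(a)
        b = str(b)
        result = (a == b)
    elif test == 'notEqual':
        result = (not pass_condition(b, 'equal', a))

    # More/Less tests
    elif test == 'lessThan':
        result = (int(b) < int(a))
    elif test == 'lessOrEqual':
        result = (int(b) <= int(a))
    elif test == 'moreThan':
        result = (int(b) > int(a))
    elif test == 'moreOrEqual':
        result = (int(b) >= int(a))

    # Empty tests
    elif test == 'empty':
        result = ((type(b) == dict and b == {}) or (type(b) == list and b == []) or (type(b) == list and b == [None]))
    elif test == 'notEmpty':
        # 'empty' ignores its reference value; pass `a` through like the other negated tests
        result = (not pass_condition(b, 'empty', a))
    elif test == 'null':
        result = ((b is None) or (type(b) == str and b == 'None'))
    elif test == 'notNull':
        result = (not pass_condition(b, 'null', a))

    # Boolean tests
    elif test == 'true':
        result = (str(b).lower() == 'true')
    elif test == 'notTrue' or test == 'false':
        result = (str(b).lower() == 'false')

    # Object length tests
    elif test == 'lengthLessThan':
        result = (len(b) < int(a))
    elif test == 'lengthMoreThan':
        result = (len(b) > int(a))
    elif test == 'lengthEqual':
        result = (len(b) == int(a))

    # Dictionary keys tests
    elif test == 'withKey':
        result = a in b
    elif test == 'withoutKey':
        result = a not in b
    elif test == 'withKeyCaseInsensitive':
        result = a.lower() in map(str.lower, b)
    elif test == 'withoutKeyCaseInsensitive':
        result = a.lower() not in map(str.lower, b)

    # String test
    elif test == 'containString':
        if not type(b) == str:
            b = str(b)
        if not type(a) == str:
            a = str(a)
        result = a in b
    elif test == 'notContainString':
        if not type(b) == str:
            b = str(b)
        if not type(a) == str:
            a = str(a)
        result = a not in b

    # List tests
    elif test == 'containAtLeastOneOf':
        result = False
        if not type(b) == list:
            b = [b]
        if not type(a) == list:
            a = [a]
        for c in b:
            if type(c) != dict:
                c = str(c)
            if c in a:
                result = True
                break
    elif test == 'containAtLeastOneDifferentFrom':
        result = False
        if not type(b) == list:
            b = [b]
        if not type(a) == list:
            a = [a]
        for c in b:
            if c and c != '' and c not in a:
                result = True
                break
    elif test == 'containNoneOf':
        result = True
        if not type(b) == list:
            b = [b]
        if not type(a) == list:
            a = [a]
        for c in b:
            if c in a:
                result = False
                break
    elif test == 'containAtLeastOneMatching':
        result = False
        for item in b:
            if re.match(a, item):
                result = True
                break

    # Regex tests
    elif test == 'match':
        if type(a) != list:
            a = [a]
        b = str(b)
        for c in a:
            if re.match(c, b):
                result = True
                break
    elif test == 'matchInList':
        if type(a) != list:
            a = [a]
        if type(b) != list:
            b = [b]
        for c in a:
            for d in b:
                if re.match(c, d):
                    result = True
                    break
            if result:
                break
    elif test == 'notMatch':
        result = (not pass_condition(b, 'match', a))

    # Date tests
    elif test == 'priorToDate':
        # Time zone information is dropped on both sides before comparing
        b = dateutil.parser.parse(str(b)).replace(tzinfo=None)
        a = dateutil.parser.parse(str(a)).replace(tzinfo=None)
        result = (b < a)
    elif test == 'olderThan':
        age, threshold = __prepare_age_test(a, b)
        result = (age > threshold)
    elif test == 'newerThan':
        age, threshold = __prepare_age_test(a, b)
        result = (age < threshold)

    # CIDR tests
    elif test == 'inSubnets':
        result = False
        grant = netaddr.IPNetwork(b)
        if type(a) != list:
            a = [a]
        for c in a:
            known_subnet = netaddr.IPNetwork(c)
            if grant in known_subnet:
                result = True
                break
    elif test == 'notInSubnets':
        result = (not pass_condition(b, 'inSubnets', a))
    elif test == 'isSubnetRange':
        # A range is any network holding more than one address. Comparing the prefix
        # with "/32" only worked for IPv4: an IPv6 /128 host was reported as a range
        # and an IPv6 /32 network as a single host.
        result = ipaddress.ip_network(b, strict=False).num_addresses > 1
    elif test == 'isPrivateSubnet':
        # is_private follows the ipaddress module's definition, which is wider than RFC 1918
        result = ipaddress.ip_network(b, strict=False).is_private
    elif test == 'isPublicSubnet':
        result = not ipaddress.ip_network(b, strict=False).is_private

    # Port/port ranges tests
    elif test == 'portsInPortList':
        result = False
        if not type(b) == list:
            b = [b]
        if not type(a) == list:
            a = [a]
        for port_range in b:
            if '-' in port_range:
                bottom_limit_port = int(port_range.split('-')[0])
                upper_limit_port = int(port_range.split('-')[1])
                for port in a:
                    if type(port) != int:
                        port = int(port)
                    if bottom_limit_port <= port <= upper_limit_port:
                        result = True
                        break
            else:  #A single port
                # NOTE(review): unlike the range branch, this compares without converting
                # types, so an int port never equals a string port - confirm rule data types
                for port in a:
                    if port == port_range:
                        result = True
                        break

    # Policy statement tests
    elif test == 'containAction':
        result = False
        if type(b) != dict:
            b = json.loads(b)
        statement_actions = get_actions_from_statement(b)
        rule_actions = _expand_wildcard_action(a)
        for action in rule_actions:
            if action.lower() in statement_actions:
                result = True
                break
    elif test == 'notContainAction':
        result = (not pass_condition(b, 'containAction', a))
    elif test == 'containAtLeastOneAction':
        result = False
        if type(b) != dict:
            b = json.loads(b)
        if type(a) != list:
            a = [a]
        actions = get_actions_from_statement(b)
        for c in a:
            if c.lower() in actions:
                result = True
                break

    # Policy principal tests
    elif test == 'isCrossAccount':
        result = False
        if type(b) != list:
            b = [b]
        for c in b:
            if type(c) == dict and 'AWS' in c:
                c = c['AWS']
            if c != a and not re.match(r'arn:aws:iam:.*?:%s:.*' % a, c):
                result = True
                break
    elif test == 'isSameAccount':
        result = False
        if type(b) != list:
            b = [b]
        for c in b:
            if c == a or re.match(r'arn:aws:iam:.*?:%s:.*' % a, c):
                result = True
                break
    elif test == 'isAccountRoot':
        result = False
        if type(b) != list:
            b = [b]
        for c in b:
            if type(c) == dict and 'AWS' in c:
                c = c['AWS']
            if type(c) != list:
                c = [c]
            for i in c:
                if i == a or re.match(r'arn:aws:iam:.*?:%s:root' % a, i):
                    result = True
                    break

    # Unknown test case
    else:
        print_error('Error: unknown test case %s' % test)
        raise Exception('unknown test case %s' % test)

    return result


def fix_path_string(all_info, current_path, path_to_value):
    """
    Resolve every _GET_VALUE_AT_(...) reference found in a path string.

    Nested references are resolved innermost first; each one is replaced by the
    value get_value_at() returns for it, until none is left.

    :param all_info:        All of the services' data
    :param current_path:    The path of the resource being evaluated
    :param path_to_value:   Path string that may contain _GET_VALUE_AT_(...) references
    :return:                The path string with all references substituted
    """
    # Fixes circular dependency
    from ScoutSuite.providers.base.configs.browser import get_value_at
    # handle nested _GET_VALUE_AT_...
    while True:
        dynamic_path = re_get_value_at.findall(path_to_value)
        if len(dynamic_path) == 0:
            break
        for dp in dynamic_path:
            tmp = dp
            while True:
                nested = re_nested_get_value_at.findall(tmp)
                if len(nested) == 0:
                    break
                tmp = nested[0].replace('_GET_VALUE_AT_(', '', 1)
            dv = get_value_at(all_info, current_path, tmp)
            path_to_value = path_to_value.replace('_GET_VALUE_AT_(%s)' % tmp, dv)
    return path_to_value


def __prepare_age_test(a, b):
    """
    Compute the age of a timestamp and the threshold it is compared with.

    :param a:               [N, unit] with unit in days, hours, minutes or seconds
    :param b:               Timestamp (anything dateutil can parse once converted to str)
    :return:                (age, threshold): both in days when unit is 'days',
                            both in seconds otherwise
    :raises Exception:      When `a` is not a list or the unit is not supported
    """
    if type(a) != list:
        print_error('Error: olderThan requires a list such as [ N , \'days\' ] or [ M, \'hours\'].')
        raise Exception
    number = int(a[0])
    unit = a[1]
    if unit not in ['days', 'hours', 'minutes', 'seconds']:
        print_error('Error: only days, hours, minutes, and seconds are supported.')
        raise Exception
    if unit == 'hours':
        number *= 3600
        unit = 'seconds'
    elif unit == 'minutes':
        number *= 60
        unit = 'seconds'
    # NOTE(review): today() is local time while the parsed timestamp only has its
    # time zone stripped, so the age can be off by the local UTC offset - confirm
    elapsed = datetime.datetime.today() - dateutil.parser.parse(str(b)).replace(tzinfo=None)
    if unit == 'days':
        age = elapsed.days
    else:
        # timedelta.seconds is only the sub-day remainder (0..86399); thresholds given
        # in hours, minutes or seconds need the full elapsed time
        age = elapsed.total_seconds()
    return age, number


================================================
FILE: ScoutSuite/core/console.py
================================================
import logging
import platform
import os
import sys
import traceback

import coloredlogs

from ScoutSuite import ERRORS_LIST

########################################
# Output configuration
########################################

verbose_exceptions = False
logger = logging.getLogger('scout')


def set_logger_configuration(is_debug=False, quiet=False, output_file_path=None):
    """
    Configure whether full stacktraces should be dumped in the console output
    """

    # set debug level
    global verbose_exceptions
    verbose_exceptions = is_debug

    # if "quiet" is set, don't output anything
    if quiet: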
coloredlogs.install(level='ERROR', logger=logger) else: coloredlogs.install(level='DEBUG' if is_debug else 'INFO', logger=logger) if output_file_path: # For some reason, hostname information is not passed to the FileHandler # Add it using a filter class HostnameFilter(logging.Filter): hostname = platform.node() def filter(self, record): record.hostname = HostnameFilter.hostname return True # create file handler which logs messages fh = logging.FileHandler(output_file_path, 'w+') # Add filter to add hostname information fh.addFilter(HostnameFilter()) # create formatter and add it to the handlers formatter = logging.Formatter(fmt='%(asctime)s %(hostname)s %(name)s[%(process)d] %(levelname)s %(message)s', datefmt='%Y-%m-%d %H:%M:%S') fh.setFormatter(formatter) # add the handlers to the logger logger.addHandler(fh) ######################################## # Output functions ######################################## def print_generic(msg): logger.info(msg) def print_info(msg): print_generic(msg) def print_debug(msg): logger.debug(msg) def print_error(msg): logger.error(msg) def print_warning(msg): logger.warning(msg) def print_exception(exception, additional_details=None): try: exc = True exc_type, exc_obj, exc_tb = sys.exc_info() if exc_tb and traceback: file_name = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1] line_number = exc_tb.tb_lineno traceback_exc = traceback.format_exc() str = f'{file_name} L{line_number}: {exception}' else: file_name = None line_number = None traceback_exc = None str = f'{exception}' exc = False # if there isn't an actual exception then it's pointless except Exception as e: file_name = None line_number = None traceback_exc = None str = f'{exception}' if verbose_exceptions and exc: logger.exception(str) else: logger.error(str) ERRORS_LIST.append({'file': file_name, 'line': line_number, 'exception': f'{exception}', 'traceback': f'{traceback_exc}', 'additional_details': additional_details}) ######################################## # Prompt 
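# functions
########################################

def prompt(test_input=None):
    """
    Read one answer from the user, or from ``test_input`` when testing.

    :param test_input:  Value to be returned when testing; a list is consumed
                        front-first and yields '' once it is empty
    :return:            Value typed by user (or passed in argument when testing)
    """
    if test_input is None:
        return input()
    if type(test_input) == list:
        return test_input.pop(0) if len(test_input) else ''
    return test_input


def prompt_overwrite(filename, force_write, test_input=None):
    """
    Prompt whether the file should be overwritten

    :param filename:        Name of the file about to be written
    :param force_write:     Skip confirmation prompt if this flag is set
    :param test_input:      Used for unit testing
    :return:                Boolean whether file write operation is allowed
    """
    if not os.path.exists(filename) or force_write:
        return True
    return prompt_yes_no(f'File \'{filename}\' already exists. Do you want to overwrite it',
                         test_input=test_input)


def prompt_value(question, choices=None, default=None, display_choices=True, display_indices=False,
                 authorize_list=False, is_question=False, no_confirm=False, required=True, regex=None,
                 regex_format='', max_laps=5, test_input=None, return_index=False):
    """
    Prompt for a value

    :param question:            Question to be asked
    :param choices:             List of authorized answers
    :param default:             Value suggested by default
    :param display_choices:     Display accepted choices
    :param display_indices:     Display the index in the list next to the choice
    :param authorize_list:      Set to true if a list of answers may be accepted
    :param is_question:         Set to true to append a question mark
    :param no_confirm:          Set to true to not prompt for a confirmation of the value
    :param required:            Set to false if an empty answer is authorized
    :param regex:               Compiled pattern; the answer must ``match`` it
    :param regex_format:        Text shown when the answer does not match ``regex``
    :param max_laps:            Exit after N laps
    :param test_input:          Used for unit testing
    :param return_index:        Return the selected index instead of the value
    :return:                    The accepted value (or index), None after ``max_laps`` laps
    """

    int_choice = 0

    if choices and display_choices and not display_indices:
        question = question + ' (' + '/'.join(choices) + ')'
    # Append the question mark once; doing it inside the loop added one per lap
    if is_question:
        question = question + '? '
    lap_n = 0
    while True:
        if lap_n >= max_laps:
            print_error('Automatically aborting prompt loop after %d failures' % max_laps)
            return None
        lap_n += 1
        can_return = False
        # Display the question, choices, and prompt for the answer
        print_error(question)
        if choices and display_indices:
            for position, c in enumerate(choices):
                print_error('%3d. %s' % (position, c))
            print_error('Enter the number corresponding to your choice: ')
        choice = prompt(test_input)
        # Set the default value if empty choice
        if not choice or choice == '':
            if default:
                # test_input is forwarded so this confirmation never falls
                # back to reading stdin while a test is driving the prompt
                if no_confirm or prompt_yes_no('Use the default value (' + default + ')',
                                               test_input=test_input):
                    # return default
                    choice = default
                    can_return = True
            elif not required:
                can_return = True
            else:
                print_error('Error: you cannot leave this parameter empty.')
        # Validate the value against a whitelist of choices
        elif choices:
            user_choices = [item.strip() for item in choice.split(',')]
            if not authorize_list and len(user_choices) > 1:
                print_error(
                    'Error: multiple values are not supported; please enter a single value.')
            else:
                choice_valid = True
                selected = None
                if display_indices:
                    # A non-numeric answer used to raise ValueError here and a
                    # negative one indexed from the end of the list; both now
                    # fall through to the by-name check below.
                    try:
                        selected = int(choice)
                    except ValueError:
                        selected = None
                    if selected is not None and not 0 <= selected < len(choices):
                        selected = None
                if selected is not None:
                    int_choice = selected
                    choice = choices[selected]
                else:
                    for c in user_choices:
                        if c not in choices:
                            print_error('Invalid value (%s).' % c)
                            choice_valid = False
                            break
                if choice_valid:
                    can_return = True
        # Validate against a regex
        elif regex:
            if regex.match(choice):
                # return choice
                can_return = True
            else:
                print_error('Error: expected format is: %s' % regex_format)
        else:
            # No automated validation, can attempt to return
            can_return = True
        if can_return:
            # Manually confirm that the entered value is correct if needed
            if no_confirm or prompt_yes_no('You entered "' + choice + '". Is that correct',
                                           test_input=test_input):
                return int(int_choice) if return_index else choice


def prompt_yes_no(question, test_input=None):
    """
    Prompt for a yes/no or y/n answer

    :param question:        Question to be asked
    :param test_input:      Used for unit testing
    :return:                True for yes/y, False for no/n, None once more than
                            three invalid answers were given
    """
    count = 0
    while True:
        print_error(question + ' (y/n)? ')
        choice = prompt(test_input).lower()
        if choice in ('yes', 'y'):
            return True
        if choice in ('no', 'n'):
            return False
        count += 1
        print_error('\'%s\' is not a valid answer. Enter \'yes\'(y) or \'no\'(n).' % choice)
        if count > 3:
            return None


================================================
FILE: ScoutSuite/core/exceptions.py
================================================
from ScoutSuite.core.console import print_debug
from ScoutSuite.output.result_encoder import JavaScriptEncoder


class RuleExceptions:
    """
    Exceptions handling

    Items listed in the exceptions file are removed from the findings and no
    longer counted as flagged, so that file decides what the report leaves out.
    """

    def __init__(self, file_path=None):
        """
        :param file_path:   Passed to ``JavaScriptEncoder.load_from_file``
        """
        self.jsrw = JavaScriptEncoder()
        self.exceptions = self.jsrw.load_from_file(file_type='EXCEPTIONS', file_path=file_path, first_line=True)

    def process(self, cloud_provider):
        """
        Drop excepted items from ``cloud_provider.services[...]['findings']``.

        :param cloud_provider:  Object whose ``services`` dict holds the findings
        :return:                None
        """
        for service in self.exceptions:
            findings = cloud_provider.services[service]['findings']
            for rule in self.exceptions[service]:
                if rule not in findings:
                    print_debug('Warning:: key error should not be happening')
                    continue
                excepted = self.exceptions[service][rule]
                kept_items = [item for item in findings[rule]['items'] if item not in excepted]
                findings[rule]['items'] = kept_items
                findings[rule]['flagged_items'] = len(kept_items)


================================================
FILE: ScoutSuite/core/fs.py
================================================
import datetime
import json
import os

from ScoutSuite.core.console import print_exception, prompt_overwrite, print_info
from ScoutSuite.core.conditions import pass_condition


class CustomJSONEncoder(json.JSONEncoder):
    """
    JSON encoder class
    """

    def default(self, o):
        """
        :param o:   Object the stock encoder could not serialise
        :return:    ``str(o)`` for datetimes, otherwise ``o.__dict__``
        """
        if isinstance(o, datetime.datetime):
            return str(o)
        # NOTE(review): any other object is dumped attribute by attribute, so
        # a secret kept on such an object would be written out; confirm that
        # callers never hand one to this encoder.
        return o.__dict__


def load_data(data_file, key_name=None, local_file=False):
    """
    Load a JSON data file

    :param data_file:   File name; absolute, relative to the working directory
                        (``local_file``) or relative to the bundled data folder
    :param key_name:    If set, return only this top-level key
    :param local_file:  Resolve ``data_file`` locally instead of in ../data
    :return:            The decoded JSON, or the value at ``key_name``
    """
    if local_file:
        if os.path.isabs(data_file):
            src_file = data_file
        else:
            src_file = os.path.join(os.getcwd(), data_file)
    else:
        # NOTE(review): the name is joined as given, so '..' segments or an
        # absolute name leave the data folder; pass trusted file names only.
        src_dir = os.path.join(os.path.dirname(os.path.realpath(__file__)), '../data')
        src_file = os.path.join(src_dir, data_file)
    with open(src_file) as f:
        data = json.load(f)
    if key_name:
        data = data[key_name]
    return data


def read_ip_ranges(filename, local_file=True, ip_only=False, conditions=None):
    """
    Returns the list of IP prefixes from an ip-ranges file

    :param filename:    ip-ranges file; it may instead name a ``source`` file
                        together with the ``conditions`` used to filter it
    :param local_file:  Passed to ``load_data`` for ``filename``
    :param ip_only:     Return only the ``ip_prefix`` of each entry
    :param conditions:  List of ``[key, test, value]`` filters
    :return:            List of prefixes (entries, or strings if ``ip_only``)
    """
    if not conditions:
        conditions = []
    targets = []
    data = load_data(filename, local_file=local_file)
    if 'source' in data:
        # Filtered IP ranges
        conditions = data['conditions']
        local_file = data['local_file'] if 'local_file' in data else False
        data = load_data(data['source'], local_file=local_file, key_name='prefixes')
    else:
        # Plain IP ranges
        data = data['prefixes']
    for d in data:
        condition_passed = True
        for condition in conditions:
            # Anything that is not a [key, test, value] list is ignored
            if type(condition) != list or len(condition) < 3:
                continue
            condition_passed = pass_condition(d[condition[0]], condition[1], condition[2])
            if not condition_passed:
                break
        if condition_passed:
            targets.append(d)
    if ip_only:
        return [t['ip_prefix'] for t in targets]
    return targets


def save_blob_as_json(filename, blob, force_write):
    """
    Creates/Modifies file and saves python object as JSON

    :param filename:        File to write
    :param blob:            Object to serialise with CustomJSONEncoder
    :param force_write:     Overwrite without asking
    :return:                None; failures are reported through print_exception
    """
    try:
        if prompt_overwrite(filename, force_write):
            payload = json.dumps(blob, indent=4, separators=(',', ': '), sort_keys=True, cls=CustomJSONEncoder)
            with open(filename, 'wt') as f:
                # The file used to be opened (and truncated) while the JSON was
                # sent to the logger instead: nothing was saved and the whole
                # blob ended up in the console / log file.
                f.write(payload + '\n')
    except Exception as e:
        print_exception(e)


================================================
FILE: ScoutSuite/core/processingengine.py
================================================
from ScoutSuite.core.console import print_debug, print_exception
from ScoutSuite.utils import manage_dictionary
from ScoutSuite.core.utils import recurse


class ProcessingEngine:
    """
    Runs the enabled rules of a ruleset against a provider's services and
    stores the outcome under ``services[<service>][<rule_type>]``.
    """

    def __init__(self, ruleset):
        """
        :param ruleset:     Ruleset whose enabled rules are indexed by path
        """
        # Organize rules by path
        self.ruleset = ruleset
        self.rules = {}
        for filename in self.ruleset.rules:
            for rule in self.ruleset.rules[filename]:
                if not rule.enabled:
                    continue
                try:
                    manage_dictionary(self.rules, rule.path, [])
                    self.rules[rule.path].append(rule)
                except Exception as e:
                    print_exception(f'Failed to create rule {rule.filename}: {e}')

    def run(self, cloud_provider, skip_dashboard=False):
        """
        Evaluate every rule that applies to the provider's service list.

        :param cloud_provider:  Provider exposing ``services`` and ``service_list``
        :param skip_dashboard:  Store only the matched items, no dashboard fields
        :return:                None
        """
        rule_type = self.ruleset.rule_type

        # Clean up existing findings
        for service in cloud_provider.services:
            cloud_provider.services[service][rule_type] = {}

        # Process each rule
        for finding_path in self._filter_rules(self.rules, cloud_provider.service_list):
            for rule in self.rules[finding_path]:

                if not rule.enabled:  # or rule.service not in []: # TODO: handle this...
                    continue

                print_debug(f'Processing {rule.service} rule "{rule.description}" ({rule.filename})')
                path = rule.path.split('.')
                service = path[0]
                manage_dictionary(cloud_provider.services[service], rule_type, {})
                finding = {}
                cloud_provider.services[service][rule_type][rule.key] = finding
                finding['description'] = rule.description
                finding['path'] = rule.path
                for attr in ['level', 'id_suffix', 'class_suffix', 'display_path']:
                    if hasattr(rule, attr):
                        finding[attr] = getattr(rule, attr)
                try:
                    setattr(rule, 'checked_items', 0)
                    finding['items'] = recurse(cloud_provider.services, cloud_provider.services,
                                               path, [], rule, True)
                    if skip_dashboard:
                        continue
                    finding['dashboard_name'] = rule.dashboard_name
                    finding['checked_items'] = rule.checked_items
                    finding['flagged_items'] = len(finding['items'])
                    finding['service'] = rule.service
                    finding['rationale'] = getattr(rule, 'rationale', None)
                    finding['remediation'] = getattr(rule, 'remediation', None)
                    finding['compliance'] = getattr(rule, 'compliance', None)
                    finding['references'] = getattr(rule, 'references', None)
                except Exception as e:
                    print_exception(f'Failed to process rule defined in {rule.filename}: {e}')
                    # Fallback if process rule failed to ensure report creation and data dump still happen
                    finding['checked_items'] = 0
                    finding['flagged_items'] = 0
                    # Keep the entry well-formed for code that reads ['items']
                    # (RuleExceptions.process does) when recurse itself failed.
                    finding.setdefault('items', [])

    @staticmethod
    def _filter_rules(rules, services):
        """
        :param rules:       Dict of rules keyed by dotted path
        :param services:    Service names to keep
        :return:            The entries whose first path segment is in ``services``
        """
        return {rule_name: rule for rule_name, rule in rules.items() if rule_name.split('.')[0] in services}


================================================
FILE: ScoutSuite/core/rule.py
================================================
import json
import re

from ScoutSuite.core.fs import read_ip_ranges
from ScoutSuite.core.console import print_exception
from ScoutSuite.utils import format_service_name

ip_ranges_from_args = 'ip-ranges-from-args'

re_account_id = re.compile(r'_ACCOUNT_ID_')
re_ip_ranges_from_file = re.compile(r'_IP_RANGES_FROM_FILE_\((.*?)(,.*?)\)')
re_ip_ranges_from_local_file = re.compile(r'_IP_RANGES_FROM_LOCAL_FILE_\((.*?)(,.*?)\)')
re_strip_dots = re.compile(r'(_STRIPDOTS_\((.*?)\))')

testcases = [
    {
        'name': 'account_id',
        'regex': re_account_id
    },
    {
        'name': 'ip_ranges_from_file',
        'regex': re_ip_ranges_from_file
    },
    {
        'name': 'ip_ranges_from_local_file',
        'regex': re_ip_ranges_from_local_file
    }
]


class Rule:

    def to_string(self):
        """Return ``str(vars(self))``."""
        return str(vars(self))

    def __init__(self, data_path, filename, rule_type, rule):
        """
        :param data_path:   Folder that ``_INCLUDE_(...)`` files are read from
        :param filename:    Rule file name; key into the rule definitions
        :param rule_type:   Stored as ``self.rule_type``
        :param rule:        Dict of settings taken from the ruleset entry
        """
        self.data_path = data_path
        self.filename = filename
        self.rule_type = rule_type
        self.enabled = bool(self.get_attribute('enabled', rule, False))
        self.level = self.get_attribute('level', rule, '')
        self.args = self.get_attribute('args', rule, [])
        self.conditions = self.get_attribute('conditions', rule, [])
        self.key_suffix = self.get_attribute('key_suffix', rule, None)

    @staticmethod
    def get_attribute(name, rule, default_value):
        """Return ``rule[name]`` if present, else ``default_value``."""
        return rule[name] if name in rule else default_value

    def set_definition(self, rule_definitions, attributes=None, ip_ranges=None, params=None):
        """
        Update every attribute of the rule by setting the argument values as necessary

        :param rule_definitions:    Mapping of file name to an object exposing
                                    ``string_definition`` (the rule's JSON text)
        :param attributes:          Definition keys to copy onto the rule; all when empty
        :param ip_ranges:           Files used for ``ip-ranges-from-args``
        :param params:              Values for special test cases, keyed by test
                                    case name (e.g. ``account_id``)
        :return:                    None; failures are reported through print_exception
        """
        attributes = [] if attributes is None else attributes
        ip_ranges = [] if ip_ranges is None else ip_ranges
        params = {} if params is None else params
        try:
            string_definition = rule_definitions[self.filename].string_definition
            # Load condition dependencies
            definition = json.loads(string_definition)
            definition['conditions'] += self.conditions
            loaded_conditions = []
            for condition in definition['conditions']:
                if condition[0].startswith('_INCLUDE_('):
                    include = re.findall(r'_INCLUDE_\((.*?)\)', condition[0])[0]
                    # new_conditions = load_data(include, key_name = 'conditions')
                    # NOTE(review): the include name is taken from the rule
                    # file and appended to data_path as is; only load rule
                    # files from a trusted location.
                    rules_path = f'{self.data_path}/{include}'
                    with open(rules_path) as f:
                        new_conditions = f.read()
                        for (i, value) in enumerate(condition[1]):
                            new_conditions = re.sub(condition[1][i], condition[2][i], new_conditions)
                        new_conditions = json.loads(new_conditions)['conditions']
                    loaded_conditions.append(new_conditions)
                else:
                    loaded_conditions.append(condition)
            definition['conditions'] = loaded_conditions
            string_definition = json.dumps(definition)
            # Set parameters
            # NOTE(review): arguments are spliced into the JSON text without
            # escaping, so an argument holding a double quote changes the
            # structure that is parsed back below.
            parameters = re.findall(r'(_ARG_([a-zA-Z0-9]+)_)', string_definition)
            for param in parameters:
                index = int(param[1])
                if len(self.args) <= index:
                    string_definition = string_definition.replace(param[0], '')
                elif type(self.args[index]) == list:
                    value = '[ %s ]' % ', '.join('"%s"' % v for v in self.args[index])
                    string_definition = string_definition.replace('"%s"' % param[0], value)
                else:
                    string_definition = string_definition.replace(param[0], self.args[index])
            # Strip dots if necessary
            stripdots = re_strip_dots.findall(string_definition)
            for value in stripdots:
                string_definition = string_definition.replace(value[0], value[1].replace('.', ''))
            definition = json.loads(string_definition)
            # Set special values (IP ranges, AWS account ID, ...)
            for condition in definition['conditions']:
                # A two-element entry used to get past "len == 1" and raise
                # IndexError on condition[2], which discarded the whole rule.
                if type(condition) != list \
                        or len(condition) < 3 \
                        or type(condition[2]) == list \
                        or type(condition[2]) == dict:
                    continue
                for testcase in testcases:
                    result = testcase['regex'].match(condition[2])
                    if result and (testcase['name'] == 'ip_ranges_from_file' or
                                   testcase['name'] == 'ip_ranges_from_local_file'):
                        filename = result.groups()[0]
                        conditions = result.groups()[1] if len(result.groups()) > 1 else []
                        # TODO :: handle comma here...
                        if filename == ip_ranges_from_args:
                            prefixes = []
                            for filename in ip_ranges:
                                prefixes += read_ip_ranges(filename, local_file=True, ip_only=True,
                                                           conditions=conditions)
                            condition[2] = prefixes
                            break
                        else:
                            local_file = True if testcase['name'] == 'ip_ranges_from_local_file' else False
                            condition[2] = read_ip_ranges(filename, local_file=local_file, ip_only=True,
                                                          conditions=conditions)
                            break
                    elif result:
                        condition[2] = params[testcase['name']]
                        break

            if len(attributes) == 0:
                attributes = [attr for attr in definition]
            for attr in attributes:
                if attr in definition:
                    setattr(self, attr, definition[attr])
            if hasattr(self, 'path'):
                self.service = format_service_name(self.path.split('.')[0])
            if not hasattr(self, 'key'):
                setattr(self, 'key', self.filename)
            setattr(self, 'key', self.key.replace('.json', ''))
            if self.key_suffix:
                setattr(self, 'key', f'{self.key}-{self.key_suffix}')
        except Exception as e:
            print_exception(f'Failed to set definition {self.filename}: {e}')


================================================
FILE: ScoutSuite/core/rule_definition.py
================================================
import json
import os

from ScoutSuite.core.console import print_error, print_exception


class RuleDefinition:

    def __init__(self, data_path, file_name=None, rule_dirs=None, string_definition=None):
        """
        :param data_path:           Folder holding the built-in rule files
        :param file_name:           Rule file to load
        :param rule_dirs:           Extra folders searched before the built-in ones
        :param string_definition:   JSON text used when no ``file_name`` is given
        """
        rule_dirs = [] if rule_dirs is None else rule_dirs
        self.rules_data_path = data_path
        self.file_name = file_name
        self.rule_dirs = rule_dirs
        self.rule_types = ['findings', 'filters']
        if self.file_name:
            self.load()
        elif string_definition:
            self.string_definition = string_definition
            self.load_from_string_definition()
        else:
            print_error('Error')

    def __str__(self):
        """Return the description as a banner followed by the other attributes."""
        description = getattr(self, 'description')
        dlen = len(description)
        padding = (80 - dlen) // 2 if dlen < 80 else 0
        value = '-' * 80 + '\n' + ' ' * padding + ' %s' % description + '\n' + '-' * 80 + '\n'
        quiet_list = ['descriptions', 'rule_dirs', 'rule_types', 'rules_data_path', 'string_definition']
        value += '\n'.join(
            '{}: {}'.format(attr, str(getattr(self, attr))) for attr in vars(self) if attr not in quiet_list)
        value += '\n'
        return value

    def load(self):
        """
        Load the definition of the rule, searching in the specified rule dirs first, then in the built-in definitions

        :return:                        None
        """
        file_name_valid = False
        rule_type_valid = False
        file_path = None
        # Look for a locally-defined rule
        # NOTE(review): file_name is joined to each folder as given, so an
        # absolute name or '..' segments select a file outside that folder.
        for rule_dir in self.rule_dirs:
            try:
                file_path = os.path.join(rule_dir, self.file_name) if rule_dir else self.file_name
            except Exception as e:
                print_exception('Failed to load file {}: {}'.format(self.file_name, str(e)))
                # file_path is unset or stale at this point; try the next folder
                continue
            if os.path.isfile(file_path):
                self.file_path = file_path
                file_name_valid = True
                break
        # Look for a built-in rule
        if not file_name_valid:
            for rule_type in self.rule_types:
                if self.file_name.startswith(rule_type):
                    self.file_path = os.path.join(self.rules_data_path, self.file_name)
                    rule_type_valid = True
                    file_name_valid = True
                    break
            if not rule_type_valid:
                for rule_type in self.rule_types:
                    self.file_path = os.path.join(self.rules_data_path, rule_type, self.file_name)
                    if os.path.isfile(self.file_path):
                        file_name_valid = True
                        break
            else:
                if os.path.isfile(self.file_path):
                    file_name_valid = True
        if not file_name_valid:
            print_error('Error: could not find %s' % self.file_name)
        else:
            try:
                with open(self.file_path) as f:
                    self.string_definition = f.read()
                    self.load_from_string_definition()
            except Exception as e:
                print_exception('Failed to load rule defined in {}: {}'.format(self.file_name, str(e)))

    def load_from_string_definition(self):
        """
        Parse ``self.string_definition`` and copy each key onto the instance.

        :return:                        None
        """
        try:
            definition = json.loads(self.string_definition)
            # NOTE(review): every key becomes an attribute, including names
            # this class already uses (file_path, rule_dirs, ...).
            for attr in definition:
                setattr(self, attr, definition[attr])
        except Exception as e:
            print_exception('Failed to load string definition {}: {}'.format(self.string_definition, str(e)))


================================================
FILE: ScoutSuite/core/ruleset.py
================================================
import json
import os
import tempfile

from ScoutSuite.core.console import print_debug, print_error,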
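prompt_yes_no, print_exception
from ScoutSuite.core.rule import Rule
from ScoutSuite.core.rule_definition import RuleDefinition

aws_ip_ranges_filename = 'ip-ranges.json'
ip_ranges_from_args = 'ip-ranges-from-args'


class Ruleset:
    """
    A ruleset file loaded into Rule objects, with their definitions.

    :ivar rules:                        Rules defined in the ruleset, keyed by rule file name
    :ivar rule_definitions:             Definition of all rules found
    """

    def __init__(self, cloud_provider, environment_name='default', filename=None, name=None, rules_dir=None,
                 rule_type='findings', ip_ranges=None, account_id=None, ruleset_generator=False):
        """
        :param cloud_provider:      Provider name; selects ``providers/<name>/rules``
        :param environment_name:    Used to look for ``ruleset-<name>.json``
        :param filename:            Ruleset file; resolved with ``find_file``
        :param name:                Ruleset name; defaults to the file's base name
        :param rules_dir:           Extra folders holding rule definitions
        :param rule_type:           Stored as ``self.rule_type``
        :param ip_ranges:           Passed on to each rule's ``set_definition``
        :param account_id:          Passed on as the ``account_id`` parameter
        :param ruleset_generator:   Prepare the rules for the ruleset generator
        """
        rules_dir = [] if rules_dir is None else rules_dir
        ip_ranges = [] if ip_ranges is None else ip_ranges

        self.rules_data_path = os.path.dirname(
            os.path.dirname(os.path.abspath(__file__))) + '/providers/%s/rules' % cloud_provider

        self.environment_name = environment_name
        self.rule_type = rule_type
        # Ruleset filename
        self.filename = self.find_file(filename)
        if not self.filename:
            self.search_ruleset(environment_name)
        print_debug('Loading ruleset %s' % self.filename)
        self.name = os.path.basename(self.filename).replace('.json', '') if not name else name
        self.load(self.rule_type)
        self.shared_init(ruleset_generator, rules_dir, account_id, ip_ranges)

    def to_string(self):
        """Return ``str(vars(self))``."""
        return str(vars(self))

    def shared_init(self, ruleset_generator, rule_dirs, account_id, ip_ranges):
        """
        Load the rule definitions (once) and prepare the rules.

        :param ruleset_generator:   Prepare only description, key and rationale
        :param rule_dirs:           Extra folders holding rule definitions
        :param account_id:          Value of the ``account_id`` parameter
        :param ip_ranges:           Passed on to ``prepare_rules``
        :return:                    None
        """
        # Load rule definitions
        if not hasattr(self, 'rule_definitions'):
            self.load_rule_definitions(ruleset_generator, rule_dirs)

        # Prepare the rules
        params = {'account_id': account_id}
        if ruleset_generator:
            self.prepare_rules(attributes=['description', 'key', 'rationale'], params=params)
        else:
            self.prepare_rules(ip_ranges=ip_ranges, params=params)

    def load(self, rule_type, quiet=False):
        """
        Open a JSON file defining a ruleset and load it into a Ruleset object

        :param rule_type:   Rule type given to every Rule that is created
        :param quiet:       Do not report a missing file
        :return:            None
        """
        if self.filename and os.path.exists(self.filename):
            try:
                with open(self.filename) as f:
                    ruleset = json.load(f)
                    self.about = ruleset['about'] if 'about' in ruleset else ''
                    self.rules = {}
                    for filename in ruleset['rules']:
                        self.rules[filename] = []
                        for rule in ruleset['rules'][filename]:
                            self.handle_rule_versions(filename, rule_type, rule)
            except Exception as e:
                print_exception(f'Ruleset file {self.filename} contains malformed JSON: {e}')
                # NOTE(review): the failure paths store a list while a loaded
                # ruleset is a dict; prepare_rules indexes it by file name.
                self.rules = []
                self.about = ''
        else:
            self.rules = []
            if not quiet:
                print_error('Error: the file %s does not exist.' % self.filename)

    def load_rules(self, file, rule_type):
        """
        Load a ruleset from an already open file object.

        :param file:        Seekable file object holding the ruleset JSON
        :param rule_type:   Rule type given to every Rule that is created
        :return:            None
        """
        file.seek(0)
        ruleset = json.load(file)
        # Same default as load(): a ruleset without 'about' is still usable
        self.about = ruleset.get('about', '')
        self.rules = {}
        for filename in ruleset['rules']:
            self.rules[filename] = []
            for rule in ruleset['rules'][filename]:
                self.handle_rule_versions(filename, rule_type, rule)

    def handle_rule_versions(self, filename, rule_type, rule):
        """
        For each version of a rule found in the ruleset, append a new Rule object

        :param filename:    Rule file name the rule belongs to
        :param rule_type:   Rule type given to the Rule
        :param rule:        Ruleset entry; its ``versions`` key is removed
        :return:            None
        """
        if 'versions' in rule:
            versions = rule.pop('versions')
            for version_key_suffix in versions:
                version = versions[version_key_suffix]
                version['key_suffix'] = version_key_suffix
                tmp_rule = dict(rule, **version)
                self.rules[filename].append(Rule(self.rules_data_path, filename, rule_type, tmp_rule))
        else:
            self.rules[filename].append(Rule(self.rules_data_path, filename, rule_type, rule))

    def prepare_rules(self, attributes=None, ip_ranges=None, params=None):
        """
        Update the ruleset's rules by duplicating fields as required by the HTML ruleset generator

        :param attributes:  Passed to ``Rule.set_definition``
        :param ip_ranges:   Passed to ``Rule.set_definition``
        :param params:      Passed to ``Rule.set_definition``
        :return:            None
        """
        attributes = [] if attributes is None else attributes
        ip_ranges = [] if ip_ranges is None else ip_ranges
        params = {} if params is None else params
        for filename in self.rule_definitions:
            if filename in self.rules:
                for rule in self.rules[filename]:
                    rule.set_definition(self.rule_definitions, attributes, ip_ranges, params)
            else:
                # Definitions that the ruleset does not list get a disabled rule
                self.rules[filename] = []
                new_rule = Rule(self.rules_data_path, filename, self.rule_type, {'enabled': False, 'level': 'danger'})
                new_rule.set_definition(self.rule_definitions, attributes, ip_ranges, params)
                self.rules[filename].append(new_rule)

    def load_rule_definitions(self, ruleset_generator=False, rule_dirs=None):
        """
        Load definition of rules declared in the ruleset

        :param ruleset_generator:   Also list every rule found in ``rule_dirs``
                                    and in the built-in findings folder
        :param rule_dirs:           Extra folders holding rule definitions
        :return:                    None
        """
        # Work on a copy: the built-in folder is appended below and must not
        # leak into the list owned by the caller.
        rule_dirs = [] if rule_dirs is None else list(rule_dirs)

        # Load rules from JSON files
        self.rule_definitions = {}
        for rule_filename in self.rules:
            # NOTE(review): nesting reconstructed from the flattened listing;
            # as laid out here this inner loop has no effect and a definition
            # is loaded for every rule file. Confirm against the repository.
            for rule in self.rules[rule_filename]:
                if not rule.enabled and not ruleset_generator:
                    continue
            self.rule_definitions[os.path.basename(rule_filename)] = RuleDefinition(self.rules_data_path,
                                                                                    rule_filename,
                                                                                    rule_dirs=rule_dirs)
        # In case of the ruleset generator, list all available built-in rules
        if ruleset_generator:
            rule_dirs.append(self.rules_data_path + '/findings')
            rule_filenames = []
            for rule_dir in rule_dirs:
                rule_filenames += [f for f in os.listdir(rule_dir) if os.path.isfile(os.path.join(rule_dir, f))]
            for rule_filename in rule_filenames:
                if rule_filename not in self.rule_definitions:
                    self.rule_definitions[os.path.basename(rule_filename)] = RuleDefinition(self.rules_data_path,
                                                                                            rule_filename)

    def search_ruleset(self, environment_name, no_prompt=False):
        """
        Select ``ruleset-<environment_name>.json`` if present and accepted, else the default ruleset.

        :param environment_name:    Environment name to look for
        :param no_prompt:           Use a matching ruleset without asking
        :return:                    None; the result is stored in ``self.filename``
        """
        ruleset_found = False
        if environment_name != 'default':
            ruleset_file_name = 'ruleset-%s.json' % environment_name
            ruleset_file_path = os.path.join(self.rules_data_path, 'rulesets/%s' % ruleset_file_name)
            if os.path.exists(ruleset_file_path):
                if no_prompt or prompt_yes_no(
                        "A ruleset whose name matches your environment name was found in %s. "
                        "Would you like to use it instead of the default one" % ruleset_file_name):
                    ruleset_found = True
                    self.filename = ruleset_file_path
        if not ruleset_found:
            self.filename = os.path.join(self.rules_data_path, 'rulesets/default.json')

    def find_file(self, filename, filetype='rulesets'):
        """
        Resolve a ruleset / rule file name to a path.

        :param filename:    Path or bare name; returned unchanged if it is a file
        :param filetype:    Sub-folder tried for bare names
        :return:            The resolved name (it may still not exist)
        """
        if filename and not os.path.isfile(filename):
            # Not a valid relative / absolute path, check Scout's data under findings/ or filters/
            if not filename.startswith('findings/') and not filename.startswith('filters/'):
                filename = f'{filetype}/{filename}'
            if not os.path.isfile(filename):
                filename = os.path.join(self.rules_data_path, filename)
            if not os.path.isfile(filename) and not filename.endswith('.json'):
                filename = self.find_file('%s.json' % filename, filetype)
        return filename


class TmpRuleset(Ruleset):

    def __init__(self, cloud_provider, rule_dirs=None, rule_filename=None, rule_args=None, rule_level='danger'):
        """
        Build a temporary ruleset made of a single enabled rule.

        :param cloud_provider:  Provider name; selects ``providers/<name>/rules``
        :param rule_dirs:       Extra folders holding rule definitions
        :param rule_filename:   Rule file the ruleset consists of
        :param rule_args:       Arguments for that rule
        :param rule_level:      Level given to that rule
        """
        super().__init__(cloud_provider)
        rule_dirs = [] if rule_dirs is None else rule_dirs
        rule_args = [] if rule_args is None else rule_args
        self.rule_type = 'findings'
        tmp_ruleset = {'rules': {}, 'about': 'Temporary, single-rule ruleset.'}
        tmp_ruleset['rules'][rule_filename] = []
        rule = {'enabled': True, 'level': rule_level}
        if len(rule_args):
            rule['args'] = rule_args
        tmp_ruleset['rules'][rule_filename].append(rule)
        self.rules_data_path = os.path.dirname(
            os.path.dirname(os.path.abspath(__file__))) + '/providers/%s/rules' % cloud_provider
        # The temporary file used to stay open for the life of the process;
        # it is only needed while load_rules reads it back.
        with tempfile.TemporaryFile('w+t') as tmp_ruleset_file:
            tmp_ruleset_file.write(json.dumps(tmp_ruleset))
            self.load_rules(file=tmp_ruleset_file, rule_type='findings')
        # NOTE(review): super().__init__ has already set rule_definitions, so
        # shared_init does not load definitions again here; confirm intended.
        self.shared_init(False, rule_dirs, '', [])


================================================
FILE: ScoutSuite/core/server.py
================================================
from sqlitedict import SqliteDict
import cherrypy
import cherrypy_cors
import re

count_re = re.compile(r".*_count$")


class Server:
    """
    Boots a server that serves the result of the report for the user. This is still a proof of concept,
    but will eventually be used to serve data when it exceeds 400mb.

    NOTE(review): the handlers below return report data to whoever can reach
    the listener and perform no authentication themselves; check the address
    the server is bound to before exposing it beyond the local machine.
    """

    def __init__(self, filename):
        """
        Constructor of the server object. Should not be called directly outside the class.

        :param filename:                Name of the file to write data to.
        :return:                        The server object.
        """
        self.results = SqliteDict(filename)

    @cherrypy.expose()
    @cherrypy.tools.json_out()
    def summary(self):
        """
        Returns the stripped down data of the results that doesn't scale up when using a lot of resources,
        used to render the summary. Should be the first call from the server.
        Can be found at GET /api/summary

        :return:                        The summary data of the report.
        """
        data = dict(self.results)
        # A report without 'services' yields an empty summary, not a 500
        services = data.get('services') or {}
        stripped_services = {}
        for k1, v1 in services.items():
            service = {}
            for k2, v2 in v1.items():
                if k2 == 'findings' or k2 == 'filters' or count_re.match(k2):
                    service[k2] = v2
            stripped_services[k1] = service
        data['services'] = stripped_services
        return {'data': data}

    @cherrypy.expose()
    @cherrypy.tools.json_out()
    def data(self, key=None):
        """
        Return the data at the requested key, without nested dictionaries and lists.
        A dictionary is returned as {'type': 'dict', 'keys': [...]} and
        a list as {'type': 'list', 'length': N}.
        Can be found at GET /api/data?key=...

        :param key:                     Key of the requested information, separated by the character '¤'.
        :return:                        The data at the requested location stripped of its nested data.
        """
        result = self.get_item(self.results, key)
        # Returns only indexes or length if it's a complex type
        if isinstance(result, (dict, SqliteDict)):
            result = {'type': 'dict', 'keys': list(result.keys())}
        elif isinstance(result, list):
            result = {'type': 'list', 'length': len(result)}
        return {'data': result}

    @cherrypy.expose()
    @cherrypy.tools.json_out()
    def full(self, key=None):
        """
        Return the data at the requested key, including all the nested data.
        Be sure not to use it on a key that may contains a lot of data, as the request won't be answered
        if it's too large(generally 3mb).
        Can be found at GET /api/full?key=...

        :param key:                     Key of the requested information, separated by the character '¤'.
        :return:                        The data at the requested location.
        """
        result = self.get_item(self.results, key)
        # Lists, floats and None cannot go through dict(); return them as they are
        if result is None or isinstance(result, (str, int, float, list)):
            return {'data': result}
        return {'data': dict(result)}

    @cherrypy.expose()
    @cherrypy.tools.json_out()
    def page(self, key=None, page=None, pagesize=None):
        """
        Return a page of the data at the requested key, without nested dictionaries and lists.
        For example, pagesize=10 and page=2 returns the elements from index 20 up to, not including, 30
        (the slice starts at page * pagesize).
        Can be found at GET /api/page?key=...&page=...&pagesize=...

        :param key:                     Key of the requested information, separated by the character '¤'.
        :param page:                    The number of the page you request.
        :param pagesize:                The size of the page you request.
        :return:                        A subset of the data at the requested location.
        :raises cherrypy.HTTPError:     400 if page or pagesize is missing, not an integer or negative.
        """
        result = self.get_item(self.results, key)

        # Both values come straight from the query string: reject what cannot
        # be a page window instead of failing with a 500 or slicing backwards.
        try:
            page_number = int(page)
            page_size = int(pagesize)
        except (TypeError, ValueError):
            raise cherrypy.HTTPError(400, 'page and pagesize must be integers')
        if page_number < 0 or page_size < 0:
            raise cherrypy.HTTPError(400, 'page and pagesize must not be negative')

        start = page_number * page_size
        end = min((page_number + 1) * page_size, len(result))

        # NOTE(review): for a value that is neither dict nor list the page
        # number itself is passed on, as before; confirm that is intended.
        window = page_number
        if isinstance(result, (dict, SqliteDict)):
            window = {k: result.get(k) for k in sorted(list(result))[start:end]}
        if isinstance(result, list):
            window = result[start:end]

        return {'data': self.strip_nested_data(window)}

    @staticmethod def init(database_filename, host, port): """ Configure and starts the server. :param database_filename: Location of the database file. :param host: Address on which to listen. :param port: Port on which to listen.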
""" cherrypy_cors.install() config = { '/': { 'cors.expose.on': True, 'tools.sessions.on': True, 'tools.response_headers.on': True, 'tools.response_headers.headers': [('Content-Type', 'text/plain')], }, } cherrypy.config.update({ 'server.socket_host': host, 'server.socket_port': port, }) cherrypy.quickstart(Server(database_filename), "/api", config=config) @staticmethod def get_item(data, key): """ Get a specific information from its key. :param data: The dictionary in which the information is stored. :param host: The key where the information is located. :return: The nested data at the requested location. """ if not key: return data keyparts = key.split('¤') for k in keyparts: if isinstance(data, dict) or isinstance(data, SqliteDict): data = data.get(k) elif isinstance(data, list): data = data[int(k)] return data @staticmethod def strip_nested_data(data): """ Strip nested lists and dictionaries from the provided object to reduce its size. :param data: The object to strip. :return: The input data stripped of its nested lists and dictionaries. """ if not isinstance(data, dict): return data result = {} for k, v in data.items(): if isinstance(v, dict): result[k] = {'type': 'dict', 'keys': list(v.keys())} elif isinstance(v, list): result[k] = {'type': 'list', 'length': len(v)} return result ================================================ FILE: ScoutSuite/core/utils.py ================================================ """ Single-service rule processing functions """ import copy from ScoutSuite.core.console import print_exception from ScoutSuite.core.conditions import pass_conditions, fix_path_string def recurse(all_info, current_info, target_path, current_path, config, add_suffix=False): """ Recursively test conditions for a path. In order to do this, needs to evaluate all the `id` possibilities. When the value in the path is `id`, this represents either a key for a dict or an index for a list. 
When the is `id`: - For a dict return value at key - For a list, return the list When the value ends in `id.`: - For a dict, return a list of keys - For a list, return value at the index indicated by id ` :param all_info: All of the services' data :param current_info: ? :param target_path: The path that is being tested :param current_path: :param config: The Rule object that is being tested :param add_suffix: ? :return: """ results = [] if len(target_path) == 0: # Dashboard: count the number of processed resources here setattr(config, 'checked_items', getattr(config, 'checked_items') + 1) # Test for conditions... if pass_conditions(all_info, current_path, copy.deepcopy(config.conditions)): # id_suffix if add_suffix and hasattr(config, 'id_suffix'): suffix = fix_path_string(all_info, current_path, config.id_suffix) current_path.append(suffix) # class_suffix if add_suffix and hasattr(config, 'class_suffix'): suffix = fix_path_string(all_info, current_path, config.class_suffix) current_path.append(suffix) results.append('.'.join(current_path)) # Return the flagged items... return results target_path = copy.deepcopy(target_path) dbg_target_path = copy.deepcopy(target_path) current_path = copy.deepcopy(current_path) attribute = target_path.pop(0) if type(current_info) == dict: if attribute in current_info: split_path = copy.deepcopy(current_path) split_path.append(attribute) results = results + recurse(all_info, current_info[attribute], target_path, split_path, config, add_suffix) elif attribute == 'id': for key in current_info: split_target_path = copy.deepcopy(target_path) split_current_path = copy.deepcopy(current_path) split_current_path.append(key) split_current_info = current_info[key] results = results + recurse(all_info, split_current_info, split_target_path, split_current_path, config, add_suffix) # To handle lists properly, I would have to make sure the list is properly ordered and I can use the index to # consistently access an object... 
Investigate (or do not use lists) elif type(current_info) == list: for index, split_current_info in enumerate(current_info): split_current_path = copy.deepcopy(current_path) split_current_path.append(str(index)) results = results + recurse(all_info, split_current_info, copy.deepcopy(target_path), split_current_path, config, add_suffix) # Python 2-3 compatible way to check for string type elif isinstance(current_info, str): split_current_path = copy.deepcopy(current_path) results = results + recurse(all_info, current_info, [], split_current_path, config, add_suffix) else: print_exception('Unable to recursively test condition for path {}: ' 'unhandled case for \"{}\" type'.format(current_path, type(current_info)), additional_details={'current_path': current_path, 'current_info': current_info, 'dbg_target_path': dbg_target_path}) return results ================================================ FILE: ScoutSuite/data/aws/ip-ranges/aws-in-ec2.json ================================================ { "source": "aws/ip-ranges/aws.json", "conditions": [ "and", [ "service", "equal", "EC2" ] ] } ================================================ FILE: ScoutSuite/data/aws/ip-ranges/aws-in-us.json ================================================ { "source": "aws/ip-ranges/aws.json", "conditions": [ "and", [ "region", "match", [ "us-.*" ] ] ] } ================================================ FILE: ScoutSuite/data/aws/ip-ranges/aws.json ================================================ { "syncToken": "1662013390", "createDate": "2022-09-01-06-23-10", "prefixes": [ { "ip_prefix": "3.2.34.0/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.34.37.64/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "13.34.65.64/27", "region": "il-central-1", 
"service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "13.34.66.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.78.160/27", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.230.221.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "35.180.0.0/16", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "43.224.79.154/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.174/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.153.170/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.234/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.36.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.219.170.0/23", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "99.87.32.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "120.52.22.96/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.11.86/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.81.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.234.54/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.35.64/26", "region": "sa-east-1", 
"service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.11.32/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.34.24.160/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.50.32/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.52.96/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.69.64/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.39.60/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.79.48/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.212/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.68/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.189.248/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.152.9/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.219.168.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.78.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.108.0.0/14", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.43.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.52.0/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.64.32/27", "region": 
"eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.181.232.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "15.230.39.208/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.93.17.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.127.163/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.240.164/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.150.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.219.60.0/23", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "142.4.160.136/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "150.222.230.102/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.2.0.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "13.34.43.96/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.48.0/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.62.160/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.64.96/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.248.56.0/22", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.248.117.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { 
"ip_prefix": "15.221.34.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.137.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.135/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.178.219/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.186/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.24.0/23", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.3.187/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.199.0/25", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.252.248/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "161.188.154.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-chi-1" }, { "ip_prefix": "13.34.71.0/27", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.230.39.44/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.249.45.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.4.0.0/14", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.174/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.92.68/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.27/32", "region": "eu-west-1", "service": "AMAZON", 
"network_border_group": "eu-west-1" }, { "ip_prefix": "52.144.227.192/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.144.229.64/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.222.88.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "64.252.81.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "142.4.160.80/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-chi-1" }, { "ip_prefix": "13.34.70.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.70.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.73.192/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "43.224.76.28/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "50.16.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.108/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.116.148/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.127.133/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.198.0/25", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.95.208.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.224.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "104.255.59.104/32", "region": 
"ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "104.255.59.114/32", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "150.222.84.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.129.244/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.208.82/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.234.50/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "205.251.249.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.32.128/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.49.0/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.73.96/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.193.3.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.220.196.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "15.220.216.0/22", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1-del-2" }, { "ip_prefix": "35.71.115.0/24", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "43.224.76.152/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.169/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.153.148/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": 
"eu-west-2" }, { "ip_prefix": "52.94.244.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.119.208.0/23", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "54.117.0.0/16", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.240.236.26/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "150.222.3.190/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.228.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.34.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.197.34.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.205.0.0/16", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.230.39.10/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "16.12.6.0/23", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.46.190.68/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.82.169.16/28", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.34.56/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.198.16/28", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.144.225.128/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.69.0/24", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "71.131.192.0/18", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "150.222.122.104/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.17.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.236.0.0/14", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.197.36.0/22", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.230.158.0/23", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "16.57.0.0/16", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "43.206.0.0/15", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "43.224.77.192/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.220.0/22", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.93.50.128/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.140/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.56.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.152/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.41.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.100.0/22", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.95.226.0/24", "region": 
"ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.219.204.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "99.78.152.0/22", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "142.4.160.56/29", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1" }, { "ip_prefix": "150.222.135.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "150.222.202.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "176.32.125.244/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.4.0.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-6" }, { "ip_prefix": "13.34.53.192/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.60.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.177.83.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.185.0.0/16", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.220.252.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1" }, { "ip_prefix": "15.221.35.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.39.28/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.248.28.0/22", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "16.30.0.0/16", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, 
{ "ip_prefix": "16.49.0.0/16", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "40.167.0.0/16", "region": "ap-southeast-6", "service": "AMAZON", "network_border_group": "ap-southeast-6" }, { "ip_prefix": "52.46.190.0/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.35.212/32", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.93.127.118/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.205/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.26.0/23", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.152.44/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.182.0/23", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "54.240.236.54/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.247.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.248.0.0/15", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.2.40.0/25", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.41.192/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.248.72.0/24", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "15.230.39.196/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.251.0.9/32", "region": "ap-southeast-2", "service": "AMAZON", 
"network_border_group": "ap-southeast-2" }, { "ip_prefix": "16.155.0.0/16", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "18.34.248.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "35.71.99.0/24", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "43.224.76.76/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.70/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.200/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.192/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.119.252.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.148.0.0/15", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "69.107.7.16/29", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "99.77.130.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.3.185/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.11.78/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.27.12/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.52/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.68/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "180.163.57.128/26", "region": 
"GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.50.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.68.192/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "18.200.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.76.144/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.91.102/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.141.212/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.21.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.206.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.240.236.69/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.150.56.0/21", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "108.175.56.0/22", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "150.222.96.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.15.32/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.29.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.68.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.69.224/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": 
"13.34.70.64/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.248.124.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.193.2.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.220.222.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "15.230.67.64/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.212.0/23", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "16.22.0.0/16", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "16.24.0.0/15", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "43.224.76.32/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.94/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.222/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.136/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.219.192.0/23", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.77.132.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "104.255.59.82/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.120.242/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "161.188.146.0/23", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "13.204.0.0/14", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.181.247.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "15.230.200.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.232.0.0/14", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.0/29", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.82.169.0/28", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.112.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.138/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.0.224/28", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "54.239.48.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.118.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "142.4.160.144/29", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1-tpe-1" }, { "ip_prefix": "13.34.54.224/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.79.192/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.248.119.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.220.120.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-bue-1" }, { "ip_prefix": "15.230.39.254/31", 
"region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.179.16/29", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.93.81.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.240.170/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.74.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.15.124/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.114.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "150.222.242.214/31", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.34.27.32/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.39.32/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "15.220.207.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "15.230.39.206/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.244/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "18.102.0.0/16", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.46.190.144/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.98/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.83.0.0/16", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": 
"52.93.14.18/32", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.6.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.144.197.192/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.122.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "69.107.7.56/29", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "150.222.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.3.234/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.27.18/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.164.220/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.23.0/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.248.67.0/24", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "15.230.138.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "15.230.169.6/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.254/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.32/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.47.0.0/16", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.93.16.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": 
"eu-west-1" }, { "ip_prefix": "52.94.249.144/28", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.95.136.0/23", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.95.255.64/28", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.144.199.128/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.144.225.64/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.219.143.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "54.240.236.22/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "204.246.168.0/22", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.25.248/29", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.38.64/27", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "13.34.72.160/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.208.0.0/16", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.193.7.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.39.108/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.70.0/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.230.74.128/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.230.76.0/26", "region": "eu-south-1", "service": 
"AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.230.253.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "43.224.79.96/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.64/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.136/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.166/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.96.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.122.203/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.127.194/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.156.0.0/14", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.222.90.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.236.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.150.8.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.234.18/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.98/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.5.40.0/22", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "3.5.136.0/22", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.3.160/27", "region": "ap-south-2", 
"service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "15.181.160.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-nyc-1" }, { "ip_prefix": "15.230.29.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.39.14/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "16.56.0.0/16", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "18.191.0.0/16", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.79.56/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.210.0/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "98.131.0.0/16", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "99.77.159.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.83.97.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.232.88/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.21.128/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "13.34.55.0/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.177.82.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.181.80.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "15.230.241.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "16.55.0.0/16", 
"region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "47.128.0.0/14", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.46.191.60/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.156/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.112/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.178.134/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.160/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.144.211.196/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.219.72.0/22", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.153.128.0/17", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.222.58.0/28", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "122.248.192.0/18", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.119.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.19.64/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.22.160/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.39.64/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.247.0.0/16", "region": "af-south-1", "service": "AMAZON", 
"network_border_group": "af-south-1" }, { "ip_prefix": "15.230.39.34/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.218.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.192.0.0/15", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "35.71.114.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.46.191.68/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.234/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.126.132/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.127.126/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.133.177/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.178.183/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.215.192/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.219.68.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.229.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.239.1.96/28", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.239.102.234/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "104.255.59.103/32", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": 
"150.222.28.136/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.2.34.128/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.59.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.67.224/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.74.64/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.248.100.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.230.130.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.183.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "18.160.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.190.204/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.5.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.93.50.146/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.156/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.55.146/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.71.30/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.120.178/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.124/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": 
"52.144.193.128/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.20.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.250.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.89.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "69.107.7.136/29", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "76.223.168.0/24", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "107.20.0.0/14", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.28.130/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.28.140/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.129.62/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.5.160.0/22", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.7.0/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.13.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.221.36.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.40.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "46.51.192.0/20", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.50.174/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": 
"us-east-1" }, { "ip_prefix": "52.93.115.0/24", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "52.93.178.161/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.193.200/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.95.174.0/24", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "99.77.149.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "99.78.156.0/22", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.120.20/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.220.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.132.0.0/14", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.3.224/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.5.46/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.39.192/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "15.221.7.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.4.164/31", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.230.132.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.202.0/30", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.251.0.27/32", "region": "il-central-1", "service": 
"AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "43.224.79.194/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.208.0/21", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.93.51.28/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.12.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.187.0/24", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "63.32.0.0/14", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.85.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "150.222.3.240/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.129.134/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.45.160/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.71.224/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.36.0.0/14", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.230.36.0/23", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.39.54/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.93.91.101/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.240.188/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "70.232.80.0/21", "region": "ap-southeast-4", 
"service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "99.82.184.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "150.222.28.108/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.121.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.234.34/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "172.96.98.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.20.0/27", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "13.34.35.160/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "15.177.94.0/24", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "43.224.76.188/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.136/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.189.140/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.252.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.198/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.94.152.67/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.255.16/28", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.219.141.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": 
"54.240.236.38/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "150.222.3.198/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.55.64/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.71.32/27", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.230.0.12/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.87.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.236.0.0/15", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "51.20.0.0/14", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.46.188.72/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.188.244/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.230/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.142/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.104/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.240.192/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.249.80/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.139.0/24", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "54.240.198.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": 
"us-west-1" }, { "ip_prefix": "64.252.74.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "99.77.183.0/24", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "150.222.227.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.230.130/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.29.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.52.64/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.248.32.0/20", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.94.199.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.128.0/21", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.119.206.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.79.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.28.106/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "161.188.148.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-phx-1" }, { "ip_prefix": "176.32.125.230/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "205.251.252.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.11.128/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.20.64/27", "region": "me-south-1", "service": "AMAZON", 
"network_border_group": "me-south-1" }, { "ip_prefix": "13.34.23.224/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.67.64/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.248.113.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.188.0.0/16", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.230.39.220/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.251.4/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.116.0.0/14", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.46.189.16/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.235/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.127.218/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.239/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.133.153/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.178.231/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.178.0/23", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "54.200.0.0/15", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.239.1.16/28", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "185.143.16.0/24", "region": "eu-west-1", 
"service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "205.251.244.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.36.0/22", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.38.160/27", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "13.34.65.0/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "13.34.68.0/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.251.0/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "16.20.0.0/16", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "18.34.32.0/20", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.77.28/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.92.0/22", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.46.190.104/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.158/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.178/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.188/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.236.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.239.98.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "176.32.125.228/31", "region": 
"us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.30.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.152/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.188.84/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.32/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.189.156/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.100/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.187/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.119.176.0/21", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.144.0.0/14", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.169.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.240.236.74/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "63.246.113.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.136.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.230.104/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "161.188.158.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-nyc-1" }, { "ip_prefix": "13.34.26.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": 
"15.230.74.192/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.230.78.192/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "35.71.118.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.76.184/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.69/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.193.199/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.93.240.148/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.104.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.119.249.0/24", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "54.222.91.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "64.252.72.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.85.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.245.122/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.35.224/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.69.0/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.178.0/24", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.230.192.0/24", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.58/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.120/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.121/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.240.194/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.168.0/24", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "52.144.224.128/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.192.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.239.0.16/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.0.96/28", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.77.148.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.34.37.0/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "13.248.110.0/24", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.197.32.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.230.39.40/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.251.0.7/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "43.224.76.104/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": 
"43.224.76.212/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.40/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.228/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.71.38/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.240.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.219.16.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "75.101.128.0/17", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.3.242/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.129.122/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "176.32.125.234/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "204.246.173.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.4.3.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-pilot-1" }, { "ip_prefix": "15.222.0.0/15", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "16.180.0.0/16", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "43.224.79.198/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.62.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.93.127.127/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": 
"ap-south-1" }, { "ip_prefix": "52.94.176.0/20", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "69.235.128.0/18", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "150.222.129.149/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.142/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.41.0/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.6.224/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.24.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.43.128/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.61.224/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.73.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.221.50.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.96.0.0/12", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.20.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.127.96/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.144.192.0/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.112.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "204.236.128.0/18", "region": "us-west-1", "service": "AMAZON", 
"network_border_group": "us-west-1" }, { "ip_prefix": "3.5.208.0/22", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.30.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.34.64/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.45.64/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.46.0/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.177.76.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.230.135.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.77.96/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.180/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.52/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.30.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.46.188.76/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.80/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.71.27/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.8.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.249.64/28", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.92.0.0/17", "region": "ap-northeast-1", "service": "AMAZON", 
"network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.154.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.76.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "67.202.0.0/18", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "103.246.148.0/23", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.120.230/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.230.92/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.232.123/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.56/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "161.188.156.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1" }, { "ip_prefix": "3.3.24.0/22", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.30.0.0/15", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "13.34.23.64/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.32.0/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.181.253.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "15.197.0.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.34.0.0/19", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "35.71.119.0/24", "region": 
"ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "43.249.47.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.46.188.48/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.55.156/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.226.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.230.200.0/21", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "162.250.237.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.112.0.0/14", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.144.0.0/13", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.5.14/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.49.224/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.77.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.24/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.166/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.128.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.244.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.187.128.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "64.252.111.0/24", "region": 
"ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.82.188.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "136.9.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "172.96.110.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.2.37.128/26", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.34.56.224/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.71.96/27", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.34.79.128/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.230.18.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.149.11/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "18.231.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.79.136/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.8/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.127.201/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.141.234/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.152.182/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.252.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { 
"ip_prefix": "120.253.240.192/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.3.182/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.28.142/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.79.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.224.0.0/12", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.40.160/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.68.0/24", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "15.230.39.2/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "16.157.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "35.71.104.0/24", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "35.71.117.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "43.224.79.208/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.162/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.184/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.229.149/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.240.178/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.216.0/21", "region": "eu-west-1", "service": "AMAZON", "network_border_group": 
"eu-west-1" }, { "ip_prefix": "52.144.192.192/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.196.192/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "54.221.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.240.202.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.255.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.230.106/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.45.224/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.230.72.0/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.46.190.40/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.62/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.34.126/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.159/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.141.220/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.119.248.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.144.205.0/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.0.144/28", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "99.77.56.0/21", "region": "ap-northeast-1", "service": "AMAZON", 
"network_border_group": "ap-northeast-1" }, { "ip_prefix": "142.4.160.40/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "150.222.120.248/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.129.132/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.25.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.228.0.0/15", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.14.18/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.128/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.192/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.57.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "52.93.127.93/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.127.254/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.95.63.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "69.107.7.40/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.83.102.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "142.4.160.8/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "150.222.3.212/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": 
"157.241.0.0/16", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "13.34.32.32/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.40.192/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.57.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.181.112.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "15.230.16.20/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.189.128/25", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "16.12.15.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.50/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.108/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.216/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.34.40/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.126.215/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.177/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.127.196/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.93.127.217/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.240.180/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" 
}, { "ip_prefix": "52.94.249.208/28", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "54.233.0.0/18", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "68.66.112.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "69.231.128.0/18", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "99.82.172.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.151.120.0/21", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "108.136.0.0/15", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "116.129.226.128/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.82.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.28.160/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.35.0/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "13.34.38.0/27", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "13.34.51.192/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.72.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.74.224/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "18.34.72.0/21", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "35.176.0.0/15", "region": "eu-west-2", "service": "AMAZON", 
"network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.234/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.193.195/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "54.239.112.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "70.224.192.0/18", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-lax-1" }, { "ip_prefix": "99.77.153.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "150.222.105.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "161.188.136.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "3.4.7.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.5.80/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.43.160/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.53.32/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.34.56.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.61.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.221.6.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.19.248/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.79.64/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "16.12.10.0/23", "region": "eu-north-1", 
"service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.219.148.0/23", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "69.107.7.88/29", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "99.77.155.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.3.176/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.252.250/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.40.96/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.34.46.32/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.53.160/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.57.0/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.75.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.80.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.67.0/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "43.224.76.16/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.82/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.189.220/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.127.179/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": 
"52.93.178.206/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.230/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.255.32/28", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.144.229.0/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "69.230.192.0/18", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "130.176.0.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.11.84/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.232.176/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.112/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.128/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "160.1.0.0/16", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.5.128.0/22", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.79.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.181.241.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "15.230.21.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.230.67.128/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "18.216.0.0/14", "region": "us-east-2", "service": "AMAZON", 
"network_border_group": "us-east-2" }, { "ip_prefix": "34.192.0.0/12", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.76.108/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.76/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.214/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.76/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.37.222/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.220/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.64.0/22", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "99.83.100.0/24", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "150.222.234.78/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.104.0.0/14", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.62.192/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.76.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.177.99.0/24", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "15.193.5.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.197.16.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.220.32.0/21", "region": "us-west-2", "service": 
"AMAZON", "network_border_group": "us-west-2-phx-1" }, { "ip_prefix": "15.230.39.24/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.162/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.184.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.106/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.176/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.80.0.0/16", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.93.71.46/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.250.16/28", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "52.95.216.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.119.232.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.201.128/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "64.252.121.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.150.32.0/21", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "108.156.0.0/14", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.99.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.218.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.234.104/31", "region": 
"us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "175.41.128.0/18", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "176.32.125.250/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.59.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.194/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.152.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.46.189.68/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.167/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.215/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.108.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.68.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.133.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "161.188.130.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "13.34.37.96/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "13.34.76.96/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.193.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.229.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" 
}, { "ip_prefix": "52.46.189.72/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.148/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.174/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.127.238/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.178.182/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.68.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.192.0/20", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.144.230.204/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.219.195.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.219.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.28.122/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.232.122/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.32.0.0/16", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.230.0.6/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "35.182.0.0/15", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "43.224.76.24/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.77.44/30", "region": "us-east-1", "service": 
"AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.178/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.122.255/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.230.192.0/21", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "70.232.124.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.191.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.72.0/23", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.26.0/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.62.32/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.250.0.0/15", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.39.104/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.79.80/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "44.192.0.0/11", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.132/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.168/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.127.17/32", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.93.127.99/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.95.166.0/23", "region": "ap-southeast-4", "service": 
"AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "52.144.216.2/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "150.222.129.148/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.208.66/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.34.26.64/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.58.32/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.70.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.136/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.226/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.251.0.10/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.215.0/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.144.215.196/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.240.236.78/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "64.252.102.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "64.252.108.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "69.107.6.200/29", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "87.238.80.0/21", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": 
"99.77.156.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "161.188.140.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "13.34.2.0/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.12.64/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.46.192/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.60.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.78.64/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.230.243.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.46.191.2/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.129/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.147/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.169.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.222.0.0/19", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.239.0.112/28", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.239.8.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.240.204.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "99.86.0.0/16", "region": "GLOBAL", "service": "AMAZON", 
"network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.203.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "207.171.176.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.13.160/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.21.96/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.168.0.0/16", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.230.14.252/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.32.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.39.192/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.79.0/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "43.224.77.184/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.189.160/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.179/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.240.236.18/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.77.138.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "150.222.5.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.120.62/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "162.250.238.0/23", "region": 
"us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "178.236.0.0/20", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.5.152.0/21", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.37.160/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "15.230.39.72/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "18.224.0.0/14", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.76.180/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.74/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.56.0.0/16", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.55.162/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.92.74/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.248/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.153.149/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.170/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.223/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.233.70/31", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "54.240.212.0/22", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": 
"54.245.0.0/16", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "142.4.160.0/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "150.222.100.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.21.160/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "13.34.24.64/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.27.0/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.33.64/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.48.192/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.72.64/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.248.105.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "16.12.16.0/23", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.230.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.46.189.88/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.188/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.58.0.0/15", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.50.130/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.121.195/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { 
"ip_prefix": "52.93.127.25/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.218.0.0/17", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.176.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.30.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.40.128/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.62.224/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.74.32/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.248.0.0/20", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.230.39.174/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.240/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.93.127.219/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.153.177/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.94.152.63/32", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.29.0/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.144.228.0/31", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.219.142.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "99.77.152.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { 
"ip_prefix": "150.222.217.248/31", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.131.0.0/16", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.29.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.53.224/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "13.34.59.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.63.0/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.34.74.96/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.220.80.0/20", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1-tpe-1" }, { "ip_prefix": "15.230.39.158/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.73.128/26", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.46.191.88/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.236/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.122.202/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.127.18/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.195/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.219.0.0/20", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.240.248.0/21", "region": "us-west-2", "service": "AMAZON", 
"network_border_group": "us-west-2" }, { "ip_prefix": "69.107.6.120/29", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.208.74/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.234.1/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "176.32.125.252/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.7.32/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.133.26/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.46.189.100/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.124/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.130/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.0.0/20", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "98.80.0.0/12", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.5/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "157.152.0.0/16", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "205.251.246.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.96.0.0/15", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "13.34.10.128/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.78.224/27", "region": "me-south-1", 
"service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.220.48.0/21", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1-waw-1" }, { "ip_prefix": "15.230.197.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.79.190/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.176/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.108/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.178.157/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.168/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.32.0/20", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.216.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "69.107.3.184/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.3.232/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.122.106/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.232.126/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.6/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.5.252.0/22", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "13.34.18.192/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { 
"ip_prefix": "15.220.232.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1-ccu-2" }, { "ip_prefix": "23.20.0.0/14", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.168.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.228/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.91.115/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.151.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.94.248.80/28", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.64.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.143.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "104.255.59.133/32", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "3.4.1.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-3" }, { "ip_prefix": "13.34.42.192/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.62.64/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.56.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.16.196/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.39.4/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.30/31", "region": "us-east-2", "service": "AMAZON", 
"network_border_group": "us-east-2" }, { "ip_prefix": "15.251.0.28/32", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "18.184.0.0/15", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.46.190.212/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.125.43/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.131/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.178.185/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.154/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.240.236.45/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "72.21.192.0/19", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "161.188.128.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "205.251.200.0/21", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.13.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.79.0/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.230.39.12/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.242/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.141.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "15.230.162.0/24", "region": "us-east-1", "service": 
"AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.168.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.251.6/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "35.160.0.0/13", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.194.0.0/16", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.46.191.148/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.48.0.0/14", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.124.97/32", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.94.152.11/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.198.80/28", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "99.77.137.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "150.222.232.116/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "223.71.71.128/25", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.2.38.128/26", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.75.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.77.64/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.112.0.0/14", "region": "ap-northeast-1", 
"service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.181.144.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "15.230.39.66/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.89.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "35.71.96.0/24", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "43.200.0.0/14", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "43.224.77.92/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.96/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.68.0.0/15", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.144.231.64/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.67.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.82.173.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.59.224/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.181.254.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "15.230.72.192/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "16.156.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.60.0.0/15", "region": "ap-south-2", "service": "AMAZON", "network_border_group": 
"ap-south-2" }, { "ip_prefix": "52.57.0.0/16", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.126.123/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.124.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.211.192/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "99.151.80.0/21", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "120.253.245.128/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.3.180/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.98.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.101.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.120.234/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.36.0.0/14", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.34.1.0/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.5.110/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.224.0.0/14", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "43.224.76.88/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.32.184/32", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "52.93.50.176/31", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1" }, { "ip_prefix": "52.93.121.197/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.127.24/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.209/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.119.240.0/21", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.239.0.80/28", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.240.216.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.82.128.0/20", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "99.82.166.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.234.110/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "161.188.142.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "13.34.51.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.73.160/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.248.97.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.190.0.0/16", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.82.168.0/24", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.55.152/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.143/32", 
"region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.222.58.48/28", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "104.255.59.119/32", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "150.222.129.252/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.213.40/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.242.84/31", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "162.213.232.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.63.32/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.230.39.18/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.204.2/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.30/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.250/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.92/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.236/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.218/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.91.96/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "104.255.59.134/32", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { 
"ip_prefix": "150.222.11.92/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.5.224/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.22.96/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.31.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.39.96/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.34.56.160/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.62.0/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.197.8.0/22", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.230.39.154/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.70.192/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.71.72.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.77.176/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.72/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.152/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.73.0/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.91.105/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.92.72/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, 
{ "ip_prefix": "52.93.178.137/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.198.144/28", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.94.208.0/21", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.227.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.7.0.0/16", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "54.68.0.0/14", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.93.0.0/16", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "70.132.0.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.11.90/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.230.124/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.26/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.56.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.58.0/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.66.128/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "13.34.68.32/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.50.0.0/16", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.251.0.12/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { 
"ip_prefix": "16.21.0.0/16", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.44.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.76.128.0/17", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.55.144/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.219.32.0/21", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.95.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.212.0.0/15", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "99.87.4.0/22", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "150.222.3.177/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.69.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.234.84/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.252.246/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "184.32.0.0/12", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "3.5.228.0/22", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.34.3.128/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.30.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.63.128/27", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1" }, { "ip_prefix": "13.34.65.160/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "15.158.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.181.176.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-chi-1" }, { "ip_prefix": "15.220.202.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "15.230.19.12/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.133.16/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.149.8/31", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "43.224.79.196/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.8.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.91.111/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.123.255/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.124.213/32", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.94.152.65/32", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "142.4.160.128/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "150.222.3.236/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.124.0.0/14", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": 
"13.34.47.0/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.181.48.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "15.230.4.19/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.76.136/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.116/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.82.176.0/22", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.240.150/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.144.194.192/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.183.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.240.236.33/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.240.236.49/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.83.120.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "142.4.160.64/29", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "3.24.0.0/14", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.58.64/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.68.96/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.197.18.0/23", "region": "GLOBAL", "service": "AMAZON", 
"network_border_group": "GLOBAL" }, { "ip_prefix": "15.230.219.0/24", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "52.46.190.202/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.210/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.133.133/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.95.34.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.144.225.0/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "54.240.236.10/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "104.255.59.130/32", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "150.222.13.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.120.252/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "205.251.247.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.39.0/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.77.96/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.249.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.193.6.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.212/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.65.0/26", "region": 
"eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "35.71.113.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "43.224.79.38/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.127.182/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.152.177/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "64.252.103.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "142.4.160.24/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "150.222.28.126/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.122.102/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.132/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.116.0.0/14", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.56.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.177.86.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.221.8.0/21", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.221.49.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.76.128/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.230.91.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": 
"ca-central-1" }, { "ip_prefix": "15.230.208.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "16.52.0.0/16", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "18.144.0.0/15", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "18.238.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.244.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.188.36/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.90.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.91.114/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.123.6/32", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.93.127.105/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.138.253/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.213/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.144.0/23", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.157.0/24", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.144.208.192/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "108.175.52.0/22", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "136.18.18.0/24", "region": "eu-central-1", "service": "AMAZON", 
"network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.3.226/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.208.88/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.232.224/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.30.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.34.0/27", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.34.76.0/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.220.64.0/20", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1-waw-1" }, { "ip_prefix": "15.230.4.166/31", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.230.173.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.230.190.128/25", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.251.0.0/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.0.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.88/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.82.184.0/23", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.193.198/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.93.250.0/23", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": 
"52.95.176.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "52.95.253.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.239.120.0/21", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "140.179.0.0/16", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "142.4.160.120/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "150.222.3.200/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "205.251.208.0/20", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "208.110.48.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.37.0/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.33.35.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.45.128/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.189.96/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.184/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.12.12/32", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.255.128/28", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.208.0.0/13", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.239.0.208/28", "region": "ap-south-1", "service": "AMAZON", "network_border_group": 
"ap-south-1" }, { "ip_prefix": "99.77.0.0/20", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "103.246.150.0/23", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.10.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.14/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.126/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.3.28.0/22", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.22.192/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.48.224/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.120.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.230.39.170/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.76.64/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "16.62.0.0/15", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "43.224.77.108/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.226/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.136/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.54.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.3.0/24", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1" }, { "ip_prefix": "52.93.55.158/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.153.179/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.95.230.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-lax-1" }, { "ip_prefix": "54.222.80.0/21", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.240.225.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.240.236.85/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.78.212.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "104.255.59.138/32", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "150.222.3.208/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.106.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.129.118/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.230.108/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.5.48.0/22", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "15.220.152.0/21", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1-ham-1" }, { "ip_prefix": "15.230.77.64/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.165.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": 
"eu-west-2" }, { "ip_prefix": "15.230.177.0/31", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "15.251.0.5/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "43.224.79.128/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.74.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.50.182/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.168.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.239.54.0/23", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.129.154/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.217.250/31", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.11.192/27", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.34.31.160/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.54.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.64.64/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.177.89.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.4.156/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.14.17/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.156.0.0/14", "region": 
"eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "43.224.76.92/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.214/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.10/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.144/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.82.170.0/24", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.126.244/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.133.129/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.95.24.0/22", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.140.0/23", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "52.119.196.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.218.64/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.113.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "79.125.0.0/17", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.134.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "99.78.144.0/21", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "3.2.41.128/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { 
"ip_prefix": "13.34.22.88/29", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.35.192/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.214.0.0/15", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.177.77.0/24", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.177.90.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "16.26.0.0/16", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "43.224.79.34/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.84/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.224.0/20", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.93.91.100/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.146/32", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "52.95.156.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "54.180.0.0/15", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "99.77.253.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.71.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.120.228/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.4.6.0/24", "region": "us-west-2", "service": 
"AMAZON", "network_border_group": "us-west-2-pilot-3" }, { "ip_prefix": "13.34.16.128/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.60.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.177.79.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.220.208.128/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "15.230.39.122/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.133.18/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.210.0/23", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "16.12.2.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.77.24/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.112/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.118/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.190/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.160.0/23", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "54.64.0.0/15", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "56.156.0.0/16", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "103.8.172.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" 
}, { "ip_prefix": "150.222.122.92/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.230.98/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "176.34.0.0/19", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.25.64/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.36.224/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.44.0/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.152/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.184/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.215.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "35.71.120.0/24", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "35.80.0.0/12", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.80/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.194/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.210/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.219.62.0/23", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "69.107.6.216/29", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.147.0/24", "region": "me-south-1", "service": "AMAZON", 
"network_border_group": "me-south-1" }, { "ip_prefix": "150.222.208.76/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.34.28.224/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.29.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.36.160/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.34.45.0/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.66.160/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "13.34.71.160/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.73.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.79.160/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.220.144.0/23", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1-ham-1" }, { "ip_prefix": "15.230.39.118/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.65.64/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "16.54.0.0/16", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "18.186.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.79.42/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.64/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.144/31", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.176/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.148/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.184/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.182/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.223.0.0/16", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.239.0.48/28", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.239.1.224/28", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "54.239.64.0/21", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "65.9.128.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.77.129.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "108.175.60.0/22", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "150.222.3.186/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.122.94/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.108/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.64.192/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "15.220.200.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": 
"15.230.39.46/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.68/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.133.22/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "35.71.128.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "43.204.0.0/15", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "43.224.79.162/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "46.51.224.0/19", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.46.190.76/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.71.40/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.124.96/32", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.93.124.212/32", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.95.111.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.179.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.240.203.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "67.220.240.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "130.176.128.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.134.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": 
"eu-west-2" }, { "ip_prefix": "3.2.38.192/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "3.3.8.0/21", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.16.96/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.34.50.0/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.53.0/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.248.127.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.46.189.200/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.66/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.224.64/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.170.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.82.171.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.164.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.220.96.0/20", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1-han-1" }, { "ip_prefix": "15.221.33.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.230.39.92/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.51.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.64.0/26", "region": "ap-southeast-3", "service": "AMAZON", 
"network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.230.75.192/26", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.230.81.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "35.71.98.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.46.191.128/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.159/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.189/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.166/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.151.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.144.200.64/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.211.128/26", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.144.233.192/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "70.232.88.0/22", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "99.77.131.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "104.255.59.122/32", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "150.222.3.178/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.129.112/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": 
"3.5.240.0/22", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.34.31.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.134/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.49.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "35.71.112.0/24", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "35.153.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.76.148/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.78/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.61.0.0/16", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.79.0.0/16", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.93.71.44/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.127.113/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.137.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.231.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.150.48.0/21", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.89.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "150.222.164.222/32", "region": "eu-west-1", "service": "AMAZON", 
"network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.45.96/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.96.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.221.32.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.126/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.65.128/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.185.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.188.128/25", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.46.191.104/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.182/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.250/32", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.93.127.155/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.158.0/23", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.144.192.128/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.233.128/31", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.240.236.34/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.82.144.0/21", "region": "me-south-1", 
"service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "99.82.169.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "150.222.80.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.234.100/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.220.228.0/22", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1-ccu-2" }, { "ip_prefix": "15.230.64.192/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "16.158.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.76.208/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.12.0.0/15", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.71.45/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.126.245/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.133.175/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.240.202/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.220.0.0/15", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.239.1.128/28", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "162.250.236.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.4.8.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.50.128/27", 
"region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.67.160/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.75.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.78.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.140/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.251.0.2/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "18.163.0.0/16", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "43.224.76.168/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.76.192/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.189.176/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.182/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.250.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.34.122/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.168/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.5.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.144.228.128/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.144.230.206/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": 
"52.219.210.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.199.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.141.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.205.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.16.160/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.230.39.50/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.146/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.69.64/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "18.142.0.0/15", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "46.137.192.0/19", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.46.188.24/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.91.112/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.181/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.200.0.0/13", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.219.96.0/20", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.223.0.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.222.32.0/22", "region": "cn-north-1", "service": "AMAZON", 
"network_border_group": "cn-north-1" }, { "ip_prefix": "64.252.123.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.151.112.0/21", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.164.208/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "205.251.232.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.51.224/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.65.128/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "13.34.77.32/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.230.39.32/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.214.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.34.64.0/21", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "34.224.0.0/12", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.75.0.0/16", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.82.160.0/22", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.144.215.194/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "99.78.128.0/20", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "99.82.164.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.3.238/31", "region": "ap-southeast-1", 
"service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.28.132/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.31.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.72.64/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "52.46.188.136/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.138/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.141.228/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.153.80/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.182.128/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.95.148.0/23", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "58.254.138.0/25", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.33.0/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.177.66.0/23", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.133.20/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.77.124/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.221/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.248.224/28", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": 
"52.95.162.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.95.255.48/28", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.218.0.0/16", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.215.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.5.76.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.40.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.41.64/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.54.128/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.197.4.0/22", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "16.168.0.0/15", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "16.176.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.46.191.238/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.133.155/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.141.213/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.16.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.144.195.0/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.78.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { 
"ip_prefix": "13.34.37.128/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "15.181.0.0/20", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "15.230.164.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.79.242/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.250.192.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.124.211/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.126.133/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.239.102.232/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.113.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.117.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.151.104.0/21", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.151.128.0/21", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "176.32.112.0/21", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.63.224/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.66.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.153.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.71.102.0/24", "region": "us-east-2", "service": 
"AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.46.189.40/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.164/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.120.179/32", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.240.196/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.144.209.192/26", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.144.218.0/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.240.236.5/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.80.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.5.44.0/22", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.41.224/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.42.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.44.224/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.47.64/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.39.124/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.200/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "40.172.0.0/14", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.64.0/24", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.80.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.127.70/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.94.69.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.94.120.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.144.133.32/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.239.40.152/29", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.240.236.1/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.77.188.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.28.18/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.21.64/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.29.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.47.224/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.79.64/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.248.121.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.39.166/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.46.191.212/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.192/32", "region": "us-west-1", 
"service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.10.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "99.82.170.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.19.96/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.35.32/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "13.34.61.64/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.122.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.248.36.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.46.189.180/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.189.244/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.55.148/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.71.29/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.139/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.178.195/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.222/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.249.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "54.230.208.0/20", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.244.0.0/16", "region": 
"us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.87.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "99.82.174.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "104.255.59.123/32", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "150.222.3.244/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.3.250/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.129.152/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.217.228/30", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.234.74/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.11.224/27", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.34.54.64/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.59.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "46.137.224.0/19", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.95.42.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.219.180.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "65.0.0.0/14", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "99.82.156.0/22", "region": "GLOBAL", "service": "AMAZON", 
"network_border_group": "GLOBAL" }, { "ip_prefix": "99.150.80.0/21", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "104.255.59.126/32", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.5.45/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.32.64/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.63.96/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.76.84/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.76.96/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.76.124/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.77.128/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.116/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.178.133/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.224/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "63.246.112.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "63.246.119.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.122.96/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.140/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.5.111/32", "region": 
"eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.44.64/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.55.32/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.77.160/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.230.16.12/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.179.8/29", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.76.40/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "50.19.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.107/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.240.152/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.240.198/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.152.3/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.79.0.0/16", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "116.129.226.0/25", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.73.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.164.211/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.36.192/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": 
"13.34.66.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.251.0.3/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "44.224.0.0/11", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.189.60/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.124/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.130/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.81.0.0/16", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.93.120.177/32", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.93.135.195/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.222.128.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.104.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.129.19/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.33.96/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.38.128/27", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "13.34.61.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.221.4.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.110/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { 
"ip_prefix": "15.230.70.64/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.230.223.4/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.79.156/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.127.161/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.127.172/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.211.64/26", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "150.222.109.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "150.222.208.68/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "3.2.3.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "3.48.0.0/12", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.5.192/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.29.0/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.197.12.0/22", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "16.181.0.0/16", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "18.164.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.93.126.137/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.153.176/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": 
"eu-west-2" }, { "ip_prefix": "52.93.178.200/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.3.214/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.38.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.88/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.133.0/28", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "35.71.103.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "43.224.79.158/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.139/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.127.68/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.172.0/23", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "64.252.73.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "99.151.72.0/21", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "174.129.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.43.0/26", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "13.34.28.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.32.96/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.174.0/24", "region": "me-south-1", "service": 
"AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.251.0.20/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "35.71.110.0/24", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.46.189.168/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.72/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.34.120/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.198/32", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.93.134.181/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.141.238/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.211/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.255.80/28", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.101.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.87.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.129.140/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.4/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.80/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.42.64/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "13.34.0.160/27", 
"region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.19.192/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.38.96/27", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "15.230.31.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.71.31/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.153.169/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.169/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.22.0/24", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "52.95.255.112/28", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.240.236.2/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.83.84.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.129.248/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.36/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.42/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.32.128/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "13.34.28.64/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.32.160/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { 
"ip_prefix": "13.248.118.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.181.224.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "15.220.227.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1-del-2" }, { "ip_prefix": "15.230.4.162/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.208.0.0/13", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.216/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.142/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.131/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.240.204/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.245.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.240.17.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "99.77.142.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "99.77.187.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.78.232.0/21", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.177.73.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.221.51.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.230.189.0/25", "region": "eu-west-1", "service": "AMAZON", 
"network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.250.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "46.51.216.0/21", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.127.97/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.127.253/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.152.60/32", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.144.223.128/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.120.226/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.129.116/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.86/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.252.244/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "176.32.125.254/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.64.0/21", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.5.113/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.39.0/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.134.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.140.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": 
"43.249.44.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.46.189.8/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.75.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.93.123.98/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.101/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.127.114/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.94.152.180/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.94.248.32/28", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.144.233.68/31", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.219.40.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.219.136.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.220.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.78.240.0/20", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "100.20.0.0/14", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.74.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.232.125/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "176.32.125.236/31", "region": 
"us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.24.128/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.192/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.91.108/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.199/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.127.106/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.127.122/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.248.160/28", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "54.151.0.0/17", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.43.0/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.52.32/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.54.32/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.58.128/27", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.161.0.0/16", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "43.224.76.60/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.126/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.230/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": 
"52.93.129.95/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.141.214/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.193.196/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.94.132.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.222.52.0/22", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "64.252.110.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.77.158.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.35.64/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "18.188.0.0/16", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "18.252.0.0/16", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "43.224.76.64/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.110/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "46.51.128.0/18", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.46.188.44/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.188.204/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.141.232/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.165/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": 
"us-west-1" }, { "ip_prefix": "64.252.107.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "64.252.128.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.82.152.0/22", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "99.82.167.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.14.72/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.108.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.120.246/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.208.72/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "176.32.125.128/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "205.251.254.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.5.49/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.42.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.232.0.0/14", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.220.0.0/20", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "15.248.16.0/22", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "16.29.0.0/16", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.46.190.254/31", "region": "us-east-1", "service": 
"AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.124/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.180/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.142/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.229.148/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.95.243.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.28.116/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.208.84/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "3.5.132.0/23", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.53.0.0/16", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.248.114.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.177.88.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.184.0.0/16", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.220.56.0/21", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1-tpe-1" }, { "ip_prefix": "15.230.133.28/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.79.246/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.148/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.71.42/32", 
"region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.156/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.180/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.48.0/20", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.230.224.0/19", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.240.236.61/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.78.188.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "150.222.3.254/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.15.130/31", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.129.156/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.62/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "184.72.128.0/17", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "205.251.248.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.31.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.220.16.0/20", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1" }, { "ip_prefix": "16.154.0.0/16", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "52.93.127.115/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": 
"ap-southeast-1" }, { "ip_prefix": "69.107.7.72/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.3.246/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "161.188.134.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "3.2.41.64/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.0.128/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.1.32/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.5.13/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.41.160/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.51.128/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.57.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.51.0.0/16", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.230.39.38/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.168/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.204/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.93.127.197/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.93.127.207/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.80.0/20", "region": "ca-central-1", 
"service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.94.198.112/28", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.240.197.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "71.152.0.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.83.76.0/22", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "99.83.80.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "104.255.59.101/32", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.166.232.0/21", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "150.222.122.100/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "216.137.32.0/19", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.14.160/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.34.96/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "35.181.0.0/16", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "43.224.76.240/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.220/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.138.252/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.153.171/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.95.190.0/24", 
"region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "54.80.0.0/13", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.214.0.0/16", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.254.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.78.176.0/21", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "104.255.59.124/32", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "150.222.139.124/30", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.248.98.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.39.16/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.78/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.77.128/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.142.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.201.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.20.0.0/14", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.201.0/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.248.208/28", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.219.24.0/21", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { 
"ip_prefix": "69.107.6.168/29", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.82.161.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "150.222.120.250/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "204.246.172.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.152.0.0/13", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.76.64/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.80.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.244.0.0/15", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "43.224.79.32/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.68/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.189.196/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.197/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.248.48/28", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.242.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.151.88.0/21", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.234.24/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "177.72.240.0/21", "region": "sa-east-1", "service": "AMAZON", "network_border_group": 
"sa-east-1" }, { "ip_prefix": "216.182.238.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.168.0/23", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.6.192/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.48.32/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.49.128/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.75.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.0.4/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.16.17/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.167.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "18.168.0.0/14", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "34.208.0.0/12", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.15.0.0/16", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.93.127.237/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.178.226/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.209.128/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "99.83.101.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.224.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": 
"us-east-1" }, { "ip_prefix": "13.34.31.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.63.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.70.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.221.16.0/22", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.4.160/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.39.94/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.64.64/26", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.231.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.76.100/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.76.176/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.100/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.92/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.232/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.252/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.188.232/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.22/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.141.218/31", "region": "us-west-1", "service": "AMAZON", 
"network_border_group": "us-west-1" }, { "ip_prefix": "52.94.96.0/20", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.94.192.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "104.255.59.118/32", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "108.175.48.0/22", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "161.188.144.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "13.34.8.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.23.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.47.32/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.80.64/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.230.16.0/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.39.36/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.148.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.172.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.189.0.0/16", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "35.71.64.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.77.140/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.188.40/30", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.121.189/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.122.218/32", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.204/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.174/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.52.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.177.0/24", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "69.107.7.128/29", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "99.77.184.0/24", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "150.222.208.94/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.232.93/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.96/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.64.0.0/12", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.2.32/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.12.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.170.0/23", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "16.27.0.0/16", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": 
"18.88.0.0/18", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-dfw-2" }, { "ip_prefix": "52.93.127.178/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.254.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.175.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "52.219.164.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "70.232.64.0/20", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "99.82.175.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.83.88.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.87.16.0/20", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "120.52.39.128/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.28.120/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.232.160/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "162.213.234.0/23", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.55.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.57.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.220.136.0/21", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1-del-1" }, { "ip_prefix": "16.159.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": 
"ap-southeast-1" }, { "ip_prefix": "18.34.244.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "18.201.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.79.206/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.238/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.244/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.190/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.153.168/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.191/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.186.0/24", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "52.119.214.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.215.202/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.151.128.0/17", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.240.236.73/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.87.0.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "118.193.97.64/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.3.252/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.234.76/31", "region": "us-west-1", "service": 
"AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "208.86.88.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.20.96/27", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.230.14.248/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.74/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.186/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.90.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "18.175.0.0/16", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.76.120/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.190.208/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.216.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.127.203/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.208.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.228.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.240.236.13/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "142.4.160.48/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-nyc-1" }, { "ip_prefix": "150.222.208.90/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.213.41/32", "region": "us-west-1", 
"service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.65.192/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "15.220.146.0/23", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "43.224.76.140/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.76.248/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.126.205/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.127.147/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.133.181/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.95.246.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.215.2/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.239.1.80/28", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "99.83.64.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.234.64/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.48.0.0/15", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.230.39.56/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.182/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.230/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.76.20/30", 
"region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.142/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.228/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.189.36/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.76/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.60/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.64.0.0/17", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.71.41/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.239.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.119.210.0/23", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "104.255.59.132/32", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "150.222.129.69/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "195.17.0.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.5.128/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.33.160/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.221.24.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.188/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { 
"ip_prefix": "15.230.39.236/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.54.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "18.220.0.0/14", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.36.0.0/14", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.141/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.112.0/22", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.94.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "69.107.6.160/29", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.78.184.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "150.222.129.64/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.207.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "150.222.237.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.65.96/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "13.34.72.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.152.0.0/16", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.220.226.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "15.230.76.192/26", "region": "ap-northeast-1", "service": "AMAZON", 
"network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.77.0/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.169.4/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.104/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.127.180/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.193.197/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.93.248.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.94.198.48/28", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.95.228.0/24", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "54.222.128.0/17", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "96.127.0.0/17", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "136.18.20.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "161.188.132.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "3.4.16.0/21", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "13.34.25.192/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.37.192/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "15.221.53.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { 
"ip_prefix": "15.230.85.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.50.144/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.246/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.141.240/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.227/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.224.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.239.1.240/28", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "68.79.0.0/18", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "69.107.7.80/29", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "69.107.7.104/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.128.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.88.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "150.222.234.138/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "223.71.71.96/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.5.248.0/22", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "43.224.76.128/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.96/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": 
"us-west-2" }, { "ip_prefix": "52.46.191.126/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.18.179/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.126.147/32", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "52.94.152.62/32", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.94.196.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.215.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.226.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.230.112/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.71.64/27", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.230.240.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "18.182.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "43.218.0.0/16", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "52.46.189.112/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.175/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.230.208/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.152.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "176.32.125.240/31", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.8.0/21", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.16.192/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.26.192/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "16.53.0.0/16", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "16.179.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "18.178.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.46.191.54/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.71.37/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.126.234/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.178.131/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.217/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.164.0/23", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.144.208.128/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.144.213.64/26", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.202.0.0/15", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.240.208.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.150.120.0/21", "region": 
"me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "150.222.204.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.232.192/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.20/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.14.224/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.18.128/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.28.32/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.45.32/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.71.0/24", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.181.128.0/20", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-phx-1" }, { "ip_prefix": "15.230.39.138/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.224/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.69.0/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.230.217.0/24", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "16.12.8.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "16.170.0.0/15", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "18.132.0.0/14", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": 
"52.46.190.224/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.28/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.70.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.116.250/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.178.214/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.248.0/28", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.119.212.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.216.10/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.239.99.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "108.166.224.0/21", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.230.118/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.5.48/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.48.128/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.60.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.74.0/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.220.204.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "15.230.66.128/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { 
"ip_prefix": "43.224.79.186/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.188.240/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.210/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.71.28/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.123.11/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.232/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.110.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.240.236.62/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "150.222.115.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.230.51/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.130/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.14.192/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.177.70.0/23", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.39.98/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.248/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.78.128/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.236.0.0/15", "region": "eu-west-3", "service": "AMAZON", "network_border_group": 
"eu-west-3" }, { "ip_prefix": "18.154.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.188.248/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.64/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.36/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.168/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.19/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.216/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.247/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.178.135/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.211.198/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.219.160.0/23", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "54.222.71.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "64.252.84.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "99.77.254.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "184.72.0.0/18", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.78.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.80.224/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": 
"ap-south-1" }, { "ip_prefix": "13.125.0.0/16", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.248.24.0/22", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.248.103.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.197.28.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.230.39.52/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.160/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.69.128/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "35.71.100.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "43.195.0.0/16", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "43.224.76.56/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.54/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.200/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.55.160/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.208.0/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.193.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.222.59.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "70.232.92.0/22", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1" }, { "ip_prefix": "99.77.247.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.140.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.32/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.32.64/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.34.9.0/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.39.218/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.251.2/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.76.112/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.236/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.226/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.71.39/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.153.174/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.95.61.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.219.124.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.240.236.82/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.240.241.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "64.252.88.0/24", "region": "eu-central-1", 
"service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.48/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.122/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.235.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "176.32.125.232/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.5.15/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.248.16.0/21", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.181.245.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "15.230.39.82/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.210/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.46.191.20/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.222/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.240.156/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.144.208.2/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.46.0.0/16", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "54.240.128.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.240.236.6/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.151.96.0/21", 
"region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "104.255.59.88/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "150.222.12.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.116.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "205.251.250.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.5.47/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.177.97.0/24", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "15.230.39.216/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.133.24/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.149.10/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.230.247.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "35.71.68.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.8.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.46.191.48/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.92.64/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.121.196/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.126.145/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": 
"us-west-1" }, { "ip_prefix": "52.93.126.204/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.94.152.68/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.249.192/28", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "52.95.152.0/23", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.95.247.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.219.172.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.83.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "150.222.234.136/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.15.0/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.58.160/27", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.177.64.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.193.9.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.230.39.20/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.251.0.25/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.77.132/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.130/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "46.51.208.0/22", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.86.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.244/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.178.188/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.201/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.1.160/28", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "54.239.1.208/28", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "57.180.0.0/14", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.80.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "142.4.160.88/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "150.222.3.218/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.180.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "180.163.57.0/25", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.37.32/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "18.136.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.76.164/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "50.112.0.0/16", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": 
"52.93.91.113/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.97.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.206/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.139.250/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "76.162.0.0/15", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "150.222.234.10/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.33.64/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "3.2.35.192/26", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "3.2.43.64/26", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "3.3.16.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.40.64/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.212.0.0/15", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.197.128.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.220.233.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "15.230.39.114/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.150/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.71.64/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { 
"ip_prefix": "18.179.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "43.224.76.8/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.46/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.100/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.189.240/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.8/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.162/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.156.0/22", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.94.136.0/21", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.95.138.0/24", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.219.200.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.100.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.120.232/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.230.94/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "205.251.224.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.216.0/22", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "3.130.0.0/16", "region": "us-east-2", "service": "AMAZON", 
"network_border_group": "us-east-2" }, { "ip_prefix": "13.34.56.192/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.57.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.126.0.0/15", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.202.0.0/15", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.181.64.0/20", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "15.230.67.192/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.251.0.13/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.251.0.29/32", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "52.93.153.175/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.240.172/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.219.202.0/23", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.239.4.0/22", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "70.232.96.0/20", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "99.77.140.0/24", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "104.255.59.127/32", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "150.222.3.183/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": 
"150.222.232.128/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.39.128/26", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "13.34.5.78/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.39.222/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "16.16.0.0/16", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "40.180.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.76.80/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.96/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.56/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.14.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.94.198.64/28", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.119.216.0/21", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.222.89.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "150.222.129.242/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.230.114/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.11.0/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.34.64.128/27", "region": "ap-south-1", "service": "AMAZON", 
"network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.69.96/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.75.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.78.32/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.206.0.0/15", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.230.204.3/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "16.177.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "50.18.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.14.0.0/16", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.88.0/22", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.46.188.28/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.134/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.3.202/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.129.226/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.230.120/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "223.71.11.0/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.3.6.0/23", "region": "GLOBAL", 
"service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.16.224/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.64.224/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "15.230.16.18/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.68.0/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.204.0/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.216/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.186/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.63.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.120.176/32", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.93.178.167/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.172.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "71.137.0.0/22", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "136.18.21.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.11.88/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.239.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "176.34.64.0/18", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.5.146.0/23", 
"region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.37.224/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "13.34.73.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.128.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.230.160.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.71.109.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "43.224.77.188/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.82.128.0/19", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.93.121.187/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.127.94/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.127.200/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.152.183/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.95.255.96/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.83.98.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.150.88.0/21", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "142.4.160.16/29", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "150.222.83.0/24", "region": "ap-south-1", "service": "AMAZON", 
"network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.208.70/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.34.60.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.70.128/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.230.156.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.251.0.14/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "18.204.0.0/14", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "35.178.0.0/15", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.210/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.188.60/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.44/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.92/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.91.110/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.129/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.178.196/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.9.0/24", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.94.204.0/23", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.95.180.0/24", "region": "af-south-1", "service": 
"AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "54.88.0.0/14", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "75.2.0.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.78.192.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.3.206/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.41.96/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.74.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.252/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.116.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.144.215.200/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "64.252.119.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.212.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "208.86.90.0/23", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.68.64/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.72.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.77.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.181.248.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "15.230.39.22/31", "region": "us-east-2", 
"service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.252/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.188.0/25", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.251.0.21/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.34.252.0/22", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.29.0.0/16", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.46.190.72/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.52/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.92/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.127.175/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.15.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.95.35.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.95.62.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.144.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.144.194.64/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.144.209.0/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.240.236.57/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": 
"104.255.59.131/32", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "150.222.230.100/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.114/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.43.64/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.52.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.59.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "16.12.9.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "18.180.0.0/15", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "43.224.76.52/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "46.137.128.0/18", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.46.191.192/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.2.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.50.134/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.183/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.139.248/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.128/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.248.176/28", "region": "ap-northeast-2", "service": "AMAZON", 
"network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.95.184.0/23", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "54.230.0.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.230.128.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.28.104/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.230.110/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.118/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "3.2.32.192/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.4.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.26.32/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.28.128/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.39.128/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.34.48.160/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.246.0.0/16", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "15.221.2.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.4.154/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.79.128/26", "region": "ca-central-1", 
"service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.230.149.4/31", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.46.190.36/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.240/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.99.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.127.71/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.141.244/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.249.240/28", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.95.40.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.254.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.144.228.192/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "64.252.104.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "69.107.6.208/29", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "150.222.232.96/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.232.226/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "176.32.64.0/19", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.23.128/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { 
"ip_prefix": "13.34.41.128/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.47.192/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.54.0.0/15", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.200.0.0/15", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.248.48.0/21", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.230.246.0/24", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "15.248.24.0/22", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.46.188.252/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.164/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.18/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.131/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.193.202/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.95.142.0/23", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.95.235.0/24", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "52.95.241.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.144.233.64/31", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "54.239.128.0/18", "region": "GLOBAL", "service": 
"AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "64.252.66.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.82.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "99.77.144.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "99.78.160.0/21", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "130.176.224.0/20", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.11.74/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.28.128/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.72.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "150.222.120.224/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.232.114/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.12.0.0/16", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.124.0.0/16", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.230.144.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.157.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.181.0/24", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "16.28.0.0/16", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.71.111.0/24", 
"region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "36.103.232.128/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.84.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.93.122.131/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.255/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.133.131/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.94.18.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.94.248.144/28", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.192.0.0/15", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.219.194.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.116.0.0/16", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "99.150.72.0/21", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "150.222.110.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.234.12/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.3.5.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-4" }, { "ip_prefix": "13.34.46.160/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.14.20/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { 
"ip_prefix": "52.93.34.57/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.162/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.13.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.144.233.66/31", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "54.78.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "56.157.0.0/16", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "99.77.139.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.82.160.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.15.128/31", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.129.158/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.129.250/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.217.17/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "204.246.160.0/22", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.43.32/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.63.64/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.72.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.193.4.0/24", "region": "eu-central-1", 
"service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.71.0/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.230.203.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "35.71.116.0/24", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "43.224.76.36/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.222/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.92.70/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.158/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.239.106.0/23", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "71.132.0.0/18", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "99.150.40.0/21", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "150.222.120.240/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.232.118/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.33.128/26", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "3.5.212.0/23", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.5.220.0/22", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "13.34.5.81/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": 
"13.34.5.160/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.51.160/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.67.192/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.177.72.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.230.39.64/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.42.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.55.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "16.31.0.0/16", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "43.224.79.66/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.2.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.168/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.71.32/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.125/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.152.66/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.214.128/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.222.76.0/22", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "64.252.106.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": 
"103.4.8.0/21", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "104.255.59.105/32", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "150.222.3.228/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.28.17/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "176.32.96.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "184.72.64.0/18", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.41.192/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.34.160/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "13.34.46.224/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.248.108.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.251.0.15/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.124.14/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.126.206/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.240.146/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.108.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.193.0/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.78.168.0/23", "region": "eu-central-1", "service": "AMAZON", 
"network_border_group": "eu-central-1" }, { "ip_prefix": "108.166.248.0/21", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "143.204.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.91.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.17.0/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.19.224/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.42.224/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.67.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.181.192.0/19", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "52.93.55.166/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.123.136/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.144/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.154/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.162/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.23.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.95.48.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.219.120.0/22", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.222.66.0/23", "region": "cn-north-1", "service": 
"AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.240.232.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "69.107.7.48/29", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "99.77.190.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.78.228.0/22", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "150.222.3.189/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.143.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.234.28/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.35.128/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.34.56.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.106.0/24", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.230.133.17/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.204.1/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.220.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.253.0.0/16", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-lax-1" }, { "ip_prefix": "43.224.77.120/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.111/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.119.224.0/21", 
"region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.219.64.0/22", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "54.238.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.150.16.0/21", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.28.110/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.117.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "216.182.232.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.120.0.0/14", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.57.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.181.252.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "18.198.0.0/15", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "43.224.77.8/29", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.9.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.46.188.160/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.188/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.190.238/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.38.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": 
"52.94.152.69/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.216.4/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.219.128.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "69.107.7.0/29", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.77.141.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "150.222.196.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "3.33.44.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.36.0/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.42.160/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.248.20.0/22", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.251.0.8/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "27.0.0.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.46.180.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.188.80/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.180/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.98.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.146.5/32", "region": "sa-east-1", "service": "AMAZON", 
"network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.178.146/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.152.12/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.233.130/31", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "54.240.236.41/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "69.107.7.112/29", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.136.0.0/13", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.248.99.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.14.12/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.83.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.192.0.0/16", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "43.224.77.212/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.228/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.164/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.37.223/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.121.188/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.178.178/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.248.192/28", "region": 
"eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.240.236.94/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "150.222.223.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.44.32/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.248.112.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.39.26/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.145.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.239.115.0/25", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.120.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.3.179/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.3.192/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.28.138/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.5.144.0/23", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.34.35.96/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "15.230.14.22/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.131.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.182.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { 
"ip_prefix": "15.230.222.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.50.138/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.92.66/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.95/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.127.148/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.248.112/28", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "144.220.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.234.16/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.30/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.60.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.61.96/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.70.160/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.181.242.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "15.197.2.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.221.20.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.230.70.128/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.230.92.0/24", "region": "us-west-2", "service": "AMAZON", 
"network_border_group": "us-west-2" }, { "ip_prefix": "15.230.245.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.248.8.0/22", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.93.50.152/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.141.226/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.176/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.198.32/28", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "54.232.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "120.52.153.192/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.230.126/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "199.127.232.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.42.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.60.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.65.224/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "13.34.69.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.177.78.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.193.0.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.230.0.14/32", "region": "sa-east-1", "service": 
"AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.19.18/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.39.76/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.71.192/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.66.0.0/16", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.127.250/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.240.184/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.239.0.64/28", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "99.82.176.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.230.96/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "204.236.192.0/18", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.44.192/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.71.192/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.80.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "35.168.0.0/13", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.124/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.234/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.64.128.0/17", "region": 
"ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.127.120/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "104.255.59.136/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.234.3/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.10.160/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.46.128/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.55.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.209.0.0/16", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.181.40.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-nyc-1" }, { "ip_prefix": "18.34.48.0/20", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "18.34.232.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.140.0.0/15", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.79.28/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.248/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.224/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.60.0.0/16", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.78.0.0/16", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": 
"ap-northeast-2" }, { "ip_prefix": "52.93.116.149/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.178.129/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.145/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.193.192/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "69.107.3.176/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "72.44.32.0/19", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.28.105/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "205.251.236.0/22", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.100.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.52.192/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.181.16.0/20", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "15.181.96.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "15.221.3.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.248.32.0/22", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.92.0.0/17", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.127.202/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.240.236.46/32", "region": "eu-south-1", "service": 
"AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.150.112.0/21", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.58.0.0/15", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.76.200/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.84/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.189.204/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.51.29/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.199/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.119.152.0/22", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.194.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.240.244.0/22", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "69.107.7.96/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.102.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.5.44/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.21.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.67.96/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.1.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.160/31", "region": "us-east-1", "service": 
"AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.55.154/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.131.217/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.94.30.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "54.240.236.53/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.240.236.77/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.240.236.93/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "3.98.0.0/15", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "13.34.17.32/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.70.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.132/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.79.40/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.188/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.6/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.132/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.66.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "142.4.160.160/29", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1-del-1" }, { "ip_prefix": "150.222.15.126/32", 
"region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.129.255/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.116/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.236.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "162.222.148.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-lax-1" }, { "ip_prefix": "3.4.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-5" }, { "ip_prefix": "13.34.4.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.31.0/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.177.75.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.24.0/22", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.230.39.130/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.24.0.0/14", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.170.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.56.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.119.160.0/20", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.222.0.0/17", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "64.252.65.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { 
"ip_prefix": "119.147.182.0/25", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.9.32/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.62.96/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.248.65.0/24", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "15.251.0.23/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.79.164/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.218/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.224/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.188.140/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.42/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.69.0/24", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "52.93.141.242/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.151/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.210.192/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.144.233.134/31", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "54.239.1.144/28", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "120.232.236.0/25", "region": "GLOBAL", "service": "AMAZON", 
"network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.234.40/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.13.0.0/16", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.248.0.0/13", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.39.180/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.76.172/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.92.128.0/17", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.239.0.0/28", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.133.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "104.255.56.11/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "104.255.59.83/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.233.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "150.222.234.58/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.49.64/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.67.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.72.128/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.210.0.0/15", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "16.48.0.0/16", "region": "il-central-1", "service": "AMAZON", 
"network_border_group": "il-central-1" }, { "ip_prefix": "43.224.77.144/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.55.164/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.251/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.178.140/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.174/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.17.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.95.154.0/23", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.95.212.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.119.156.0/22", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.239.0.240/28", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.241.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.77.151.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "104.255.59.91/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "104.255.59.115/32", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "150.222.164.210/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "184.169.128.0/17", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "216.182.224.0/21", 
"region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.41.0/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.61.128/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.6.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.248.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "35.72.0.0/13", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "43.224.77.84/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.202/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.91.98/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.152.178/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.240.236.65/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "69.107.6.224/29", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.150.24.0/21", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "104.255.59.85/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.230.128/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.124/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.8.0.0/14", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" 
}, { "ip_prefix": "13.248.60.0/22", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.246.0.0/16", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.216/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.160/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.133.127/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.139.252/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.141.230/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.232/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.198.0/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.219.176.0/22", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "54.204.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "69.107.7.8/29", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.67.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "150.222.120.255/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.129.110/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.232.112/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.75.128/27", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.202/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.180.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "16.12.12.0/23", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "52.46.191.150/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.204/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.132/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.194.0.0/15", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.155.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.196.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.78.170.0/23", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "176.32.125.226/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.80.0/21", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.42.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.190.16.0/20", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "15.230.4.158/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.39.42/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.250/31", "region": 
"us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.169.0/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.34.240.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "35.71.97.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "35.152.0.0/16", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.46.188.52/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.188.64/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.194/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.119/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.127.153/32", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.94.252.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.215.198/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.219.156.0/22", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "54.222.57.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "99.83.128.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.150.0.0/21", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "150.222.129.146/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.2.38.0/26", 
"region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.53.128/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.55.128/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.57.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.66.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.123.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.35.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.168/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.189.12/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.26/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.127.100/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.249.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.129.126/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.22/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.72/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "207.171.160.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.51.96/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { 
"ip_prefix": "13.34.58.192/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.39.8/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.77.148/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.190.226/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.94.7.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.95.60.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "136.18.23.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.34.25.128/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.29.32/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.68.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.78.128/27", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.220.220.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "15.221.48.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.156.0.0/14", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.18.178/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.177/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.209.64/26", "region": "eu-west-2", "service": "AMAZON", "network_border_group": 
"eu-west-2" }, { "ip_prefix": "54.239.102.162/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "136.18.19.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.92.0/22", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "161.188.138.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "3.16.0.0/14", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.30.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.40.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.191.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.0.8/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.39.164/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.251.0.6/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "16.79.0.0/16", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "18.130.0.0/16", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.188.224/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.72.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.82.180.0/22", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.35.213/32", "region": "ap-east-1", "service": "AMAZON", "network_border_group": 
"ap-east-1" }, { "ip_prefix": "52.93.141.222/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.182.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.222.70.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "58.254.138.128/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.77.24.0/22", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "99.151.64.0/21", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "120.253.245.192/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.208.80/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.232.144/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.5.79/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.54.192/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.58.96/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "43.224.76.232/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.112/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.202/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.62.0.0/15", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.0.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": 
"eu-west-1" }, { "ip_prefix": "52.93.19.237/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.126.212/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.141.236/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.249.224/28", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "52.219.44.0/22", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.222.92.0/22", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.239.192.0/19", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "98.130.0.0/16", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "99.82.162.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.28.118/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.70.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.122.116/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "176.32.125.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "176.32.125.238/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.60.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "16.12.14.0/24", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "16.50.0.0/15", "region": "ap-southeast-4", 
"service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "43.224.77.104/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.90/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.224/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.133.179/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.94.152.176/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.144.211.200/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.219.56.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.160.0.0/13", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.118.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "150.222.232.51/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.38/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "157.175.0.0/16", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "176.34.32.0/19", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.22.128/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.36.32/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.34.66.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { 
"ip_prefix": "13.248.125.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.39.234/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.66.0/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "16.23.0.0/16", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "40.164.0.0/16", "region": "ap-southeast-6", "service": "AMAZON", "network_border_group": "ap-southeast-6" }, { "ip_prefix": "43.224.76.12/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.2/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.182/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.126.130/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.127.164/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.245.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.152.179/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.95.16.0/21", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "54.234.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.33.128/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.76.32/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.220.248.0/23", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "15.230.39.116/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.58.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "18.68.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "43.224.76.44/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.67.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.95.64.0/20", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.95.225.0/24", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.219.169.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.240.236.66/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.77.32.0/20", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "99.77.154.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.11.0/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.11.80/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "172.96.97.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.14.0.0/15", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.177.81.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "16.12.0.0/23", "region": "sa-east-1", "service": "AMAZON", 
"network_border_group": "sa-east-1" }, { "ip_prefix": "18.64.0.0/14", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.228.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.79.160/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.16.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.46.191.240/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.122/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.199/32", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.95.28.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.146.0/23", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.95.242.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.144.212.192/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.219.184.0/21", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "120.52.12.64/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.27.234/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.208.86/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "161.189.0.0/16", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "13.34.50.192/27", "region": 
"us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.80.128/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.177.84.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.220.250.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "43.224.79.62/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.192/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.108/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.32.180/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.87.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.102/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.94.249.176/28", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "52.94.254.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.153.0.0/17", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "71.136.64.0/18", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "13.34.38.32/27", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "13.34.42.128/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.47.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": 
"13.34.79.32/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.177.98.0/24", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "15.200.0.0/16", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.220.236.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "15.230.39.128/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "35.154.0.0/16", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "43.224.76.132/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.120/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.82.0.0/17", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.127.185/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.153.172/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.94.249.32/28", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "54.239.0.160/28", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.240.227.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "104.255.59.102/32", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "150.222.129.130/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.2.36.0/25", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1" }, { "ip_prefix": "13.34.5.17/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.26.128/27", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.34.69.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.176/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.82.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.230.252.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.251.0.22/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "35.71.107.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "43.224.79.108/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.4/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.108/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.120/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.149.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.150/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.164/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.198/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.203/32", "region": "us-west-1", "service": "AMAZON", 
"network_border_group": "us-west-1" }, { "ip_prefix": "52.94.250.32/28", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "52.144.228.64/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.218.128.0/17", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "76.223.0.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.84.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.139.116/30", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.59.192/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.39.198/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.52.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.72.128/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "15.230.86.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.180/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.46/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.228/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.124.210/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.127.157/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.160.0/20", "region": 
"eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.144.228.2/31", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "54.240.199.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "64.252.115.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.161.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.234.103/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.39.64/26", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "13.34.8.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.23.160/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.49.96/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.136.0/24", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.46.188.144/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.130/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.247.0/25", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "99.83.112.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "104.255.59.87/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "104.255.59.139/32", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": 
"ap-southeast-3" }, { "ip_prefix": "150.222.208.92/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.34.24.192/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.33.32/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.52.224/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.181.249.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "15.220.205.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "15.230.39.80/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.68.64/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.223.0/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "16.164.0.0/16", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "43.224.76.196/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.76.236/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.172/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.190.12/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.88.0.0/15", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.32.176/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.193.194/32", "region": "ca-central-1", "service": "AMAZON", 
"network_border_group": "ca-central-1" }, { "ip_prefix": "69.107.7.64/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.244.0/22", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.5.12/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.192.0.0/13", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.221.40.0/21", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.39.144/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.149.0/31", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.230.206.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.253.0.0/16", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "52.46.190.244/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.192.0/20", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.82.187.0/24", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.126.76/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.139.253/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.139/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.249.112/28", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "52.219.140.0/24", "region": 
"eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.240.236.21/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "198.99.2.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.18.224/27", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "13.34.47.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.152/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.121.198/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.150.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.95.112.0/20", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.188.0/23", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "63.246.120.0/21", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.78.196.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "104.255.59.106/32", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "130.176.192.0/19", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.3.192/27", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.28.0/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.16.22/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { 
"ip_prefix": "15.230.143.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "18.153.0.0/16", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.202.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.46.188.184/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.44/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.132/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.229/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.1.48/28", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "54.240.236.25/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "150.222.231.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "176.32.104.0/21", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.54.0/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.230.39.106/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.198.0/24", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "52.46.188.180/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.207/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.127.249/32", "region": "ap-northeast-1", "service": "AMAZON", 
"network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.178.158/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.163.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.240.236.50/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "64.252.98.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "99.78.220.0/22", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "150.222.129.124/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "216.182.236.0/23", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.5.32.0/22", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "3.208.0.0/12", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.64.0/24", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "15.221.0.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.0.5/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.39.48/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.238/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.166.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.79.120/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.178/31", "region": "eu-west-2", "service": 
"AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.222.64.0/23", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.240.236.58/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.77.157.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "99.83.99.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "130.176.254.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "142.4.160.72/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "142.4.160.152/29", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1-waw-1" }, { "ip_prefix": "150.222.3.188/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "185.48.120.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.77.0/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "40.165.0.0/16", "region": "ap-southeast-6", "service": "AMAZON", "network_border_group": "ap-southeast-6" }, { "ip_prefix": "52.46.188.56/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.232/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.106/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.138/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.93.153.173/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.178.173/32", 
"region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.206.0/23", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.233.128.0/17", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "142.4.160.104/29", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "150.222.122.110/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.129.20/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.129.240/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.139.120/30", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.232.208/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "203.83.220.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "204.45.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.80.96/27", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.220.206.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "15.221.52.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "15.230.39.156/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.77.192/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "43.224.76.0/30", "region": "us-west-2", "service": "AMAZON", 
"network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.122/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.91.103/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.146/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.95.80.0/20", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.219.132.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.129.150/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.208.65/32", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.217.234/31", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "161.188.152.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "176.32.124.128/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "184.73.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.73.128/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.248.109.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.160.0.0/16", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.177.80.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.129.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": 
"43.196.0.0/16", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.46.191.34/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.34.42/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.127.26/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.144.224.192/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.219.80.0/20", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "54.174.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.240.236.90/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "150.222.234.46/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.12.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.35.128/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "13.230.0.0/15", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.248.111.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.5.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.196.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "43.224.77.208/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.249.46.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" 
}, { "ip_prefix": "52.93.4.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.59.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.109/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.94.198.96/28", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.94.249.160/28", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "52.144.194.128/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.144.201.64/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.144.210.128/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.144.211.202/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.219.112.0/21", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.224.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.239.32.0/21", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.120.244/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.49.32/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.28.0/22", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.220.234.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "15.230.74.0/26", "region": "ap-east-1", "service": 
"AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.176.0.0/15", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.127.154/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.219.144.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.239.56.0/21", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.240.236.17/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "64.252.86.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "99.82.165.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.3.194/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.3.204/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.6.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.28.134/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.20.0.0/14", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.44.160/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.156.0.0/15", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.230.16.252/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.39.246/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { 
"ip_prefix": "15.254.0.0/16", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-lax-1" }, { "ip_prefix": "18.196.0.0/15", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "43.224.79.90/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.138/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.164/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.48/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.170/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.194/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.66.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.76.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.3.210/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.28.124/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "205.251.192.0/21", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.101.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.47.96/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.39.228/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": 
"us-east-2" }, { "ip_prefix": "15.230.93.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.77.76/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.40.0.0/14", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.180/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.50.154/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.124.15/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.93.126.213/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.152.64/32", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.170.0/23", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.124.128.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.240.236.29/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "150.222.3.224/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.77.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.90.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.75.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.90/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.198.0.0/15", "region": "ap-east-1", "service": "AMAZON", 
"network_border_group": "ap-east-1" }, { "ip_prefix": "43.224.79.204/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.189.0/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.136/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.11.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.144.200.128/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.240.196.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "71.137.4.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "99.150.104.0/21", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.66.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.129.246/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "204.246.164.0/22", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.43.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.64.0/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.34.80.192/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.230.28.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "16.178.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "35.71.101.0/24", "region": "eu-west-3", 
"service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "43.224.77.32/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.127.165/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.198.128/28", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.95.248.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.239.0.176/28", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "64.252.70.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.116.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.234.44/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.82/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.5.16/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.26.160/27", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.35.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.230.39.178/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.75.64/26", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.230.194.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.230.207.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": 
"16.12.4.0/23", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "18.88.128.0/18", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-phx-2" }, { "ip_prefix": "34.240.0.0/13", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.79.122/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.14.19/32", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.178.218/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.193.193/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.94.248.16/28", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.249.96/28", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.144.216.8/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.240.200.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.253.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "150.222.15.127/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.234.66/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.17.96/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.29.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.73.0/26", "region": "sa-east-1", "service": "AMAZON", 
"network_border_group": "sa-east-1" }, { "ip_prefix": "18.162.0.0/16", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.46.191.70/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.141.224/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.146.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.95.30.0/23", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.95.96.0/22", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.95.145.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.144.223.64/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "54.47.0.0/16", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "150.222.219.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "176.32.125.246/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.34.192/26", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "3.2.35.0/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.3.0.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.7.64/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.34.58.224/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.34.76.192/27", "region": 
"us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.32.0.0/14", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.126.144/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.155/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.252.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.119.192.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.222.36.0/22", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "150.222.129.136/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.142.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "150.222.222.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.240.0.0/13", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.27.64/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.251.0.24/32", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.76.156/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.56/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.0/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.94/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": 
"52.93.121.190/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.127.110/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.127.181/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.245/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.248.64/28", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.95.229.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "54.72.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.3.184/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.3.191/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.129.128/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.234.70/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.2.42.0/26", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "13.34.12.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.39.0/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "15.230.16.198/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "15.230.186.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "43.224.79.116/31", "region": "us-west-2", 
"service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.126.214/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.173/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.202/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.250.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.144.211.0/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "64.252.67.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "130.176.255.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.3.230/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.113.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.5.148.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.74.192/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.230.163.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.177.2/31", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "43.224.79.102/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.172/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.117/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { 
"ip_prefix": "52.93.127.156/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.198.0.0/16", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.77.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "150.222.122.108/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.30.192/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.34.32/27", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.164.0.0/15", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.230.150.0/23", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.251.0.1/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "43.224.79.98/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.96.0/19", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "52.46.128.0/19", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.214/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.82.171.0/24", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.127.166/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.228/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.0.128/28", "region": "us-gov-west-1", "service": "AMAZON", 
"network_border_group": "us-gov-west-1" }, { "ip_prefix": "54.239.1.32/28", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "176.32.125.242/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "176.34.128.0/17", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.33.224/27", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "16.165.0.0/16", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "43.224.76.72/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.172/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.128/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.127.205/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.216/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.152.181/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.6.0.0/16", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "54.239.0.192/28", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "99.83.96.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "3.2.32.0/26", "region": "ap-southeast-6", "service": "AMAZON", "network_border_group": "ap-southeast-6" }, { "ip_prefix": "13.34.18.160/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.40.224/27", "region": 
"eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.52.128/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.64.160/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.221.1.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.230.39.214/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.68.128/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.46.191.4/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.71.43/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.91.109/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.123/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.210.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.234.60/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.33.192/27", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.34.59.0/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "13.34.69.192/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.184.0.0/13", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.177.0.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.181.244.0/24", "region": 
"us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "15.230.53.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.74.64/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.194.0.0/15", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "43.224.79.140/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.230/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.64.0/20", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.46.191.152/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.186/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.136/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.178.212/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.197.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.249.128/28", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.144.193.64/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.184.0.0/13", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.239.16.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.82.163.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": 
"142.4.160.96/29", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-phx-1" }, { "ip_prefix": "150.222.0.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.11.96/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.230.93/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.6.0.0/15", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.44.128/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.45.192/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.181.120.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "15.193.1.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.39.96/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.251.0.11/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "35.71.108.0/24", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "43.224.76.68/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.168/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.80.0/21", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.46.184.0/22", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.46.189.64/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": 
"us-east-1" }, { "ip_prefix": "52.46.189.104/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.86/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.67.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.93.43.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.78.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.239.116.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "150.222.28.112/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "150.222.217.232/31", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.75.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.4.176/28", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.22.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.230.62.0/24", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "15.230.69.192/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "18.138.0.0/15", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "40.181.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.46.188.236/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.251/32", "region": "eu-west-3", 
"service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.93.193.201/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.94.249.48/28", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.95.255.144/28", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.239.1.176/28", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "54.239.1.192/28", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "63.246.114.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "204.246.174.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.2.33.192/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.16.64/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.34.22.224/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.30.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.76.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.78.0/27", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.248.115.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.230.154.0/23", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "43.224.79.78/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.4/30", 
"region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.52.0.0/15", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.32.179/32", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.144.197.128/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.219.152.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.233.64.0/18", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "70.232.120.0/22", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "150.222.129.144/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.129.224/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "161.188.150.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-5" }, { "ip_prefix": "3.34.0.0/15", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.34.50.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.53.64/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "13.34.57.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.67.128/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.177.74.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.197.3.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { 
"ip_prefix": "15.230.56.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.230.75.128/26", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "35.71.121.0/24", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "43.224.77.36/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.172.0/22", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.46.191.12/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.65.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.19.236/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.94.200.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.119.188.0/22", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.144.194.0/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.150.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.7.0/24", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "150.222.208.78/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.232.120/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.65.32/27", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "13.34.70.32/27", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.71.128/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.40.0.0/14", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.248.104.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.177.96.0/24", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "15.181.251.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "34.248.0.0/13", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.76.204/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "43.224.79.216/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.189.92/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.237.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.148.0/22", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.144.233.132/31", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "64.252.109.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "69.234.192.0/18", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "142.4.160.32/29", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "142.4.160.112/29", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-5" }, { 
"ip_prefix": "161.188.160.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "3.5.0.0/19", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.221.128.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.230.73.64/26", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.78.0/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "36.103.232.0/25", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "43.224.76.244/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.164.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.178.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "67.220.224.0/20", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.82.168.0/24", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "104.255.59.137/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "108.128.0.0/13", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.3.216/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.15.132/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.221.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.232.124/32", "region": "us-west-1", "service": 
"AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.74.160/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.126.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.230.39.120/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.251.0.26/32", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "18.100.0.0/15", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.93.91.106/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.119.205.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.144.227.64/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.239.1.64/28", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "54.240.236.14/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.240.236.30/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "119.147.182.128/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.234.8/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.134/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.41.32/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.55.160/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": 
"13.34.61.160/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.76.128/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.66.0/24", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "15.177.87.0/24", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.230.50.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.249.0/24", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "43.224.77.80/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.4.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.94.72.0/22", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.250.0/28", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "54.222.48.0/22", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.240.228.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.71.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.114.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "104.255.56.12/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.234.106/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "176.32.120.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { 
"ip_prefix": "13.34.31.128/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.177.85.0/24", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.181.246.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "15.230.75.0/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.46.189.52/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.170/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.50.192/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.233/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.152.61/32", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.251.0/24", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "54.239.102.236/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "72.41.0.0/20", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "118.193.97.128/25", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "136.18.22.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.129.66/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.25.160/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.48.96/27", "region": "eu-west-2", "service": "AMAZON", 
"network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.50.96/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.55.96/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.73.64/27", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.177.91.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "15.230.39.102/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.41.0/24", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "15.230.223.2/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.242.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "35.155.0.0/16", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.100/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.141.216/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.181.0/24", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.144.230.0/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.210.0.0/15", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.239.2.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "54.240.236.70/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "64.252.75.0/24", "region": "us-east-2", 
"service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "99.151.136.0/21", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.3.181/32", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.3.248/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.76.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.13.128/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.34.36.64/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.34.46.64/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "13.34.66.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.116.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "15.181.240.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "16.78.0.0/16", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "52.76.0.0/17", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.48.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.125.42/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.193.203/32", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.93.240.200/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": 
"52.144.216.6/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.219.208.0/23", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.240.220.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.28.0/22", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "120.232.236.128/26", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.28.114/31", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.23.32/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.23.192/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.27.96/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.27.128/27", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.34.34.128/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "13.248.69.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "43.224.79.44/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.18.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.21.14/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.76.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.91.99/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { 
"ip_prefix": "52.93.127.98/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.178.171/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.19.0/24", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "54.222.68.0/23", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.239.1.112/28", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "54.239.52.0/23", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "107.176.0.0/15", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "108.166.240.0/21", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "175.41.192.0/18", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "205.251.228.0/22", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.2.160/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.36.128/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.220.44.0/22", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1-han-1" }, { "ip_prefix": "15.230.195.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.248.48.0/21", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "43.224.76.48/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.206/31", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.239.0.32/28", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "99.151.144.0/21", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "104.255.59.81/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.3.196/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.122.114/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.9.76/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.49.192/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.39.172/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.205.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.77.156/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.10.0.0/15", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.188.132/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.172/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.82.164.0/22", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.127.184/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.149/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { 
"ip_prefix": "54.240.230.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "75.79.0.0/16", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "100.24.0.0/13", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "104.255.59.125/32", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.34.39.224/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.34.63.192/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.6/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.176.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.248.40.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.190.52/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.84/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.149/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.144.208.64/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.78.172.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.129.138/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.136.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.4.4.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": 
"us-west-2-pilot-2" }, { "ip_prefix": "3.33.128.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.251.0.4/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "43.224.79.114/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.191.232/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.46.249.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.127.220/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.240.190/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.144.216.0/31", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.239.1.0/28", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "99.150.64.0/21", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "150.222.129.114/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.217.226/31", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "162.213.233.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.72.96/27", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.248.101.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.230.39.84/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.190/31", "region": "us-east-2", "service": "AMAZON", 
"network_border_group": "us-east-2" }, { "ip_prefix": "15.230.161.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.46.190.190/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.91.97/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.91.107/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.255.0/28", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.176.0.0/15", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.246.0.0/16", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.112.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.83.72.0/22", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.3.222/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.129.120/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.4.152/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.169.2/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "16.162.0.0/15", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.148.0.0/14", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.93.127.168/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.119.184.0/22", 
"region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.144.211.194/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.239.104.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.240.236.86/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.77.16.0/21", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "204.246.176.0/20", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.34.2.128/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.62.128/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.44.0.0/14", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.181.32.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-chi-1" }, { "ip_prefix": "15.181.116.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-phx-1" }, { "ip_prefix": "15.197.24.0/22", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.230.43.0/24", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.71.106.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "43.224.76.116/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.152/32", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.93.178.208/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": 
"52.219.196.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.222.96.0/22", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "65.8.0.0/16", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.122.112/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "150.222.230.116/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.11.160/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.48.64/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.177.93.0/24", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "15.181.243.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "15.230.23.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.230.39.142/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.76.216/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.172/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.225/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.20.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "54.240.236.37/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.77.189.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": 
"GLOBAL" }, { "ip_prefix": "150.222.122.98/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.5.232.0/22", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.28.0.0/15", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "13.34.44.96/27", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.34.52.160/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.34.78.192/27", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.230.61.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.88.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "43.224.77.88/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "51.16.0.0/15", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "52.46.191.166/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.58.32/28", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.190/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.144.230.210/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.79.0.0/16", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.240.236.42/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.251.0.0/16", "region": "ap-southeast-1", "service": 
"AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "104.255.59.86/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "150.222.11.94/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.206.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "209.54.176.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.128.0.0/15", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.39.160/27", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.34.56.128/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.107.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.230.39.70/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.232/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.57.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "18.254.0.0/16", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "43.224.76.220/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.240/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.93.50.172/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.240.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.144.210.64/26", "region": 
"eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "64.252.105.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.11.76/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.15.125/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.138.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.234.2/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.4.24.0/21", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "13.34.61.192/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "15.220.224.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "15.230.30.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.64.128/26", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.230.84.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "43.224.76.224/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.208/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.126.134/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.144.212.64/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.207.0.0/16", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { 
"ip_prefix": "65.9.0.0/17", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "69.107.6.112/29", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.77.145.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "99.150.96.0/21", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "108.138.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.253.241.160/27", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "150.222.234.120/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.69.32/27", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.197.20.0/22", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "35.71.105.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "43.224.79.220/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.28.0.0/16", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.46.166.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.176.0/22", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.93.32.183/32", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.93.178.235/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "99.87.8.0/21", "region": "ap-south-2", "service": "AMAZON", "network_border_group": 
"ap-south-2" }, { "ip_prefix": "13.34.46.96/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "13.34.49.160/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.34.54.160/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.73.32/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "40.166.0.0/16", "region": "ap-southeast-6", "service": "AMAZON", "network_border_group": "ap-southeast-6" }, { "ip_prefix": "43.224.79.60/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.190.44/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.191.188/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.103/32", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.178.163/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.193/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.48.0/21", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "150.222.129.151/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "205.251.240.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.0.0.0/15", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.33.34.0/24", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1" }, { "ip_prefix": "13.34.14.128/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.53.96/27", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "13.34.57.32/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.79.224/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.248.102.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.220.112.0/21", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-bue-1" }, { "ip_prefix": "15.230.19.252/31", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.199.0/28", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "43.224.79.26/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.250.193.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.46.190.242/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.77.0.0/16", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.93.21.15/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.160/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.178.207/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "64.252.99.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "69.107.7.32/29", "region": 
"us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "150.222.129.142/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.5.236.0/22", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "13.34.7.96/27", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.181.250.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "15.190.0.0/22", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "15.193.10.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "15.230.94.0/24", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.230.133.30/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.46.191.110/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.116.251/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.153.178/32", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.144.192.64/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "54.240.192.0/22", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.240.236.9/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.151.152.0/21", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ip_prefix": "150.222.97.0/24", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { 
"ip_prefix": "150.222.232.94/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.234.0/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.34.50.64/27", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.230.39.58/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.100/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.39.112/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.244.0/24", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "18.166.0.0/15", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "43.224.79.184/31", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.46.188.168/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.102/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.140/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.240.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.92.128.0/17", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.71.47/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.178.148/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.93.240.176/31", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { 
"ip_prefix": "52.94.28.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.248.128/28", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.100.0/23", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "99.77.160.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.77.250.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "150.222.214.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "176.32.125.248/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.20.32/27", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "13.34.36.96/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.34.51.64/27", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "13.34.77.128/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.220.128.0/21", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1-del-1" }, { "ip_prefix": "15.230.39.62/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.179.0/29", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "18.183.0.0/16", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "46.137.0.0/17", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.93.34.124/31", "region": "us-west-1", "service": "AMAZON", "network_border_group": 
"us-west-1" }, { "ip_prefix": "52.93.60.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.132/32", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.93.127.158/32", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "70.232.112.0/21", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "99.77.135.0/24", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "104.255.59.135/32", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "13.34.5.112/32", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.59.32/27", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "15.177.92.0/24", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.193.8.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.197.30.0/23", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.220.160.0/21", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.230.177.4/32", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "52.82.192.0/18", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.12.13/32", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.150/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.91.104/32", "region": "us-east-1", 
"service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.123.99/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.178.186/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.239.96.0/24", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.240.226.0/24", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.240.236.81/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.78.216.0/22", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "136.8.0.0/16", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "150.222.75.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.229.0/24", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "176.32.125.224/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.3.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.134.0/23", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.34.34.224/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.228.0.0/15", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.220.40.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "15.230.39.86/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": 
"43.224.76.160/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.79.36/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.176/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.93.178.221/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.248.96/28", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.119.128.0/20", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.119.144.0/21", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.196.0.0/14", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.240.236.89/32", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.77.150.0/24", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "99.78.208.0/22", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.3.220/31", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "150.222.230.122/31", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "209.54.184.0/21", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.5.52.0/22", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ip_prefix": "3.5.224.0/22", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.34.51.0/27", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1" }, { "ip_prefix": "15.230.39.148/31", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "52.46.188.156/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.191.82/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.82.188.0/22", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.93.178.153/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "54.222.58.32/28", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "69.107.7.120/29", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "99.77.186.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "150.222.208.96/31", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "150.222.234.102/32", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "176.32.125.0/25", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.28.192/27", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "13.34.60.64/27", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "13.34.80.160/27", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.177.68.0/23", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.230.71.128/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "15.230.190.0/25", "region": "eu-west-2", 
"service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.76.4/30", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "43.224.76.228/30", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "43.224.79.166/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.46.188.92/30", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.93.50.158/31", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "52.93.127.252/32", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "150.222.208.64/32", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "177.71.128.0/17", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "99.77.253.0/24", "region": "us-west-2", "service": "CHIME_VOICECONNECTOR", "network_border_group": "us-west-2" }, { "ip_prefix": "99.77.254.0/24", "region": "us-east-1", "service": "CHIME_VOICECONNECTOR", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.247.0/24", "region": "eu-central-1", "service": "CHIME_VOICECONNECTOR", "network_border_group": "eu-central-1" }, { "ip_prefix": "99.77.250.0/24", "region": "eu-west-1", "service": "CHIME_VOICECONNECTOR", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.177.0.0/18", "region": "GLOBAL", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.219.170.0/23", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.219.168.0/24", "region": "eu-central-1", "service": "S3", 
"network_border_group": "eu-central-1" }, { "ip_prefix": "52.95.150.0/24", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.219.60.0/23", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "16.12.6.0/23", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.219.204.0/22", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "76.223.102.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.95.182.0/23", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "18.34.248.0/22", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "76.223.96.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "108.175.56.0/22", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.219.192.0/23", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ip_prefix": "52.95.136.0/23", "region": "eu-south-2", "service": "S3", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.219.143.0/24", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "3.5.40.0/22", "region": "ap-southeast-4", "service": "S3", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "3.5.136.0/22", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.219.72.0/22", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.219.68.0/22", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.5.160.0/22", "region": "us-west-1", "service": "S3", "network_border_group": 
"us-west-1" }, { "ip_prefix": "13.248.230.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.95.174.0/24", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ip_prefix": "52.95.187.0/24", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ip_prefix": "52.219.141.0/24", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.139.0/24", "region": "eu-central-2", "service": "S3", "network_border_group": "eu-central-2" }, { "ip_prefix": "52.95.128.0/21", "region": "ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.95.178.0/23", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "3.5.36.0/22", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "18.34.32.0/20", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.168.0/24", "region": "ap-southeast-4", "service": "S3", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "52.219.16.0/22", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.5.208.0/22", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ip_prefix": "18.34.0.0/19", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ip_prefix": "16.12.15.0/24", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.34.72.0/21", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "16.12.10.0/23", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.219.148.0/23", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": 
"3.5.128.0/22", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "52.219.195.0/24", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.5.72.0/23", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.166.0/23", "region": "ap-southeast-4", "service": "S3", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "52.95.169.0/24", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ip_prefix": "3.5.152.0/21", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "16.12.16.0/23", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.218.0.0/17", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.219.142.0/24", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "52.219.0.0/20", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.5.252.0/22", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ip_prefix": "13.248.231.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "76.223.104.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.219.32.0/21", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.5.228.0/22", "region": "af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ip_prefix": "52.95.157.0/24", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "108.175.52.0/22", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "52.95.176.0/24", "region": 
"af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ip_prefix": "76.223.99.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.5.48.0/22", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ip_prefix": "52.95.140.0/23", "region": "eu-central-2", "service": "S3", "network_border_group": "eu-central-2" }, { "ip_prefix": "52.95.156.0/24", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ip_prefix": "16.12.2.0/24", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.95.160.0/23", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.219.62.0/23", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ip_prefix": "108.175.60.0/22", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "13.248.225.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.5.164.0/22", "region": "ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.95.151.0/24", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ip_prefix": "3.5.240.0/22", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.248.229.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.231.0.0/16", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.158.0/23", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ip_prefix": "52.219.210.0/24", "region": "eu-central-1", "service": "S3", "network_border_group": 
"eu-central-1" }, { "ip_prefix": "52.219.96.0/20", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "18.34.64.0/21", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.95.148.0/23", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.95.162.0/24", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ip_prefix": "76.223.97.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.5.76.0/22", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ip_prefix": "3.5.44.0/22", "region": "ap-south-2", "service": "S3", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.248.228.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.219.180.0/22", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.95.172.0/23", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ip_prefix": "3.5.64.0/21", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.219.40.0/22", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.219.136.0/22", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.222.52.0/22", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ip_prefix": "3.5.132.0/23", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.190.0/24", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.219.24.0/21", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ip_prefix": "3.5.168.0/23", "region": 
"ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "108.175.48.0/22", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.95.177.0/24", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "13.248.224.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.95.175.0/24", "region": "af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ip_prefix": "52.219.164.0/22", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.34.244.0/22", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.186.0/24", "region": "ap-south-2", "service": "S3", "network_border_group": "ap-south-2" }, { "ip_prefix": "76.223.95.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.227.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.5.248.0/22", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.95.164.0/23", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ip_prefix": "16.12.8.0/24", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ip_prefix": "76.223.101.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.219.160.0/23", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.219.124.0/22", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.95.152.0/23", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.219.172.0/22", "region": "ap-northeast-1", "service": "S3", 
"network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.95.138.0/24", "region": "eu-south-2", "service": "S3", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.219.200.0/24", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.5.216.0/22", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.219.202.0/23", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.5.146.0/23", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.95.180.0/24", "region": "af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ip_prefix": "18.34.252.0/22", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.144.0/24", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ip_prefix": "16.12.9.0/24", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.95.184.0/23", "region": "ap-south-2", "service": "S3", "network_border_group": "ap-south-2" }, { "ip_prefix": "76.223.100.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.95.142.0/23", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.219.194.0/24", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ip_prefix": "3.5.212.0/23", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.5.220.0/22", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ip_prefix": "52.219.120.0/22", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ip_prefix": "52.219.64.0/22", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ip_prefix": 
"52.219.128.0/22", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.5.144.0/23", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "18.34.48.0/20", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ip_prefix": "18.34.232.0/21", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ip_prefix": "52.92.0.0/17", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.154.0/23", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.219.176.0/22", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "16.12.12.0/23", "region": "il-central-1", "service": "S3", "network_border_group": "il-central-1" }, { "ip_prefix": "76.223.103.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.5.80.0/21", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ip_prefix": "18.34.240.0/22", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.219.156.0/22", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ip_prefix": "76.223.98.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.219.44.0/22", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "16.12.14.0/24", "region": "il-central-1", "service": "S3", "network_border_group": "il-central-1" }, { "ip_prefix": "52.219.56.0/22", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.219.169.0/24", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "16.12.0.0/23", "region": "sa-east-1", "service": "S3", 
"network_border_group": "sa-east-1" }, { "ip_prefix": "52.95.146.0/23", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.219.184.0/21", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.218.128.0/17", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ip_prefix": "3.5.244.0/22", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.219.140.0/24", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.95.188.0/23", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ip_prefix": "13.248.232.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.95.163.0/24", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.5.32.0/22", "region": "eu-south-2", "service": "S3", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.219.132.0/22", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.219.80.0/20", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "52.219.112.0/21", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ip_prefix": "52.219.144.0/22", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.95.170.0/23", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ip_prefix": "16.12.4.0/23", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.95.145.0/24", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.5.148.0/22", "region": "ap-southeast-1", "service": "S3", "network_border_group": 
"ap-southeast-1" }, { "ip_prefix": "52.219.152.0/22", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.5.0.0/19", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ip_prefix": "54.222.48.0/22", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.95.181.0/24", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.248.226.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.219.208.0/23", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.82.164.0/22", "region": "cn-northwest-1", "service": "S3", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.219.196.0/22", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.222.96.0/22", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ip_prefix": "3.5.232.0/22", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.5.236.0/22", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.92.128.0/17", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ip_prefix": "13.248.233.0/24", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.5.134.0/23", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.5.52.0/22", "region": "eu-central-2", "service": "S3", "network_border_group": "eu-central-2" }, { "ip_prefix": "3.5.224.0/22", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.82.188.0/22", "region": "cn-northwest-1", "service": "S3", "network_border_group": "cn-northwest-1" }, { "ip_prefix": 
"52.94.24.0/23", "region": "eu-west-1", "service": "DYNAMODB", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.70.0/24", "region": "ap-northeast-1", "service": "DYNAMODB", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.71.115.0/24", "region": "us-gov-east-1", "service": "DYNAMODB", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "52.94.26.0/23", "region": "eu-west-1", "service": "DYNAMODB", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.72.0/24", "region": "il-central-1", "service": "DYNAMODB", "network_border_group": "il-central-1" }, { "ip_prefix": "35.71.99.0/24", "region": "me-south-1", "service": "DYNAMODB", "network_border_group": "me-south-1" }, { "ip_prefix": "52.119.252.0/22", "region": "us-west-2", "service": "DYNAMODB", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.6.0/24", "region": "ap-northeast-2", "service": "DYNAMODB", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.248.67.0/24", "region": "ap-southeast-4", "service": "DYNAMODB", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "3.218.180.0/22", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "35.71.114.0/24", "region": "ap-northeast-1", "service": "DYNAMODB", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.12.0/24", "region": "us-west-1", "service": "DYNAMODB", "network_border_group": "us-west-1" }, { "ip_prefix": "35.71.118.0/24", "region": "ap-southeast-1", "service": "DYNAMODB", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.119.249.0/24", "region": "me-south-1", "service": "DYNAMODB", "network_border_group": "me-south-1" }, { "ip_prefix": "52.94.8.0/24", "region": "ap-northeast-1", "service": "DYNAMODB", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.71.119.0/24", "region": "ca-central-1", "service": "DYNAMODB", "network_border_group": "ca-central-1" }, { "ip_prefix": "13.248.68.0/24", "region": 
"eu-central-2", "service": "DYNAMODB", "network_border_group": "eu-central-2" }, { "ip_prefix": "35.71.104.0/24", "region": "me-central-1", "service": "DYNAMODB", "network_border_group": "me-central-1" }, { "ip_prefix": "35.71.117.0/24", "region": "us-west-1", "service": "DYNAMODB", "network_border_group": "us-west-1" }, { "ip_prefix": "52.119.248.0/24", "region": "ap-east-1", "service": "DYNAMODB", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.119.232.0/21", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "35.71.96.0/24", "region": "ap-southeast-3", "service": "DYNAMODB", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "52.119.240.0/21", "region": "eu-west-1", "service": "DYNAMODB", "network_border_group": "eu-west-1" }, { "ip_prefix": "35.71.72.0/22", "region": "eu-west-1", "service": "DYNAMODB", "network_border_group": "eu-west-1" }, { "ip_prefix": "35.71.113.0/24", "region": "eu-south-1", "service": "DYNAMODB", "network_border_group": "eu-south-1" }, { "ip_prefix": "35.71.120.0/24", "region": "eu-south-2", "service": "DYNAMODB", "network_border_group": "eu-south-2" }, { "ip_prefix": "35.71.98.0/24", "region": "eu-north-1", "service": "DYNAMODB", "network_border_group": "eu-north-1" }, { "ip_prefix": "35.71.112.0/24", "region": "ap-southeast-4", "service": "DYNAMODB", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "52.94.5.0/24", "region": "eu-west-1", "service": "DYNAMODB", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.16.0/24", "region": "eu-west-3", "service": "DYNAMODB", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.71.102.0/24", "region": "us-east-2", "service": "DYNAMODB", "network_border_group": "us-east-2" }, { "ip_prefix": "52.94.10.0/24", "region": "us-west-2", "service": "DYNAMODB", "network_border_group": "us-west-2" }, { "ip_prefix": "35.71.103.0/24", "region": "af-south-1", "service": "DYNAMODB", "network_border_group": "af-south-1" }, 
{ "ip_prefix": "35.71.110.0/24", "region": "ap-northeast-3", "service": "DYNAMODB", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.94.22.0/24", "region": "us-gov-east-1", "service": "DYNAMODB", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "35.71.64.0/22", "region": "us-west-2", "service": "DYNAMODB", "network_border_group": "us-west-2" }, { "ip_prefix": "13.248.71.0/24", "region": "ap-southeast-3", "service": "DYNAMODB", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "35.71.100.0/24", "region": "ap-south-1", "service": "DYNAMODB", "network_border_group": "ap-south-1" }, { "ip_prefix": "35.71.68.0/22", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.14.0/24", "region": "ca-central-1", "service": "DYNAMODB", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.71.109.0/24", "region": "ap-northeast-2", "service": "DYNAMODB", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.94.9.0/24", "region": "us-gov-west-1", "service": "DYNAMODB", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.94.15.0/24", "region": "eu-west-2", "service": "DYNAMODB", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.71.111.0/24", "region": "eu-west-2", "service": "DYNAMODB", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.94.18.0/24", "region": "eu-south-1", "service": "DYNAMODB", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.94.13.0/24", "region": "ap-southeast-2", "service": "DYNAMODB", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "35.71.116.0/24", "region": "us-gov-west-1", "service": "DYNAMODB", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.94.23.0/24", "region": "eu-north-1", "service": "DYNAMODB", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.119.224.0/21", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.30.0/24", "region": 
"af-south-1", "service": "DYNAMODB", "network_border_group": "af-south-1" }, { "ip_prefix": "13.248.65.0/24", "region": "eu-south-2", "service": "DYNAMODB", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.94.17.0/24", "region": "eu-central-1", "service": "DYNAMODB", "network_border_group": "eu-central-1" }, { "ip_prefix": "35.71.97.0/24", "region": "ap-southeast-2", "service": "DYNAMODB", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.222.57.0/24", "region": "cn-north-1", "service": "DYNAMODB", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.94.7.0/24", "region": "sa-east-1", "service": "DYNAMODB", "network_border_group": "sa-east-1" }, { "ip_prefix": "35.71.107.0/24", "region": "ap-east-1", "service": "DYNAMODB", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.82.187.0/24", "region": "cn-northwest-1", "service": "DYNAMODB", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "13.248.64.0/24", "region": "ap-south-2", "service": "DYNAMODB", "network_border_group": "ap-south-2" }, { "ip_prefix": "52.94.11.0/24", "region": "ap-southeast-1", "service": "DYNAMODB", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "35.71.101.0/24", "region": "eu-west-3", "service": "DYNAMODB", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.71.108.0/24", "region": "ap-south-2", "service": "DYNAMODB", "network_border_group": "ap-south-2" }, { "ip_prefix": "35.71.121.0/24", "region": "eu-central-2", "service": "DYNAMODB", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.248.66.0/24", "region": "me-central-1", "service": "DYNAMODB", "network_border_group": "me-central-1" }, { "ip_prefix": "52.94.4.0/24", "region": "us-east-2", "service": "DYNAMODB", "network_border_group": "us-east-2" }, { "ip_prefix": "13.248.69.0/24", "region": "ap-northeast-1", "service": "DYNAMODB", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.19.0/24", "region": "ap-northeast-3", "service": "DYNAMODB", 
"network_border_group": "ap-northeast-3" }, { "ip_prefix": "35.71.106.0/24", "region": "sa-east-1", "service": "DYNAMODB", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.94.20.0/24", "region": "ap-south-1", "service": "DYNAMODB", "network_border_group": "ap-south-1" }, { "ip_prefix": "35.71.105.0/24", "region": "eu-central-1", "service": "DYNAMODB", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.28.0/23", "region": "us-west-2", "service": "DYNAMODB", "network_border_group": "us-west-2" }, { "ip_prefix": "3.2.34.0/26", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "35.180.0.0/16", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "3.2.35.64/26", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.108.0.0/14", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.181.232.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "142.4.160.136/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "3.2.0.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "161.188.154.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-chi-1" }, { "ip_prefix": "52.4.0.0/14", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.222.88.0/24", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "64.252.81.0/24", "region": "sa-east-1", "service": "EC2", 
"network_border_group": "sa-east-1" }, { "ip_prefix": "142.4.160.80/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-chi-1" }, { "ip_prefix": "50.16.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.224.0/24", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.193.3.0/24", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.220.196.0/22", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "15.220.216.0/22", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1-del-2" }, { "ip_prefix": "35.71.115.0/24", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "15.205.0.0/16", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "64.252.69.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "71.131.192.0/18", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "13.236.0.0/14", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "43.206.0.0/15", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.95.226.0/24", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "142.4.160.56/29", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1" }, { "ip_prefix": "3.4.0.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-6" }, { "ip_prefix": "15.177.83.0/24", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.185.0.0/16", "region": "me-south-1", 
"service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "15.220.252.0/22", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1" }, { "ip_prefix": "54.247.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.248.0.0/15", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.2.40.0/25", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "18.34.248.0/22", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "35.71.99.0/24", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "54.148.0.0/15", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "99.77.130.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "18.200.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.206.0.0/16", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "99.150.56.0/21", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "108.175.56.0/22", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.193.2.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.220.222.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "99.77.132.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "161.188.146.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "15.181.247.0/24", "region": "us-east-1", "service": 
"EC2", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "18.232.0.0/14", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.82.169.0/28", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "64.252.118.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "142.4.160.144/29", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1-tpe-1" }, { "ip_prefix": "15.220.120.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-bue-1" }, { "ip_prefix": "54.74.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.220.207.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "18.102.0.0/16", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.83.0.0/16", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "64.252.122.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "52.47.0.0/16", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.94.249.144/28", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.95.255.64/28", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.208.0.0/16", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.193.7.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "54.156.0.0/14", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.236.0.0/15", "region": "us-east-1", "service": "EC2", 
"network_border_group": "us-east-1" }, { "ip_prefix": "99.150.8.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.40.0/22", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "3.5.136.0/22", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.181.160.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-nyc-1" }, { "ip_prefix": "18.191.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "99.77.159.0/24", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.177.82.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.181.80.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "47.128.0.0/14", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.153.128.0/17", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "122.248.192.0/18", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.247.0.0/16", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "18.192.0.0/15", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "35.71.114.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.229.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.2.34.128/26", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.250.0.0/16", "region": "ap-northeast-1", "service": 
"EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.89.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "107.20.0.0/14", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.160.0/22", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "46.51.192.0/20", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.149.0/24", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.132.0.0/14", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "63.32.0.0/14", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.85.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.36.0.0/14", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.177.94.0/24", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ip_prefix": "52.95.255.16/28", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "18.236.0.0/15", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.249.80/28", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "64.252.74.0/24", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "99.77.183.0/24", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "64.252.79.0/24", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "161.188.148.0/23", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-phx-1" }, { 
"ip_prefix": "15.188.0.0/16", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "18.116.0.0/14", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "54.200.0.0/15", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "3.5.36.0/22", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "18.34.32.0/20", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.144.0.0/14", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.169.0.0/16", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "63.246.113.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.136.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "161.188.158.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-nyc-1" }, { "ip_prefix": "35.71.118.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "64.252.72.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "99.77.148.0/24", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "52.95.240.0/24", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "75.101.128.0/17", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.55.3/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "3.4.3.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-pilot-1" }, { "ip_prefix": "15.222.0.0/15", 
"region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "69.235.128.0/18", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "3.2.41.0/26", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "204.236.128.0/18", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "3.5.208.0/22", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.177.76.0/24", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.30.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.249.64/28", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "54.92.0.0/17", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.154.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.76.0/24", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "67.202.0.0/18", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "161.188.156.0/23", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1" }, { "ip_prefix": "3.30.0.0/15", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.181.253.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "18.34.0.0/19", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "35.71.119.0/24", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "54.226.0.0/15", "region": "us-east-1", 
"service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "162.250.237.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.112.0.0/14", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.144.0.0/13", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "52.95.244.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.187.128.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "64.252.111.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.2.37.128/26", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "18.231.0.0/16", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.252.0.0/16", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.224.0.0/12", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "35.71.104.0/24", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ip_prefix": "35.71.117.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "54.221.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.255.0.0/16", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "142.4.160.40/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "15.228.0.0/15", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "142.4.160.8/29", "region": "us-east-1", "service": "EC2", 
"network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "157.241.0.0/16", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "15.181.112.0/22", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "52.94.249.208/28", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ip_prefix": "54.233.0.0/18", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "68.66.112.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "69.231.128.0/18", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "99.151.120.0/21", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "108.136.0.0/15", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "18.34.72.0/21", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "35.176.0.0/15", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "70.224.192.0/18", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-lax-1" }, { "ip_prefix": "99.77.153.0/24", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "161.188.136.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "3.4.7.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.155.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.255.32/28", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "69.230.192.0/18", "region": "cn-northwest-1", "service": "EC2", 
"network_border_group": "cn-northwest-1" }, { "ip_prefix": "160.1.0.0/16", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.5.128.0/22", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "15.181.241.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "18.216.0.0/14", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "34.192.0.0/12", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.104.0.0/14", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.177.99.0/24", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ip_prefix": "15.193.5.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.220.32.0/21", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-phx-1" }, { "ip_prefix": "52.80.0.0/16", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.94.250.16/28", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "64.252.121.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "99.150.32.0/21", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "175.41.128.0/18", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "64.252.68.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "161.188.130.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "18.229.0.0/16", "region": "sa-east-1", "service": "EC2", 
"network_border_group": "sa-east-1" }, { "ip_prefix": "54.219.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "3.32.0.0/16", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "35.182.0.0/15", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "70.232.124.0/22", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.191.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.72.0/23", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.250.0.0/15", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "44.192.0.0/11", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.102.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "64.252.108.0/24", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "99.77.156.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "161.188.140.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "15.168.0.0/16", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "99.77.55.24/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "99.77.138.0/24", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "162.250.238.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.152.0/21", "region": "ap-northeast-1", "service": "EC2", 
"network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.224.0.0/14", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "52.56.0.0/16", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.245.0.0/16", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "142.4.160.0/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "18.230.0.0/16", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.58.0.0/15", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "70.232.86.125/32", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "99.77.152.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "3.131.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "15.220.80.0/20", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1-tpe-1" }, { "ip_prefix": "3.96.0.0/15", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.220.48.0/21", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1-waw-1" }, { "ip_prefix": "54.216.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.5.252.0/22", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.220.232.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1-ccu-2" }, { "ip_prefix": "23.20.0.0/14", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.248.80/28", "region": "ap-northeast-1", "service": "EC2", 
"network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.64.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.55.26/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "99.77.143.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.4.1.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-3" }, { "ip_prefix": "13.56.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "18.184.0.0/15", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "161.188.128.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "35.160.0.0/13", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.48.0.0/14", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.137.0/24", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "3.2.38.128/26", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "13.112.0.0/14", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.181.144.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "35.71.96.0/24", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "43.200.0.0/14", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.68.0.0/15", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.67.0.0/16", "region": "us-west-1", "service": 
"EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "15.181.254.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "18.60.0.0/15", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ip_prefix": "52.57.0.0/16", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "99.151.80.0/21", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ip_prefix": "3.36.0.0/14", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "161.188.142.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "18.190.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "52.82.168.0/24", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "162.213.232.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "35.71.72.0/22", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.227.0/24", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.68.0.0/14", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "54.93.0.0/16", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.50.0.0/16", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.44.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.76.128.0/17", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.95.0.0/16", "region": "ap-northeast-1", "service": "EC2", 
"network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.212.0.0/15", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "3.5.228.0/22", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "15.181.176.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-chi-1" }, { "ip_prefix": "15.220.202.0/23", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "142.4.160.128/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "3.124.0.0/14", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.181.48.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "52.82.176.0/22", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "54.183.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "142.4.160.64/29", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "3.24.0.0/14", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.2.39.0/26", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.193.6.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "35.71.113.0/24", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "64.252.103.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "142.4.160.24/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "15.177.86.0/24", "region": "ap-east-1", "service": 
"EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.144.0.0/15", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "52.90.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.144.0/23", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "15.220.64.0/20", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1-waw-1" }, { "ip_prefix": "52.0.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.82.184.0/23", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.95.253.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "140.179.0.0/16", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "142.4.160.120/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "208.110.48.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.37.0/26", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.33.35.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.95.255.128/28", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.208.0.0/13", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "16.62.0.0/15", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ip_prefix": "52.54.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.230.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": 
"us-west-2-lax-1" }, { "ip_prefix": "3.5.48.0/22", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ip_prefix": "15.220.152.0/21", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1-ham-1" }, { "ip_prefix": "52.74.0.0/16", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.168.0.0/16", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.177.89.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "18.156.0.0/14", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.82.170.0/24", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "64.252.113.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "79.125.0.0/17", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.134.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.2.41.128/26", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.214.0.0/15", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.177.77.0/24", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.177.90.0/24", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.180.0.0/15", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "99.77.253.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "99.78.238.255/32", "region": "ap-southeast-3", "service": 
"EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "3.4.6.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-pilot-3" }, { "ip_prefix": "15.177.79.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.220.208.128/26", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "54.64.0.0/15", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "176.34.0.0/19", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.71.120.0/24", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "35.80.0.0/12", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "99.77.147.0/24", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "15.220.144.0/23", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1-ham-1" }, { "ip_prefix": "54.223.0.0/16", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "99.77.129.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "108.175.60.0/22", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "15.220.200.0/23", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "43.204.0.0/15", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "46.51.224.0/19", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.179.0.0/16", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.77.55.254/32", "region": 
"eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "3.2.38.192/26", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.170.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.5.164.0/22", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.220.96.0/20", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1-han-1" }, { "ip_prefix": "35.71.98.0/24", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "99.77.131.0/24", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "3.5.240.0/22", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "35.71.112.0/24", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "35.153.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.61.0.0/16", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.79.0.0/16", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "99.150.48.0/21", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.220.228.0/22", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1-ccu-2" }, { "ip_prefix": "52.12.0.0/15", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.220.0.0/15", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.78.238.253/32", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": 
"162.250.236.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.4.8.0/24", "region": "GLOBAL", "service": "EC2", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.163.0.0/16", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "54.199.0.0/16", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.142.0.0/15", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "46.137.192.0/19", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.200.0.0/13", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.222.32.0/22", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "64.252.123.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "99.77.55.25/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "99.151.112.0/21", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.34.64.0/21", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "34.224.0.0/12", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.75.0.0/16", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "15.177.66.0/23", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "52.94.248.224/28", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.95.255.48/28", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.218.0.0/16", "region": 
"us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "3.5.76.0/22", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "16.168.0.0/15", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "64.252.78.0/24", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "99.78.238.251/32", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.181.0.0/20", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "64.252.117.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.151.104.0/21", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.151.128.0/21", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.71.102.0/24", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "99.80.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.5.44.0/22", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ip_prefix": "52.95.249.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "54.244.0.0/16", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.87.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "46.137.224.0/19", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "65.0.0.0/14", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "99.150.80.0/21", "region": "eu-south-1", "service": 
"EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "63.246.112.0/24", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "63.246.119.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "50.19.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "99.79.0.0/16", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "44.224.0.0/11", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.81.0.0/16", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "3.2.3.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "35.71.103.0/24", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "64.252.73.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "99.151.72.0/21", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "174.129.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.43.0/26", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "35.71.110.0/24", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "52.95.255.80/28", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.101.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.2.42.64/26", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.95.255.112/28", "region": "us-west-2", "service": "EC2", "network_border_group": 
"us-west-2" }, { "ip_prefix": "3.2.32.128/26", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "15.181.224.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "15.220.227.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1-del-2" }, { "ip_prefix": "18.208.0.0/13", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.95.245.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.240.17.0/24", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "99.77.142.0/24", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "99.77.187.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "15.177.73.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "46.51.216.0/21", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.5.64.0/21", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.248.32/28", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.220.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "100.20.0.0/14", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.94.248.160/28", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "54.151.0.0/17", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "15.161.0.0/16", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": 
"54.222.52.0/22", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "64.252.110.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.77.158.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.188.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "18.252.0.0/16", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "46.51.128.0/18", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.107.0/24", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.232.0.0/14", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.220.0.0/20", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "52.95.243.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.5.132.0/23", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "13.53.0.0/16", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.177.88.0/24", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.184.0.0/16", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "15.220.56.0/21", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1-tpe-1" }, { "ip_prefix": "184.72.128.0/17", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "15.220.16.0/20", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1" }, { "ip_prefix": 
"161.188.134.0/23", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "3.2.41.64/26", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "13.51.0.0/16", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "35.181.0.0/16", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "54.80.0.0/13", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.214.0.0/16", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "54.254.0.0/16", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.20.0.0/14", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.201.0/26", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.248.208/28", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "13.244.0.0/15", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "52.94.248.48/28", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.242.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "99.151.88.0/21", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "216.182.238.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.168.0/23", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "18.168.0.0/14", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "34.208.0.0/12", "region": "us-west-2", "service": 
"EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.15.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "161.188.144.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "18.189.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "35.71.64.0/22", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "99.77.184.0/24", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.64.0.0/12", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.88.0.0/18", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-dfw-2" }, { "ip_prefix": "162.213.234.0/23", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.220.136.0/21", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1-del-1" }, { "ip_prefix": "18.34.244.0/22", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "18.201.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.151.128.0/17", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "208.86.88.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "18.175.0.0/16", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.208.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.228.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "142.4.160.48/29", "region": "us-east-1", "service": "EC2", "network_border_group": 
"us-east-1-nyc-1" }, { "ip_prefix": "15.220.146.0/23", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "52.95.246.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "13.48.0.0/15", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.64.0.0/17", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.95.239.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "195.17.0.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "18.220.0.0/14", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "52.36.0.0/14", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "54.94.0.0/16", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.152.0.0/16", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.220.226.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "52.95.228.0/24", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "54.222.128.0/17", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "96.127.0.0/17", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "161.188.132.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-bos-1" }, { "ip_prefix": "3.4.16.0/21", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "68.79.0.0/18", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { 
"ip_prefix": "99.77.128.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.248.0/22", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "54.215.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "18.182.0.0/16", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "43.218.0.0/16", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "54.152.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.55.14/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "18.178.0.0/16", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.202.0.0/15", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "99.150.120.0/21", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ip_prefix": "15.181.128.0/20", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-phx-1" }, { "ip_prefix": "16.170.0.0/15", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "18.132.0.0/14", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.70.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.248.0/28", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "15.220.204.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "15.177.70.0/23", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.236.0.0/15", 
"region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "64.252.84.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "99.77.254.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "184.72.0.0/18", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "13.125.0.0/16", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "35.71.100.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "54.193.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "54.222.59.0/24", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "70.232.92.0/22", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.55.0/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "99.77.247.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.2.32.64/26", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "64.252.88.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "99.77.55.2/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "15.181.245.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "99.151.96.0/21", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "15.177.97.0/24", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "35.71.68.0/22", "region": "us-east-1", "service": 
"EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.8.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "52.94.249.192/28", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "52.95.247.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.83.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "99.77.55.253/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "15.177.64.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "15.193.9.0/24", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "46.51.208.0/22", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.86.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.80.0/24", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "142.4.160.88/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "18.136.0.0/16", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "50.112.0.0/16", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "3.2.33.64/26", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "3.2.35.192/26", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ip_prefix": "3.2.43.64/26", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ip_prefix": "13.212.0.0/15", "region": "ap-southeast-1", "service": "EC2", "network_border_group": 
"ap-southeast-1" }, { "ip_prefix": "15.220.233.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "18.179.0.0/16", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.100.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.5.216.0/22", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "3.130.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "13.57.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "13.126.0.0/15", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.181.64.0/20", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "99.77.140.0/24", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "3.2.39.128/26", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "16.16.0.0/16", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.222.89.0/24", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "15.206.0.0/15", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "50.18.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "52.14.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "54.172.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "176.34.64.0/18", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": 
"3.5.146.0/23", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "35.71.109.0/24", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.95.255.96/28", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "99.150.88.0/21", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "142.4.160.16/29", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "18.204.0.0/14", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "35.178.0.0/15", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "54.88.0.0/14", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.94.116.0/22", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.119.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "208.86.90.0/23", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.181.248.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "18.34.252.0/22", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "52.29.0.0/16", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.52.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "18.180.0.0/15", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "46.137.128.0/18", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.248.176/28", "region": 
"ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.2.2.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "3.2.32.192/26", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.246.0.0/16", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "52.94.249.240/28", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.95.254.0/24", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "64.252.104.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "176.32.64.0/19", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.54.0.0/15", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.200.0.0/15", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.95.235.0/24", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "52.95.241.0/24", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "64.252.66.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.82.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "99.77.144.0/24", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.12.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "13.124.0.0/16", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "35.71.111.0/24", 
"region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.94.248.144/28", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.192.0.0/15", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.150.72.0/21", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "3.3.5.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-4" }, { "ip_prefix": "54.78.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.139.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.193.4.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "35.71.116.0/24", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "71.132.0.0/18", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "99.150.40.0/21", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.2.33.128/26", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "3.5.212.0/23", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.5.220.0/22", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "15.177.72.0/24", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "52.2.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.106.0/24", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "103.4.8.0/21", "region": 
"ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "184.72.64.0/18", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.41.192/26", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "99.77.55.1/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "15.181.192.0/19", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "3.2.35.128/26", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.253.0.0/16", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-lax-1" }, { "ip_prefix": "54.238.0.0/16", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.150.16.0/21", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "216.182.232.0/22", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.120.0.0/14", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.181.252.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "18.198.0.0/15", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.9.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "99.77.141.0/24", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.46.180.0/22", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "3.136.0.0/13", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "43.192.0.0/16", "region": 
"cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.94.248.192/28", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "64.252.120.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "3.5.144.0/23", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.94.248.112/28", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.181.242.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "54.232.0.0/16", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.177.78.0/24", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.193.0.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.66.0.0/16", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "204.236.192.0/18", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "35.168.0.0/13", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.64.128.0/17", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.209.0.0/16", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.181.40.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-nyc-1" }, { "ip_prefix": "18.34.48.0/20", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "18.34.232.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "18.140.0.0/15", "region": "ap-southeast-1", 
"service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.60.0.0/16", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "52.78.0.0/16", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "72.44.32.0/19", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "15.181.16.0/20", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "15.181.96.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "99.150.112.0/21", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ip_prefix": "13.58.0.0/15", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "54.194.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.98.0.0/15", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "54.66.0.0/16", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "142.4.160.160/29", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1-del-1" }, { "ip_prefix": "162.222.148.0/22", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-lax-1" }, { "ip_prefix": "3.4.2.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-5" }, { "ip_prefix": "15.177.75.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.24.0.0/14", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.222.0.0/17", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "64.252.65.0/24", "region": "us-west-2", "service": 
"EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "3.13.0.0/16", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "3.248.0.0/13", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.92.128.0/17", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "99.77.133.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.210.0.0/15", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.241.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "99.77.151.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "184.169.128.0/17", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "216.182.224.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "35.72.0.0/13", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.150.24.0/21", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.8.0.0/14", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.246.0.0/16", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "54.204.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.194.0.0/15", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.155.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.196.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { 
"ip_prefix": "3.5.80.0/21", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "18.34.240.0/22", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "35.71.97.0/24", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "35.152.0.0/16", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "99.150.0.0/21", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "3.2.38.0/26", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.220.220.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "35.156.0.0/14", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "161.188.138.0/23", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "3.16.0.0/14", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "15.191.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "18.130.0.0/16", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.72.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "52.82.180.0/22", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "99.151.64.0/21", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.62.0.0/15", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.94.249.224/28", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ip_prefix": "16.50.0.0/15", 
"region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "54.160.0.0/13", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "157.175.0.0/16", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "176.34.32.0/19", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.234.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "70.232.86.126/32", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "15.220.248.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "52.95.225.0/24", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "99.77.154.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "3.14.0.0/15", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "15.177.81.0/24", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "18.228.0.0/16", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.16.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.242.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "161.189.0.0/16", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "15.177.84.0/24", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.220.250.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "52.94.249.176/28", 
"region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "54.153.0.0/17", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "71.136.64.0/18", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "15.177.98.0/24", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ip_prefix": "15.200.0.0/16", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.220.236.0/22", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "35.154.0.0/16", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.82.0.0/17", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.94.249.32/28", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "3.2.36.0/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "35.71.107.0/24", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.94.250.32/28", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ip_prefix": "64.252.115.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.161.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.2.39.64/26", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "15.181.249.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-msp-1" }, { "ip_prefix": "15.220.205.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "52.88.0.0/15", "region": 
"us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "3.5.244.0/22", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.253.0.0/16", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "52.94.249.112/28", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "198.99.2.0/24", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "18.153.0.0/16", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.202.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.98.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "216.182.236.0/23", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "3.5.32.0/22", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "3.208.0.0/12", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.222.64.0/23", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "70.232.86.124/32", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "99.77.157.0/24", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "142.4.160.72/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "142.4.160.152/29", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1-waw-1" }, { "ip_prefix": "185.48.120.0/22", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.233.128.0/17", "region": "sa-east-1", "service": 
"EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "142.4.160.104/29", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "204.45.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "15.220.206.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-sea-1" }, { "ip_prefix": "161.188.152.0/23", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-las-1b" }, { "ip_prefix": "184.73.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "15.160.0.0/16", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.177.80.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "43.196.0.0/16", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "54.174.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "13.230.0.0/15", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.94.249.160/28", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "54.224.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "15.220.234.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mia-1" }, { "ip_prefix": "18.176.0.0/15", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "64.252.86.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.20.0.0/14", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "15.156.0.0/15", "region": "ca-central-1", "service": "EC2", 
"network_border_group": "ca-central-1" }, { "ip_prefix": "15.254.0.0/16", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-lax-1" }, { "ip_prefix": "18.196.0.0/15", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "54.76.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.101.0.0/16", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "52.40.0.0/14", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "43.198.0.0/15", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "71.137.4.0/24", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "99.150.104.0/21", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "35.71.101.0/24", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.95.248.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "64.252.70.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.116.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "18.88.128.0/18", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-phx-2" }, { "ip_prefix": "34.240.0.0/13", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.248.16/28", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.94.249.96/28", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { 
"ip_prefix": "54.253.0.0/16", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "18.162.0.0/16", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.94.146.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.2.34.192/26", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ip_prefix": "3.2.35.0/26", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.32.0.0/14", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.95.252.0/24", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.222.36.0/22", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.94.248.64/28", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "52.95.229.0/24", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "54.72.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.2.42.0/26", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ip_prefix": "52.95.250.0/24", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "64.252.67.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.148.0/22", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.198.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.77.0/24", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": 
"15.164.0.0/15", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "99.77.55.15/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "176.34.128.0/17", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.2.32.0/26", "region": "ap-southeast-6", "service": "EC2", "network_border_group": "ap-southeast-6" }, { "ip_prefix": "15.177.0.0/18", "region": "GLOBAL", "service": "EC2", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.181.244.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "18.194.0.0/15", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.94.249.128/28", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "54.184.0.0/13", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "142.4.160.96/29", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-phx-1" }, { "ip_prefix": "3.6.0.0/15", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.181.120.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-atl-1" }, { "ip_prefix": "15.193.1.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.71.108.0/24", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ip_prefix": "52.46.184.0/22", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.67.0.0/16", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.138.0.0/15", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": 
"52.94.249.48/28", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ip_prefix": "52.95.255.144/28", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "3.2.33.192/26", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "52.52.0.0/15", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "54.233.64.0/18", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "161.188.150.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-5" }, { "ip_prefix": "3.34.0.0/15", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.177.74.0/24", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.71.121.0/24", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ip_prefix": "52.65.0.0/16", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.150.0.0/16", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.40.0.0/14", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.177.96.0/24", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "15.181.251.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "34.248.0.0/13", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.109.0/24", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "69.234.192.0/18", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { 
"ip_prefix": "142.4.160.32/29", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "142.4.160.112/29", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-5" }, { "ip_prefix": "161.188.160.0/23", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "3.5.0.0/19", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "54.178.0.0/16", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.77.55.12/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "99.77.55.27/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "108.128.0.0/13", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "18.100.0.0/15", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "52.119.205.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.177.87.0/24", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "52.94.250.0/28", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ip_prefix": "64.252.71.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "64.252.114.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.177.85.0/24", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.181.246.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-mci-1" }, { "ip_prefix": "52.95.251.0/24", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": 
"72.41.0.0/20", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-iah-1" }, { "ip_prefix": "15.177.91.0/24", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "35.155.0.0/16", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "54.210.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "64.252.75.0/24", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "99.151.136.0/21", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.181.240.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-dfw-1" }, { "ip_prefix": "52.76.0.0/17", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.18.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "107.176.0.0/15", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "175.41.192.0/18", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.220.44.0/22", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1-han-1" }, { "ip_prefix": "99.151.144.0/21", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.10.0.0/15", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.82.164.0/22", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "100.24.0.0/13", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.4.4.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-pilot-2" }, { "ip_prefix": 
"99.150.64.0/21", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ip_prefix": "162.213.233.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.95.255.0/28", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.176.0.0/15", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "54.246.0.0/16", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "64.252.112.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "16.162.0.0/15", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.181.32.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-chi-1" }, { "ip_prefix": "15.181.116.0/22", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-phx-1" }, { "ip_prefix": "35.71.106.0/24", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.177.93.0/24", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ip_prefix": "15.181.243.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-phl-1" }, { "ip_prefix": "3.5.232.0/22", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "3.28.0.0/15", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ip_prefix": "51.16.0.0/15", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ip_prefix": "54.79.0.0/16", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.251.0.0/16", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.128.0.0/15", 
"region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ip_prefix": "18.254.0.0/16", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "64.252.105.0/24", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.4.24.0/21", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "15.220.224.0/23", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-pdx-1" }, { "ip_prefix": "54.207.0.0/16", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "99.77.145.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "99.150.96.0/21", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "35.71.105.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.28.0.0/16", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.0.0.0/15", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.33.34.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "15.220.112.0/21", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-bue-1" }, { "ip_prefix": "52.77.0.0/16", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "64.252.99.0/24", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ip_prefix": "99.77.55.255/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "3.5.236.0/22", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.181.250.0/24", 
"region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "15.193.10.0/24", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ip_prefix": "99.151.152.0/21", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ip_prefix": "18.166.0.0/15", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ip_prefix": "52.94.248.128/28", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ip_prefix": "99.77.55.13/32", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ip_prefix": "99.77.160.0/24", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.77.250.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.220.128.0/21", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1-del-1" }, { "ip_prefix": "18.183.0.0/16", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "46.137.0.0/17", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.77.135.0/24", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.177.92.0/24", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.193.8.0/24", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.220.160.0/21", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ip_prefix": "3.3.2.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ip_prefix": "3.5.134.0/23", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.228.0.0/15", "region": 
"ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.220.40.0/22", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-den-1" }, { "ip_prefix": "52.94.248.96/28", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "52.196.0.0/14", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.77.150.0/24", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.5.52.0/22", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ip_prefix": "3.5.224.0/22", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ip_prefix": "54.222.58.32/28", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ip_prefix": "99.77.186.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ip_prefix": "15.177.68.0/23", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ip_prefix": "177.71.128.0/17", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ip_prefix": "52.95.110.0/24", "region": "GLOBAL", "service": "ROUTE53", "network_border_group": "GLOBAL" }, { "ip_prefix": "205.251.192.0/21", "region": "GLOBAL", "service": "ROUTE53", "network_border_group": "GLOBAL" }, { "ip_prefix": "63.246.114.0/23", "region": "GLOBAL", "service": "ROUTE53", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.52.22.96/27", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "205.251.249.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "180.163.57.128/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "204.246.168.0/22", "region": "GLOBAL", "service": 
"CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.160.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "205.251.252.0/23", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.192.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "204.246.173.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.230.200.0/21", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.253.240.192/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "116.129.226.128/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.0.0/17", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "108.156.0.0/14", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.86.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "205.251.200.0/21", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "223.71.71.128/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.253.245.128/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.224.0.0/14", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "70.132.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.158.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, 
{ "ip_prefix": "13.249.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.238.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.244.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "205.251.208.0/20", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "65.9.128.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.128.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "58.254.138.0/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.230.208.0/20", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "116.129.226.0/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.222.128.0/17", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.164.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "64.252.128.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "205.251.254.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.230.224.0/19", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "71.152.0.0/17", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "216.137.32.0/19", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "204.246.172.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.172.0.0/15", "region": "GLOBAL", 
"service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.52.39.128/27", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "118.193.97.64/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "223.71.71.96/27", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.154.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.240.128.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "205.251.250.0/23", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "180.163.57.0/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "223.71.11.0/27", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.82.128.0/19", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.230.0.0/17", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.230.128.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.239.128.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.224.0/20", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "36.103.232.128/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.84.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "143.204.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": 
"GLOBAL" }, { "ip_prefix": "144.220.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.52.153.192/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "119.147.182.0/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.232.236.0/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "58.254.138.128/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.253.245.192/27", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.239.192.0/19", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.68.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.64.0.0/14", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.52.12.64/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.84.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.192.0/19", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.124.128.0/17", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "204.246.164.0/22", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.35.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "204.246.174.0/23", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "36.103.232.0/25", 
"region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "119.147.182.128/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "118.193.97.128/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.232.236.128/26", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "204.246.176.0/20", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "65.8.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "65.9.0.0/17", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "108.138.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "120.253.241.160/27", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.117.0/24", "region": "ap-south-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.197.34.0/23", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.197.36.0/22", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.124.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.119.0/24", "region": "eu-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.100.0/24", "region": "eu-north-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.248.113.0/24", "region": "eu-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.110.0/24", "region": "ap-southeast-3", "service": "GLOBALACCELERATOR", 
"network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.197.32.0/23", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.197.0.0/23", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.83.102.0/24", "region": "ap-southeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.82.172.0/24", "region": "us-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-west-1" }, { "ip_prefix": "99.83.100.0/24", "region": "ap-northeast-3", "service": "GLOBALACCELERATOR", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.197.16.0/23", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.230.192.0/21", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.105.0/24", "region": "ap-south-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-south-1" }, { "ip_prefix": "99.82.173.0/24", "region": "ap-southeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.82.166.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.97.0/24", "region": "eu-central-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-central-1" }, { "ip_prefix": "15.197.8.0/22", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.197.18.0/23", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.120.0/24", "region": "eu-west-2", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.71.128.0/17", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.3.8.0/21", "region": "GLOBAL", 
"service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.127.0/24", "region": "ap-southeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "99.82.171.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.96.0/24", "region": "eu-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.82.169.0/24", "region": "eu-west-2", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.223.0.0/17", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.82.164.0/24", "region": "sa-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.197.4.0/22", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.77.188.0/24", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.121.0/24", "region": "eu-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.82.170.0/24", "region": "ap-northeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.248.122.0/24", "region": "eu-north-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-north-1" }, { "ip_prefix": "99.82.174.0/24", "region": "ca-central-1", "service": "GLOBALACCELERATOR", "network_border_group": "ca-central-1" }, { "ip_prefix": "99.82.156.0/22", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.197.12.0/22", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.118.0/24", "region": "eu-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-1" }, { "ip_prefix": 
"99.82.167.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ip_prefix": "13.248.114.0/24", "region": "sa-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.248.98.0/24", "region": "ap-northeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "99.82.161.0/24", "region": "eu-west-3", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-3" }, { "ip_prefix": "99.83.101.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ip_prefix": "99.82.175.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ip_prefix": "3.2.8.0/21", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.103.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ip_prefix": "15.197.28.0/23", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.197.128.0/17", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "3.3.6.0/23", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.128.0/17", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.83.98.0/24", "region": "us-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-west-1" }, { "ip_prefix": "75.2.0.0/17", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.82.160.0/24", "region": "ap-south-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.248.108.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { 
"ip_prefix": "99.77.190.0/24", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.106.0/24", "region": "me-south-1", "service": "GLOBALACCELERATOR", "network_border_group": "me-south-1" }, { "ip_prefix": "13.248.99.0/24", "region": "us-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-west-1" }, { "ip_prefix": "13.248.112.0/24", "region": "us-west-2", "service": "GLOBALACCELERATOR", "network_border_group": "us-west-2" }, { "ip_prefix": "15.197.2.0/24", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.83.128.0/17", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.123.0/24", "region": "eu-central-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-central-1" }, { "ip_prefix": "99.82.162.0/24", "region": "eu-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.248.125.0/24", "region": "ap-southeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "76.223.0.0/17", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "63.246.120.0/21", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.83.99.0/24", "region": "eu-central-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.248.109.0/24", "region": "ap-southeast-2", "service": "GLOBALACCELERATOR", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.248.111.0/24", "region": "us-east-2", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-2" }, { "ip_prefix": "99.82.165.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ip_prefix": "3.3.0.0/23", "region": "GLOBAL", "service": "GLOBALACCELERATOR", 
"network_border_group": "GLOBAL" }, { "ip_prefix": "99.83.96.0/24", "region": "ap-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-east-1" }, { "ip_prefix": "99.82.163.0/24", "region": "eu-central-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.248.115.0/24", "region": "ap-northeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.197.3.0/24", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.104.0/24", "region": "sa-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "sa-east-1" }, { "ip_prefix": "99.82.168.0/24", "region": "ap-northeast-2", "service": "GLOBALACCELERATOR", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.248.126.0/24", "region": "ca-central-1", "service": "GLOBALACCELERATOR", "network_border_group": "ca-central-1" }, { "ip_prefix": "13.248.116.0/24", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ip_prefix": "3.33.128.0/17", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.101.0/24", "region": "eu-west-2", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.197.24.0/22", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.77.189.0/24", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.107.0/24", "region": "ap-southeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.197.20.0/22", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "13.248.102.0/24", "region": "ap-southeast-2", "service": "GLOBALACCELERATOR", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.197.30.0/23", 
"region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.193.0.0/19", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.193.0.0/19", "region": "GLOBAL", "service": "AMAZON_CONNECT", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.177.83.0/24", "region": "ap-southeast-2", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "15.177.82.0/24", "region": "ap-southeast-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "15.177.94.0/24", "region": "ap-south-2", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-south-2" }, { "ip_prefix": "15.177.76.0/24", "region": "ap-northeast-2", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.177.99.0/24", "region": "il-central-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "il-central-1" }, { "ip_prefix": "15.177.86.0/24", "region": "ap-east-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.177.89.0/24", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.177.77.0/24", "region": "ap-northeast-3", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.177.90.0/24", "region": "eu-south-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.177.79.0/24", "region": "ap-northeast-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "15.177.66.0/23", "region": "us-east-2", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "us-east-2" }, { "ip_prefix": "15.177.73.0/24", "region": "ap-south-1", "service": 
"ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.177.88.0/24", "region": "sa-east-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.177.70.0/23", "region": "sa-east-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.177.97.0/24", "region": "eu-south-2", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "eu-south-2" }, { "ip_prefix": "15.177.64.0/23", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "us-east-1" }, { "ip_prefix": "15.177.72.0/24", "region": "eu-north-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.177.78.0/24", "region": "eu-west-2", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "eu-west-2" }, { "ip_prefix": "15.177.75.0/24", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "eu-west-1" }, { "ip_prefix": "15.177.81.0/24", "region": "us-west-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "us-west-1" }, { "ip_prefix": "15.177.84.0/24", "region": "ca-central-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.177.98.0/24", "region": "eu-central-2", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "eu-central-2" }, { "ip_prefix": "15.177.80.0/24", "region": "us-west-2", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "us-west-2" }, { "ip_prefix": "15.177.74.0/24", "region": "eu-west-3", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.177.96.0/24", "region": "ap-southeast-4", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-southeast-4" }, { "ip_prefix": "15.177.87.0/24", "region": "me-south-1", 
"service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "me-south-1" }, { "ip_prefix": "15.177.85.0/24", "region": "ap-east-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-east-1" }, { "ip_prefix": "15.177.91.0/24", "region": "af-south-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "af-south-1" }, { "ip_prefix": "15.177.93.0/24", "region": "me-central-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "me-central-1" }, { "ip_prefix": "15.177.92.0/24", "region": "ap-southeast-3", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.177.68.0/23", "region": "eu-central-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING", "network_border_group": "eu-central-1" }, { "ip_prefix": "64.252.64.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "64.252.64.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.77.128.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ip_prefix": "99.77.128.0/18", "region": "GLOBAL", "service": "CHIME_MEETINGS", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.88.0/21", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.239.134.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.82.134.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.86.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.140.0/22", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.0.0/18", "region": "GLOBAL", "service": 
"CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.239.204.0/22", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.160.0/19", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "70.132.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "15.158.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.136.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.239.170.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.0.0/22", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.96.0/19", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.184.0/22", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "204.246.166.0/24", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.64.0/21", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.172.0/22", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "205.251.218.0/24", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.4.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.144.0/20", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { 
"ip_prefix": "54.182.176.0/21", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.78.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.248.0/22", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "64.252.128.0/18", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.154.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "64.252.64.0/18", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.144.0/21", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.224.0/21", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.128.0/21", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.32.0/19", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.82.128.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "18.68.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.156.0/22", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.160.0/21", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.240.0/21", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.192.0/19", "region": "GLOBAL", "service": 
"CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.76.0/24", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "52.46.16.0/20", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.239.208.0/21", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.188.0/23", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.80.0/22", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "54.182.128.0/20", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "130.176.72.0/22", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL" }, { "ip_prefix": "140.179.1.64/27", "region": "cn-north-1", "service": "CLOUD9", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.1.96/27", "region": "cn-north-1", "service": "CLOUD9", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.113.248/29", "region": "cn-north-1", "service": "CODEBUILD", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.144.128/25", "region": "cn-north-1", "service": "API_GATEWAY", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.15.0/26", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.15.64/26", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.176.0/23", "region": "cn-north-1", "service": "API_GATEWAY", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.36.16/29", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.36.32/27", "region": 
"cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.36.64/27", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.57.0/24", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.58.0/26", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.58.88/29", "region": "cn-north-1", "service": "EBS", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.59.0/24", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.79.160/27", "region": "cn-north-1", "service": "CLOUD9", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.79.192/27", "region": "cn-north-1", "service": "CLOUD9", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.79.244/30", "region": "cn-north-1", "service": "EBS", "network_border_group": "cn-north-1" }, { "ip_prefix": "140.179.79.64/26", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.80.197.0/25", "region": "cn-north-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.80.197.128/25", "region": "cn-north-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.80.198.0/25", "region": "cn-north-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.80.198.136/29", "region": "cn-north-1", "service": "CODEBUILD", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.80.51.200/29", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.80.51.208/29", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { 
"ip_prefix": "52.80.51.216/29", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.80.51.224/29", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.80.51.240/29", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.80.51.248/29", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.113.32/27", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.113.64/27", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.113.96/27", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.124.0/23", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.135.128/25", "region": "cn-north-1", "service": "API_GATEWAY", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.137.0/24", "region": "cn-north-1", "service": "API_GATEWAY", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.151.0/27", "region": "cn-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.167.128/27", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.167.192/26", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.216.0/23", "region": "cn-north-1", "service": "API_GATEWAY", "network_border_group": "cn-north-1" }, { "ip_prefix": "52.81.232.0/26", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ip_prefix": "71.131.196.128/26", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { 
"ip_prefix": "161.189.148.0/23", "region": "cn-northwest-1", "service": "API_GATEWAY", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "161.189.23.0/27", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "161.189.23.32/27", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "161.189.66.128/26", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "161.189.66.192/26", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.82.1.0/29", "region": "cn-northwest-1", "service": "CODEBUILD", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.82.127.0/24", "region": "cn-northwest-1", "service": "API_GATEWAY", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.82.92.0/23", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.25.128/27", "region": "cn-northwest-1", "service": "CLOUD9", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.25.160/27", "region": "cn-northwest-1", "service": "CLOUD9", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.26.0/26", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.26.192/27", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.26.224/27", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.26.64/26", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.33.104/29", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.33.112/29", 
"region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.33.72/29", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.33.80/29", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.33.88/29", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.33.96/29", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.34.128/25", "region": "cn-northwest-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.34.72/29", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.34.80/29", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.34.88/29", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.34.96/27", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.35.0/25", "region": "cn-northwest-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.35.128/25", "region": "cn-northwest-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.5.0/26", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "52.83.58.0/24", "region": "cn-northwest-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "68.79.2.244/30", "region": "cn-northwest-1", "service": "EBS", "network_border_group": "cn-northwest-1" }, { 
"ip_prefix": "68.79.2.248/29", "region": "cn-northwest-1", "service": "EBS", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "68.79.2.64/27", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "69.230.219.0/24", "region": "cn-northwest-1", "service": "API_GATEWAY", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "69.230.226.0/24", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "69.230.227.0/24", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "69.230.228.0/24", "region": "cn-northwest-1", "service": "ROUTE53_RESOLVER", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "69.234.197.192/26", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "69.234.197.72/29", "region": "cn-northwest-1", "service": "CODEBUILD", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "69.235.162.0/24", "region": "cn-northwest-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "69.235.170.0/23", "region": "cn-northwest-1", "service": "API_GATEWAY", "network_border_group": "cn-northwest-1" }, { "ip_prefix": "18.252.4.0/30", "region": "us-gov-east-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "15.200.28.80/30", "region": "us-gov-west-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "18.252.126.0/25", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.252.145.156/30", "region": "us-gov-east-1", "service": "EBS", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.252.145.160/29", "region": "us-gov-east-1", "service": "EBS", "network_border_group": "us-gov-east-1" }, { "ip_prefix": 
"18.252.145.168/29", "region": "us-gov-east-1", "service": "CODEBUILD", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.252.145.192/28", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.252.145.208/28", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.252.165.0/26", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.252.165.140/30", "region": "us-gov-east-1", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.252.4.16/29", "region": "us-gov-east-1", "service": "CODEBUILD", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.252.56.0/23", "region": "us-gov-east-1", "service": "API_GATEWAY", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.252.58.0/23", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.253.186.0/24", "region": "us-gov-east-1", "service": "API_GATEWAY", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.254.23.64/26", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.254.61.128/26", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "18.254.68.0/23", "region": "us-gov-east-1", "service": "API_GATEWAY", "network_border_group": "us-gov-east-1" }, { "ip_prefix": "15.200.141.0/25", "region": "us-gov-west-1", "service": "API_GATEWAY", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.200.150.0/23", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.200.176.128/28", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.200.176.192/26", "region": "us-gov-west-1", "service": "AMAZON", 
"network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.200.28.240/28", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.200.28.88/29", "region": "us-gov-west-1", "service": "CODEBUILD", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.205.82.0/23", "region": "us-gov-west-1", "service": "API_GATEWAY", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "15.205.84.0/23", "region": "us-gov-west-1", "service": "API_GATEWAY", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "160.1.128.0/24", "region": "us-gov-west-1", "service": "API_GATEWAY", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.30.129.0/24", "region": "us-gov-west-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.30.130.0/23", "region": "us-gov-west-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.30.40.84/30", "region": "us-gov-west-1", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.30.98.128/26", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.30.98.64/26", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.32.139.0/24", "region": "us-gov-west-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.32.190.0/25", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.32.190.244/30", "region": "us-gov-west-1", "service": "EBS", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.32.190.248/29", "region": "us-gov-west-1", "service": "EBS", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "52.61.193.0/24", "region": "us-gov-west-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-gov-west-1" }, { "ip_prefix": 
"52.61.40.104/29", "region": "us-gov-west-1", "service": "CODEBUILD", "network_border_group": "us-gov-west-1" }, { "ip_prefix": "3.112.23.0/29", "region": "ap-northeast-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.202.216.48/29", "region": "eu-west-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-1" }, { "ip_prefix": "18.206.107.24/29", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1" }, { "ip_prefix": "18.237.140.160/29", "region": "us-west-2", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-west-2" }, { "ip_prefix": "13.52.6.112/29", "region": "us-west-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-west-1" }, { "ip_prefix": "3.0.5.32/29", "region": "ap-southeast-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.233.177.0/29", "region": "ap-south-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.120.181.40/29", "region": "eu-central-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.228.70.32/29", "region": "sa-east-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "sa-east-1" }, { "ip_prefix": "13.209.1.56/29", "region": "ap-northeast-2", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.239.158.0/29", "region": "ap-southeast-2", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.48.4.200/30", "region": "eu-north-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-north-1" }, { "ip_prefix": "35.180.112.80/29", "region": "eu-west-3", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-3" }, { "ip_prefix": "3.16.146.0/29", "region": "us-east-2", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-2" }, { 
"ip_prefix": "3.8.37.24/29", "region": "eu-west-2", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.183.92.176/29", "region": "ca-central-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ca-central-1" }, { "ip_prefix": "13.244.121.0/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.121.196/30", "region": "af-south-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.122.0/24", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.132.0/23", "region": "af-south-1", "service": "API_GATEWAY", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.165.192/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.176.128/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.176.64/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.202.40/29", "region": "af-south-1", "service": "CODEBUILD", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.244.192/27", "region": "af-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.244.224/27", "region": "af-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.33.0/26", "region": "af-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.33.128/26", "region": "af-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.33.64/26", "region": "af-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "af-south-1" }, { "ip_prefix": "13.244.35.128/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": 
"af-south-1" }, { "ip_prefix": "13.244.35.192/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.1.32/27", "region": "af-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.112.0/24", "region": "af-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.113.0/24", "region": "af-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.114.0/24", "region": "af-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.127.232/30", "region": "af-south-1", "service": "AMAZON_APPFLOW", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.155.128/27", "region": "af-south-1", "service": "CLOUD9", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.155.224/27", "region": "af-south-1", "service": "CLOUD9", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.166.128/30", "region": "af-south-1", "service": "AMAZON_APPFLOW", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.166.132/30", "region": "af-south-1", "service": "AMAZON_APPFLOW", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.166.176/29", "region": "af-south-1", "service": "CODEBUILD", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.241.64/26", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.93.140/30", "region": "af-south-1", "service": "EBS", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.93.160/29", "region": "af-south-1", "service": "EBS", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.93.176/28", "region": "af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ip_prefix": "13.245.93.192/28", "region": "af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { 
"ip_prefix": "13.246.108.0/22", "region": "af-south-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "af-south-1" }, { "ip_prefix": "13.246.70.0/23", "region": "af-south-1", "service": "API_GATEWAY", "network_border_group": "af-south-1" }, { "ip_prefix": "16.162.162.96/29", "region": "ap-east-1", "service": "CODEBUILD", "network_border_group": "ap-east-1" }, { "ip_prefix": "16.162.52.0/24", "region": "ap-east-1", "service": "API_GATEWAY", "network_border_group": "ap-east-1" }, { "ip_prefix": "16.163.196.0/22", "region": "ap-east-1", "service": "API_GATEWAY", "network_border_group": "ap-east-1" }, { "ip_prefix": "16.163.206.0/23", "region": "ap-east-1", "service": "API_GATEWAY", "network_border_group": "ap-east-1" }, { "ip_prefix": "16.163.63.64/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.162.127.0/27", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.162.127.32/27", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.162.127.64/27", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.162.189.0/24", "region": "ap-east-1", "service": "API_GATEWAY", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.162.221.128/27", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.162.221.160/27", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.162.221.192/27", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.163.139.32/27", "region": "ap-east-1", "service": "CLOUD9", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.163.201.0/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": 
"18.163.201.96/27", "region": "ap-east-1", "service": "CLOUD9", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.163.204.0/23", "region": "ap-east-1", "service": "API_GATEWAY", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.163.66.0/23", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.163.68.0/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.166.20.128/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.166.20.192/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.166.20.64/26", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.166.237.128/27", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.166.237.64/27", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.166.237.96/27", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.167.111.0/24", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.167.112.0/24", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.167.113.0/24", "region": "ap-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.167.88.112/28", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.167.88.72/29", "region": "ap-east-1", "service": "EBS", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.167.88.80/30", "region": "ap-east-1", "service": "EBS", "network_border_group": "ap-east-1" }, { "ip_prefix": "18.167.88.96/28", "region": "ap-east-1", "service": "S3", 
"network_border_group": "ap-east-1" }, { "ip_prefix": "13.112.191.184/29", "region": "ap-northeast-1", "service": "CODEBUILD", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.113.196.64/26", "region": "ap-northeast-1", "service": "CLOUDFRONT", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.113.203.0/24", "region": "ap-northeast-1", "service": "CLOUDFRONT", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.230.21.128/26", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.230.21.224/28", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.230.21.240/28", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.231.6.104/29", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.231.6.112/28", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.231.6.192/28", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.231.6.208/29", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.231.6.64/29", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.231.6.72/29", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.231.6.80/29", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.231.6.88/29", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.176.203.120/30", "region": 
"ap-northeast-1", "service": "AMAZON_APPFLOW", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.177.156.192/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.179.48.128/27", "region": "ap-northeast-1", "service": "CLOUD9", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.179.48.96/27", "region": "ap-northeast-1", "service": "CLOUD9", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.180.178.0/24", "region": "ap-northeast-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.180.180.0/23", "region": "ap-northeast-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.180.88.0/23", "region": "ap-northeast-1", "service": "API_GATEWAY", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.181.204.128/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.181.204.192/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.181.242.0/23", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.182.96.64/26", "region": "ap-northeast-1", "service": "AMAZON_CONNECT", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "18.183.37.0/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.112.162.0/23", "region": "ap-northeast-1", "service": "API_GATEWAY", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.112.64.0/23", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.112.85.96/27", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.112.96.0/26", "region": "ap-northeast-1", "service": 
"ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.112.96.128/27", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.112.96.160/27", "region": "ap-northeast-1", "service": "API_GATEWAY", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.112.96.64/26", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.113.218.0/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.113.218.112/28", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.113.218.128/27", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.113.218.68/30", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.113.218.72/30", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.113.218.76/30", "region": "ap-northeast-1", "service": "AMAZON_APPFLOW", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "3.114.164.0/22", "region": "ap-northeast-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.164.212/30", "region": "ap-northeast-1", "service": "EBS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.164.232/29", "region": "ap-northeast-1", "service": "EBS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.164.240/28", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.255.0/24", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.36.140/31", "region": "ap-northeast-1", 
"service": "KINESIS_VIDEO_STREAMS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.36.142/31", "region": "ap-northeast-1", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.36.144/30", "region": "ap-northeast-1", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.36.148/30", "region": "ap-northeast-1", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.36.192/27", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.36.224/27", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.37.0/25", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.72.37.128/25", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.73.115.0/28", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.73.115.128/25", "region": "ap-northeast-1", "service": "API_GATEWAY", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.73.4.0/24", "region": "ap-northeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.74.77.240/30", "region": "ap-northeast-1", "service": "AMAZON_APPFLOW", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.75.130.0/24", "region": "ap-northeast-1", "service": "API_GATEWAY", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.75.131.0/26", "region": "ap-northeast-1", "service": "API_GATEWAY", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.75.131.80/29", "region": "ap-northeast-1", "service": "CODEBUILD", "network_border_group": "ap-northeast-1" }, { "ip_prefix": 
"35.76.252.0/23", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.77.0.128/26", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.77.112.0/22", "region": "ap-northeast-1", "service": "API_GATEWAY", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "35.77.124.0/23", "region": "ap-northeast-1", "service": "API_GATEWAY", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "52.199.127.192/26", "region": "ap-northeast-1", "service": "CLOUDFRONT", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.248.220.0/26", "region": "ap-northeast-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.250.251.0/24", "region": "ap-northeast-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "54.250.253.192/26", "region": "ap-northeast-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-northeast-1" }, { "ip_prefix": "13.124.145.104/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.145.112/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.145.120/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.145.16/29", "region": "ap-northeast-2", "service": "CODEBUILD", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.145.24/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.145.64/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.145.72/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": 
"ap-northeast-2" }, { "ip_prefix": "13.124.145.80/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.145.88/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.145.96/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.199.0/24", "region": "ap-northeast-2", "service": "CLOUDFRONT", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.199.0/24", "region": "ap-northeast-2", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.124.247.0/24", "region": "ap-northeast-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.209.1.0/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.209.1.8/29", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.209.1.96/27", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.209.71.128/27", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.209.71.224/27", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.164.156.0/23", "region": "ap-northeast-2", "service": "API_GATEWAY", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.164.243.0/28", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.164.243.192/27", "region": "ap-northeast-2", "service": "CLOUD9", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.164.243.224/27", "region": "ap-northeast-2", 
"service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.164.243.32/27", "region": "ap-northeast-2", "service": "CLOUD9", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.165.193.128/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.165.193.64/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "15.165.224.0/23", "region": "ap-northeast-2", "service": "API_GATEWAY", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.34.101.192/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.34.228.0/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.34.228.64/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.34.37.0/24", "region": "ap-northeast-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.34.38.0/23", "region": "ap-northeast-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.34.89.192/30", "region": "ap-northeast-2", "service": "AMAZON_APPFLOW", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.34.89.196/30", "region": "ap-northeast-2", "service": "AMAZON_APPFLOW", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.34.89.64/26", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.35.130.128/25", "region": "ap-northeast-2", "service": "CLOUDFRONT", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.35.160.0/22", "region": "ap-northeast-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.167.128/25", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", 
"network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.167.28/30", "region": "ap-northeast-2", "service": "EBS", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.167.48/29", "region": "ap-northeast-2", "service": "EBS", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.167.64/28", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.167.80/28", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.190.0/23", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.192.0/23", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.194.0/23", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.202.0/25", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.245.204/30", "region": "ap-northeast-2", "service": "EBS", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.245.232/30", "region": "ap-northeast-2", "service": "AMAZON_APPFLOW", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.3.160/28", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.3.192/27", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.3.224/27", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.36.3.96/27", "region": "ap-northeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.38.131.192/26", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, 
{ "ip_prefix": "3.38.229.0/25", "region": "ap-northeast-2", "service": "API_GATEWAY", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.38.248.0/23", "region": "ap-northeast-2", "service": "API_GATEWAY", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.38.90.8/29", "region": "ap-northeast-2", "service": "CODEBUILD", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.39.113.0/24", "region": "ap-northeast-2", "service": "API_GATEWAY", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.39.114.0/23", "region": "ap-northeast-2", "service": "API_GATEWAY", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.39.116.0/26", "region": "ap-northeast-2", "service": "API_GATEWAY", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "3.39.82.128/25", "region": "ap-northeast-2", "service": "API_GATEWAY", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "52.78.247.128/26", "region": "ap-northeast-2", "service": "CLOUDFRONT", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "54.180.184.0/23", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ip_prefix": "13.208.131.0/29", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.128/27", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.16/29", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.160/27", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.192/27", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.224/30", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { 
"ip_prefix": "13.208.131.228/30", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.232/30", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.24/29", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.32/29", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.40/29", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.131.8/29", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.170.0/23", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.177.224/27", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.180.0/24", "region": "ap-northeast-3", "service": "API_GATEWAY", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.194.0/23", "region": "ap-northeast-3", "service": "API_GATEWAY", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.217.64/27", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.217.96/27", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.227.0/25", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.227.128/25", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.228.0/25", "region": "ap-northeast-3", "service": 
"ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.228.128/29", "region": "ap-northeast-3", "service": "EBS", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.228.136/30", "region": "ap-northeast-3", "service": "EBS", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.33.16/29", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.33.24/29", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.208.33.8/29", "region": "ap-northeast-3", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.10.0/24", "region": "ap-northeast-3", "service": "API_GATEWAY", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.133.112/28", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.133.128/28", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.174.0/23", "region": "ap-northeast-3", "service": "API_GATEWAY", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.176.0/22", "region": "ap-northeast-3", "service": "API_GATEWAY", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.24.0/27", "region": "ap-northeast-3", "service": "CLOUD9", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.24.128/29", "region": "ap-northeast-3", "service": "CODEBUILD", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.24.192/26", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.24.32/27", "region": "ap-northeast-3", "service": "CLOUD9", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "15.152.24.64/26", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": 
"ap-northeast-3" }, { "ip_prefix": "15.152.8.192/26", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ip_prefix": "13.126.23.136/29", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.126.23.144/29", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.126.23.152/29", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.126.23.160/27", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.126.23.192/27", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.126.243.0/24", "region": "ap-south-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.127.70.128/29", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.127.70.136/29", "region": "ap-south-1", "service": "CODEBUILD", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.127.70.144/29", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.127.70.152/29", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.127.70.160/29", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.232.67.128/27", "region": "ap-south-1", "service": "CLOUD9", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.232.67.160/27", "region": "ap-south-1", "service": "CLOUD9", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.233.177.192/26", "region": "ap-south-1", "service": "CLOUDFRONT", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.233.177.32/27", "region": "ap-south-1", 
"service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.234.221.136/29", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.234.221.192/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.234.8.0/23", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.235.197.96/27", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.235.228.0/24", "region": "ap-south-1", "service": "API_GATEWAY", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.235.6.0/23", "region": "ap-south-1", "service": "API_GATEWAY", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.206.137.128/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.206.137.192/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.207.13.0/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.207.13.128/25", "region": "ap-south-1", "service": "CLOUDFRONT", "network_border_group": "ap-south-1" }, { "ip_prefix": "15.207.213.128/25", "region": "ap-south-1", "service": "CLOUDFRONT", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.108.13.124/30", "region": "ap-south-1", "service": "AMAZON_APPFLOW", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.109.72.0/25", "region": "ap-south-1", "service": "API_GATEWAY", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.109.72.152/29", "region": "ap-south-1", "service": "CODEBUILD", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.110.57.0/24", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.110.71.0/26", "region": "ap-south-1", "service": "AMAZON", 
"network_border_group": "ap-south-1" }, { "ip_prefix": "3.111.110.0/23", "region": "ap-south-1", "service": "API_GATEWAY", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.111.251.0/24", "region": "ap-south-1", "service": "API_GATEWAY", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.111.90.0/23", "region": "ap-south-1", "service": "API_GATEWAY", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.6.70.128/26", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.6.70.76/30", "region": "ap-south-1", "service": "AMAZON_APPFLOW", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.7.10.0/23", "region": "ap-south-1", "service": "API_GATEWAY", "network_border_group": "ap-south-1" }, { "ip_prefix": "3.7.25.48/30", "region": "ap-south-1", "service": "AMAZON_APPFLOW", "network_border_group": "ap-south-1" }, { "ip_prefix": "52.66.194.128/26", "region": "ap-south-1", "service": "CLOUDFRONT", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.0.192.176/28", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.0.192.224/27", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.0.234.0/26", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.1.103.192/29", "region": "ap-south-1", "service": "EBS", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.1.103.200/30", "region": "ap-south-1", "service": "EBS", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.1.103.208/28", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.1.103.224/28", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.1.156.0/22", "region": "ap-south-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-south-1" }, { 
"ip_prefix": "65.1.170.0/23", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.1.172.0/23", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.1.174.0/23", "region": "ap-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.2.14.0/23", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "65.2.16.0/23", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ip_prefix": "13.212.132.0/22", "region": "ap-southeast-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.212.209.128/26", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.212.209.94/31", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.212.209.96/27", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.212.3.128/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.212.3.64/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.213.20.132/30", "region": "ap-southeast-1", "service": "EBS", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.213.20.136/29", "region": "ap-southeast-1", "service": "EBS", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.213.20.144/28", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.213.20.160/28", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.213.21.0/24", "region": "ap-southeast-1", "service": 
"ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.213.22.0/23", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.213.24.0/23", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.213.75.224/29", "region": "ap-southeast-1", "service": "CODEBUILD", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.214.118.0/23", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.214.124.128/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.214.224.0/23", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.214.228.0/22", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.215.92.0/24", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.215.93.0/25", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.215.93.128/26", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.228.69.0/24", "region": "ap-southeast-1", "service": "CLOUDFRONT", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.229.187.192/27", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.229.187.232/29", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.250.186.0/29", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.250.186.128/27", "region": "ap-southeast-1", 
"service": "CLOUD9", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.250.186.16/29", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.250.186.160/27", "region": "ap-southeast-1", "service": "CLOUD9", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.250.186.192/29", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.250.186.200/29", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.250.186.208/29", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.250.186.8/29", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.251.113.64/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.251.116.0/23", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.136.1.192/27", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.136.1.224/27", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.138.134.128/25", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.138.244.0/23", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.139.204.176/28", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.139.204.192/27", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.140.177.0/26", 
"region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.140.177.64/26", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.148.0/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.148.128/25", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.150.0/23", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.152.0/24", "region": "ap-southeast-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.154.0/23", "region": "ap-southeast-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.226.0/23", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.238.0/26", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.238.68/30", "region": "ap-southeast-1", "service": "AMAZON_APPFLOW", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.66.248/30", "region": "ap-southeast-1", "service": "AMAZON_APPFLOW", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "18.141.66.252/30", "region": "ap-southeast-1", "service": "AMAZON_APPFLOW", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "3.0.5.224/27", "region": "ap-southeast-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.220.191.0/26", "region": "ap-southeast-1", "service": "CLOUDFRONT", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "52.221.221.128/29", "region": "ap-southeast-1", "service": "CODEBUILD", "network_border_group": "ap-southeast-1" }, { "ip_prefix": 
"52.76.127.0/24", "region": "ap-southeast-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.251.31.128/26", "region": "ap-southeast-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "54.255.254.192/26", "region": "ap-southeast-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-southeast-1" }, { "ip_prefix": "13.210.2.192/26", "region": "ap-southeast-2", "service": "AMAZON_CONNECT", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.210.67.128/26", "region": "ap-southeast-2", "service": "CLOUDFRONT", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.211.12.160/27", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.211.12.192/29", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.211.12.200/29", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.211.12.208/29", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.211.12.216/29", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.211.12.248/29", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.211.166.192/29", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.211.166.200/29", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.236.8.0/25", "region": "ap-southeast-2", "service": "AMAZON_CONNECT", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.236.82.128/27", "region": "ap-southeast-2", "service": "CLOUD9", 
"network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.236.82.96/27", "region": "ap-southeast-2", "service": "CLOUD9", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.54.63.128/26", "region": "ap-southeast-2", "service": "CLOUDFRONT", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "13.55.255.216/29", "region": "ap-southeast-2", "service": "CODEBUILD", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.104.82.0/23", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.105.172.0/22", "region": "ap-southeast-2", "service": "API_GATEWAY", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.105.5.0/27", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.105.5.32/27", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.24.1.208/28", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.24.227.192/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.138.0/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.138.64/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.178.128/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.248.0/22", "region": "ap-southeast-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.37.128/25", "region": "ap-southeast-2", "service": "API_GATEWAY", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.37.64/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { 
"ip_prefix": "3.25.38.0/23", "region": "ap-southeast-2", "service": "API_GATEWAY", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.40.0/24", "region": "ap-southeast-2", "service": "API_GATEWAY", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.43.0/24", "region": "ap-southeast-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.44.0/23", "region": "ap-southeast-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.47.28/30", "region": "ap-southeast-2", "service": "AMAZON_APPFLOW", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.25.47.32/30", "region": "ap-southeast-2", "service": "AMAZON_APPFLOW", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.109.216/30", "region": "ap-southeast-2", "service": "AMAZON_APPFLOW", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.127.24/29", "region": "ap-southeast-2", "service": "CODEBUILD", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.137.0/24", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.138.0/23", "region": "ap-southeast-2", "service": "API_GATEWAY", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.140.64/26", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.246.0/23", "region": "ap-southeast-2", "service": "API_GATEWAY", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.248.0/22", "region": "ap-southeast-2", "service": "API_GATEWAY", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.58.224/27", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.81.0/27", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": 
"3.26.81.32/27", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.82.236/30", "region": "ap-southeast-2", "service": "EBS", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.82.240/29", "region": "ap-southeast-2", "service": "EBS", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.83.0/24", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.84.0/23", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.86.0/23", "region": "ap-southeast-2", "service": "ROUTE53_RESOLVER", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.88.0/28", "region": "ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "3.26.88.16/28", "region": "ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.153.254.0/24", "region": "ap-southeast-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.252.254.192/26", "region": "ap-southeast-2", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "54.252.79.128/26", "region": "ap-southeast-2", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-southeast-2" }, { "ip_prefix": "108.136.151.0/24", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.136.154.16/28", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.136.154.32/28", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.136.154.48/28", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.136.221.0/26", "region": "ap-southeast-3", 
"service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.137.114.0/28", "region": "ap-southeast-3", "service": "CODEBUILD", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.137.58.0/26", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.137.58.128/26", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.137.58.192/26", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "108.137.58.64/26", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ip_prefix": "15.222.16.32/27", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.222.16.8/29", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.222.16.96/27", "region": "ca-central-1", "service": "CLOUD9", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.222.43.0/27", "region": "ca-central-1", "service": "CLOUD9", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.222.43.128/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.222.43.32/27", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.222.43.64/26", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.223.100.0/24", "region": "ca-central-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.223.102.0/23", "region": "ca-central-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ca-central-1" }, { "ip_prefix": "15.223.52.0/23", "region": "ca-central-1", "service": "API_GATEWAY", "network_border_group": "ca-central-1" }, { 
"ip_prefix": "3.96.143.128/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.96.143.192/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.96.2.68/30", "region": "ca-central-1", "service": "AMAZON_APPFLOW", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.96.2.72/30", "region": "ca-central-1", "service": "AMAZON_APPFLOW", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.96.84.0/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.192.112/29", "region": "ca-central-1", "service": "EBS", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.192.128/25", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.20.0/22", "region": "ca-central-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.217.0/24", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.218.0/24", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.219.0/24", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.230.0/25", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.49.128/25", "region": "ca-central-1", "service": "API_GATEWAY", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.99.128/27", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.99.160/27", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.99.64/28", "region": "ca-central-1", "service": 
"ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.97.99.96/27", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.98.171.196/30", "region": "ca-central-1", "service": "AMAZON_APPFLOW", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.98.171.224/29", "region": "ca-central-1", "service": "CODEBUILD", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.98.171.92/30", "region": "ca-central-1", "service": "EBS", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.98.24.0/28", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.98.24.16/28", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.98.86.0/23", "region": "ca-central-1", "service": "API_GATEWAY", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.99.124.0/26", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.99.194.0/23", "region": "ca-central-1", "service": "API_GATEWAY", "network_border_group": "ca-central-1" }, { "ip_prefix": "3.99.196.0/22", "region": "ca-central-1", "service": "API_GATEWAY", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.182.14.208/29", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.182.14.216/29", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.182.14.48/29", "region": "ca-central-1", "service": "CODEBUILD", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.183.255.0/24", "region": "ca-central-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.183.38.0/27", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.183.38.32/29", 
"region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.183.38.40/29", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.183.38.48/29", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.183.38.56/29", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "35.183.38.64/29", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "99.79.126.0/24", "region": "ca-central-1", "service": "API_GATEWAY", "network_border_group": "ca-central-1" }, { "ip_prefix": "99.79.169.0/24", "region": "ca-central-1", "service": "CLOUDFRONT", "network_border_group": "ca-central-1" }, { "ip_prefix": "99.79.20.192/27", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "99.79.20.224/27", "region": "ca-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "ca-central-1" }, { "ip_prefix": "99.79.34.0/23", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ip_prefix": "18.156.52.0/24", "region": "eu-central-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.156.54.0/23", "region": "eu-central-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.157.237.128/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.157.237.192/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.157.71.192/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.184.138.224/27", "region": "eu-central-1", "service": "CLOUD9", 
"network_border_group": "eu-central-1" }, { "ip_prefix": "18.184.2.128/25", "region": "eu-central-1", "service": "AMAZON_CONNECT", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.184.203.128/27", "region": "eu-central-1", "service": "CLOUD9", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.192.142.0/23", "region": "eu-central-1", "service": "CLOUDFRONT", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.192.216.0/22", "region": "eu-central-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.196.161.0/27", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.196.161.184/29", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.196.161.192/29", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.196.161.200/29", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.196.161.32/27", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.196.161.80/29", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "18.196.161.88/29", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.120.181.224/27", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.122.128.0/23", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.123.12.192/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.123.14.0/24", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": 
"eu-central-1" }, { "ip_prefix": "3.123.15.0/25", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.123.44.0/27", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.123.44.128/27", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.123.44.160/27", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.123.44.80/28", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.123.44.96/27", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.127.48.128/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.127.48.244/30", "region": "eu-central-1", "service": "AMAZON_APPFLOW", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.127.48.248/30", "region": "eu-central-1", "service": "AMAZON_APPFLOW", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.127.74.0/23", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.64.1.0/26", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.64.1.128/26", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.64.1.192/29", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.64.1.200/29", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.64.1.64/26", "region": "eu-central-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-central-1" }, { "ip_prefix": 
"3.64.226.232/29", "region": "eu-central-1", "service": "EBS", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.64.226.240/30", "region": "eu-central-1", "service": "EBS", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.65.246.0/28", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.65.246.16/28", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.66.172.0/24", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.68.251.176/30", "region": "eu-central-1", "service": "AMAZON_APPFLOW", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.68.251.232/29", "region": "eu-central-1", "service": "CODEBUILD", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.70.195.128/25", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.70.195.64/26", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.70.211.0/25", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.70.212.128/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.71.104.0/24", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.71.120.0/22", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.72.168.0/24", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.72.33.128/25", "region": "eu-central-1", "service": "API_GATEWAY", "network_border_group": "eu-central-1" }, { "ip_prefix": "3.74.148.128/26", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ip_prefix": 
"35.157.127.248/29", "region": "eu-central-1", "service": "CODEBUILD", "network_border_group": "eu-central-1" }, { "ip_prefix": "35.158.127.64/26", "region": "eu-central-1", "service": "AMAZON_CONNECT", "network_border_group": "eu-central-1" }, { "ip_prefix": "35.158.136.0/24", "region": "eu-central-1", "service": "CLOUDFRONT", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.57.254.0/24", "region": "eu-central-1", "service": "CLOUDFRONT", "network_border_group": "eu-central-1" }, { "ip_prefix": "52.59.127.0/24", "region": "eu-central-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-central-1" }, { "ip_prefix": "13.48.186.128/27", "region": "eu-north-1", "service": "CLOUD9", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.186.160/27", "region": "eu-north-1", "service": "CLOUD9", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.186.192/27", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.32.0/24", "region": "eu-north-1", "service": "CLOUDFRONT", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.4.128/28", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.4.144/28", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.4.160/28", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.4.192/29", "region": "eu-north-1", "service": "CODEBUILD", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.4.208/29", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.4.216/29", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.48.4.224/29", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" 
}, { "ip_prefix": "13.48.74.0/24", "region": "eu-north-1", "service": "API_GATEWAY", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.49.126.128/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.49.143.0/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.49.143.64/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.49.253.224/27", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.49.40.64/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.49.42.0/23", "region": "eu-north-1", "service": "API_GATEWAY", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.50.12.192/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.120.0/24", "region": "eu-north-1", "service": "API_GATEWAY", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.253.80/29", "region": "eu-north-1", "service": "CODEBUILD", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.29.0/27", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.29.32/27", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.71.152/29", "region": "eu-north-1", "service": "EBS", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.71.160/30", "region": "eu-north-1", "service": "EBS", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.71.176/28", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.71.192/28", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.95.0/24", "region": "eu-north-1", "service": 
"ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.96.0/24", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.51.97.0/24", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.53.180.0/23", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.53.63.128/27", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.53.63.160/27", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "13.53.63.192/27", "region": "eu-north-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-north-1" }, { "ip_prefix": "16.16.2.0/23", "region": "eu-north-1", "service": "API_GATEWAY", "network_border_group": "eu-north-1" }, { "ip_prefix": "16.170.199.0/26", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ip_prefix": "16.171.48.0/22", "region": "eu-north-1", "service": "API_GATEWAY", "network_border_group": "eu-north-1" }, { "ip_prefix": "15.160.55.112/29", "region": "eu-south-1", "service": "CODEBUILD", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.160.90.64/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.135.0/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.135.164/30", "region": "eu-south-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.135.64/27", "region": "eu-south-1", "service": "CLOUD9", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.135.96/27", "region": "eu-south-1", "service": "CLOUD9", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.136.0/24", "region": "eu-south-1", "service": "AMAZON", 
"network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.140.0/23", "region": "eu-south-1", "service": "API_GATEWAY", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.164.128/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.192.0/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.192.240/28", "region": "eu-south-1", "service": "CODEBUILD", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.192.64/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.247.128/27", "region": "eu-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.247.64/27", "region": "eu-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.247.96/27", "region": "eu-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.66.0/26", "region": "eu-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.66.128/26", "region": "eu-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.66.64/26", "region": "eu-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.68.128/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "15.161.68.192/26", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ip_prefix": "18.102.2.0/23", "region": "eu-south-1", "service": "API_GATEWAY", "network_border_group": "eu-south-1" }, { "ip_prefix": "35.152.74.128/29", "region": "eu-south-1", "service": "EBS", "network_border_group": "eu-south-1" }, { "ip_prefix": "35.152.74.136/30", "region": "eu-south-1", "service": "EBS", 
"network_border_group": "eu-south-1" }, { "ip_prefix": "35.152.74.144/28", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ip_prefix": "35.152.74.160/28", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ip_prefix": "35.152.86.0/24", "region": "eu-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-south-1" }, { "ip_prefix": "35.152.87.0/24", "region": "eu-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-south-1" }, { "ip_prefix": "35.152.88.0/24", "region": "eu-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-south-1" }, { "ip_prefix": "18.100.74.0/23", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ip_prefix": "108.128.160.0/23", "region": "eu-west-1", "service": "API_GATEWAY", "network_border_group": "eu-west-1" }, { "ip_prefix": "108.128.162.0/24", "region": "eu-west-1", "service": "API_GATEWAY", "network_border_group": "eu-west-1" }, { "ip_prefix": "176.34.159.192/26", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "eu-west-1" }, { "ip_prefix": "18.200.212.0/23", "region": "eu-west-1", "service": "CLOUDFRONT", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.176.0/22", "region": "eu-west-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.180.128/25", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.180.40/29", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.180.64/26", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.186.0/27", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.186.128/25", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", 
"network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.186.32/27", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.186.64/29", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.186.92/30", "region": "eu-west-1", "service": "AMAZON_APPFLOW", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.216.32/27", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.244.0/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.244.240/30", "region": "eu-west-1", "service": "AMAZON_APPFLOW", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.245.0/24", "region": "eu-west-1", "service": "API_GATEWAY", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.248.246.0/23", "region": "eu-west-1", "service": "API_GATEWAY", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.249.28.0/23", "region": "eu-west-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.250.209.192/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.250.210.0/23", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.250.243.64/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.250.244.0/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.104.0/26", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.104.128/25", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.105.0/25", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": 
"eu-west-1" }, { "ip_prefix": "3.251.105.128/25", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.106.128/25", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.109.92/30", "region": "eu-west-1", "service": "EBS", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.110.208/28", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.110.224/28", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.144.0/29", "region": "eu-west-1", "service": "EBS", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.148.120/29", "region": "eu-west-1", "service": "CODEBUILD", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.152.44/30", "region": "eu-west-1", "service": "AMAZON_APPFLOW", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.215.192/26", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.216.0/23", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.56.0/24", "region": "eu-west-1", "service": "API_GATEWAY", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.62.128/25", "region": "eu-west-1", "service": "API_GATEWAY", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.94.0/24", "region": "eu-west-1", "service": "API_GATEWAY", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.95.128/27", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "3.251.95.96/27", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.242.153.128/26", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.242.153.224/28", "region": "eu-west-1", 
"service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.242.153.240/28", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.245.205.0/27", "region": "eu-west-1", "service": "CLOUD9", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.245.205.128/28", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.245.205.160/27", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.245.205.64/27", "region": "eu-west-1", "service": "CLOUD9", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.245.205.96/27", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.245.82.0/28", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.245.82.16/28", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.245.82.32/28", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.245.82.48/28", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "34.250.63.248/29", "region": "eu-west-1", "service": "CODEBUILD", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.19.124.0/23", "region": "eu-west-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.212.248.0/26", "region": "eu-west-1", "service": "CLOUDFRONT", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.215.218.112/28", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "52.215.218.64/28", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "54.228.16.0/26", "region": 
"eu-west-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "eu-west-1" }, { "ip_prefix": "63.34.60.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.80.34.128/25", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.80.34.48/28", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.80.34.64/26", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.80.88.0/26", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "99.80.88.64/26", "region": "eu-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-1" }, { "ip_prefix": "13.40.1.192/26", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.40.202.0/23", "region": "eu-west-2", "service": "API_GATEWAY", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.40.204.0/22", "region": "eu-west-2", "service": "API_GATEWAY", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.41.1.160/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.130.91.144/30", "region": "eu-west-2", "service": "AMAZON_APPFLOW", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.130.91.148/30", "region": "eu-west-2", "service": "AMAZON_APPFLOW", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.132.146.192/26", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.132.21.0/24", "region": "eu-west-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.132.22.0/23", "region": "eu-west-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.133.45.0/26", "region": "eu-west-2", "service": 
"AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.133.45.64/26", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.134.255.160/27", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.134.255.192/27", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.134.255.224/27", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.134.68.0/22", "region": "eu-west-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.135.226.192/26", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.133.0/24", "region": "eu-west-2", "service": "API_GATEWAY", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.33.0/24", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.34.0/23", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.36.0/24", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.37.0/27", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.37.136/29", "region": "eu-west-2", "service": "EBS", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.37.144/30", "region": "eu-west-2", "service": "EBS", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.37.160/28", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.37.176/28", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.37.32/28", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", 
"network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.37.48/30", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.168.37.64/26", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.169.230.136/30", "region": "eu-west-2", "service": "AMAZON_APPFLOW", "network_border_group": "eu-west-2" }, { "ip_prefix": "18.169.230.200/29", "region": "eu-west-2", "service": "CODEBUILD", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.10.127.32/27", "region": "eu-west-2", "service": "CLOUD9", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.10.17.0/25", "region": "eu-west-2", "service": "API_GATEWAY", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.10.17.128/25", "region": "eu-west-2", "service": "CLOUDFRONT", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.10.201.128/27", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.10.201.192/26", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.10.201.64/27", "region": "eu-west-2", "service": "CLOUD9", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.11.53.0/24", "region": "eu-west-2", "service": "CLOUDFRONT", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.8.168.0/23", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.8.37.96/27", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.9.159.64/30", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.9.159.68/30", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.9.159.72/30", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": 
"3.9.41.0/27", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.9.41.32/27", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.9.41.64/27", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "3.9.94.0/24", "region": "eu-west-2", "service": "API_GATEWAY", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.176.32.0/24", "region": "eu-west-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.176.92.32/29", "region": "eu-west-2", "service": "CODEBUILD", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.177.154.128/28", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.177.154.144/28", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.177.154.160/28", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.177.154.176/29", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.177.154.184/29", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.177.154.192/29", "region": "eu-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-2" }, { "ip_prefix": "35.179.42.0/23", "region": "eu-west-2", "service": "API_GATEWAY", "network_border_group": "eu-west-2" }, { "ip_prefix": "52.56.127.0/25", "region": "eu-west-2", "service": "CLOUDFRONT", "network_border_group": "eu-west-2" }, { "ip_prefix": "13.36.155.0/24", "region": "eu-west-3", "service": "API_GATEWAY", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.18.0/28", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": 
"13.36.18.32/27", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.18.64/27", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.76.0/24", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.77.0/24", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.78.0/24", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.84.112/29", "region": "eu-west-3", "service": "CODEBUILD", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.84.24/29", "region": "eu-west-3", "service": "EBS", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.84.32/30", "region": "eu-west-3", "service": "EBS", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.84.44/30", "region": "eu-west-3", "service": "AMAZON_APPFLOW", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.84.48/28", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.36.84.64/28", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.37.1.64/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.38.132.0/22", "region": "eu-west-3", "service": "API_GATEWAY", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.38.140.0/23", "region": "eu-west-3", "service": "API_GATEWAY", "network_border_group": "eu-west-3" }, { "ip_prefix": "13.38.202.64/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.188.102.0/27", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.188.184.0/24", "region": "eu-west-3", "service": "CLOUDFRONT", 
"network_border_group": "eu-west-3" }, { "ip_prefix": "15.188.210.0/27", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.188.210.128/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.188.210.196/30", "region": "eu-west-3", "service": "AMAZON_APPFLOW", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.188.210.200/30", "region": "eu-west-3", "service": "AMAZON_APPFLOW", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.188.210.32/27", "region": "eu-west-3", "service": "CLOUD9", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.188.210.64/27", "region": "eu-west-3", "service": "CLOUD9", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.236.155.192/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.236.231.0/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.236.231.64/26", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "15.236.80.0/23", "region": "eu-west-3", "service": "API_GATEWAY", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.180.1.16/29", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.180.1.24/29", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.180.1.32/29", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.180.1.40/29", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.180.1.48/29", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.180.1.56/29", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { 
"ip_prefix": "35.180.1.8/29", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.180.112.128/27", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.180.112.160/27", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.180.244.0/23", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ip_prefix": "35.181.128.0/24", "region": "eu-west-3", "service": "API_GATEWAY", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.47.139.0/24", "region": "eu-west-3", "service": "CLOUDFRONT", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.47.73.160/27", "region": "eu-west-3", "service": "ROUTE53_RESOLVER", "network_border_group": "eu-west-3" }, { "ip_prefix": "52.47.73.72/29", "region": "eu-west-3", "service": "CODEBUILD", "network_border_group": "eu-west-3" }, { "ip_prefix": "3.28.70.112/28", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ip_prefix": "3.28.70.48/28", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ip_prefix": "3.28.70.96/28", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ip_prefix": "3.28.72.0/23", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ip_prefix": "15.184.1.128/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.1.64/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.125.0/26", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.125.128/26", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.125.224/29", 
"region": "me-south-1", "service": "EBS", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.125.232/30", "region": "me-south-1", "service": "EBS", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.125.240/28", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.125.64/26", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.153.0/28", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.184.96/29", "region": "me-south-1", "service": "CODEBUILD", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.70.200/29", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "15.184.70.224/29", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.141.160/27", "region": "me-south-1", "service": "CLOUD9", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.141.192/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.144.0/23", "region": "me-south-1", "service": "API_GATEWAY", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.245.0/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.251.0/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.33.192/26", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.33.32/27", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.33.64/27", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.33.96/27", "region": "me-south-1", "service": 
"ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.86.0/23", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ip_prefix": "15.185.91.32/27", "region": "me-south-1", "service": "CLOUD9", "network_border_group": "me-south-1" }, { "ip_prefix": "157.175.102.128/27", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "157.175.102.160/27", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "157.175.102.96/27", "region": "me-south-1", "service": "ROUTE53_RESOLVER", "network_border_group": "me-south-1" }, { "ip_prefix": "157.175.140.0/23", "region": "me-south-1", "service": "API_GATEWAY", "network_border_group": "me-south-1" }, { "ip_prefix": "157.175.255.0/24", "region": "me-south-1", "service": "API_GATEWAY", "network_border_group": "me-south-1" }, { "ip_prefix": "157.241.2.0/23", "region": "me-south-1", "service": "API_GATEWAY", "network_border_group": "me-south-1" }, { "ip_prefix": "157.241.25.0/24", "region": "me-south-1", "service": "API_GATEWAY", "network_border_group": "me-south-1" }, { "ip_prefix": "15.228.1.128/26", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.1.192/26", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.1.64/26", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.103.240/29", "region": "sa-east-1", "service": "EBS", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.104.0/24", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.105.0/24", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.106.0/24", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", 
"network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.107.0/28", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.107.16/28", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.126.200/29", "region": "sa-east-1", "service": "CODEBUILD", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.126.48/30", "region": "sa-east-1", "service": "EBS", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.126.72/30", "region": "sa-east-1", "service": "AMAZON_APPFLOW", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.129.0/24", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.144.0/24", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.150.128/26", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.151.0/24", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.64.0/22", "region": "sa-east-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.72.64/26", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.92.192/28", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.92.208/28", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.92.224/27", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.228.97.0/24", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { "ip_prefix": "15.229.36.0/23", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { 
"ip_prefix": "15.229.40.0/23", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { "ip_prefix": "177.71.207.128/26", "region": "sa-east-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.228.1.0/29", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.228.1.16/29", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.228.1.8/29", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.228.246.0/23", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.100.0/26", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.100.112/30", "region": "sa-east-1", "service": "AMAZON_APPFLOW", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.100.116/30", "region": "sa-east-1", "service": "AMAZON_APPFLOW", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.100.128/27", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.100.160/27", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.100.192/26", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.220.128/26", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.220.192/26", "region": "sa-east-1", "service": "CLOUDFRONT", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.37.0/27", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.37.32/27", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" 
}, { "ip_prefix": "18.229.70.96/27", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.229.99.0/24", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.230.103.0/24", "region": "sa-east-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.230.104.0/23", "region": "sa-east-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.230.46.0/27", "region": "sa-east-1", "service": "CLOUD9", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.230.46.128/26", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.230.46.32/27", "region": "sa-east-1", "service": "CLOUD9", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.230.54.0/23", "region": "sa-east-1", "service": "API_GATEWAY", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.231.105.0/28", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.231.105.128/27", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.231.105.160/29", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.231.105.168/29", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.231.105.176/29", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.231.105.184/29", "region": "sa-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "sa-east-1" }, { "ip_prefix": "18.231.194.8/29", "region": "sa-east-1", "service": "CODEBUILD", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.232.40.64/26", "region": "sa-east-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": 
"sa-east-1" }, { "ip_prefix": "54.233.204.0/24", "region": "sa-east-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "sa-east-1" }, { "ip_prefix": "54.233.255.128/26", "region": "sa-east-1", "service": "CLOUDFRONT", "network_border_group": "sa-east-1" }, { "ip_prefix": "107.23.255.0/26", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-east-1" }, { "ip_prefix": "18.206.107.160/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.209.113.240/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.209.113.64/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.213.156.96/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.232.1.128/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.232.1.192/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.232.1.32/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.232.1.36/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.232.1.40/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.232.1.44/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.232.1.48/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "18.232.1.64/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.208.72.176/28", "region": "us-east-1", "service": 
"ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.202.48/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.83.0/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.83.144/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.83.160/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.83.192/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.83.32/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.83.64/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.83.96/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.84.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.84.128/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.85.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.85.128/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.85.160/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.85.192/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.87.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.209.87.128/25", "region": 
"us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.216.135.0/24", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "3.216.136.0/21", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "3.216.144.0/23", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "3.216.148.0/22", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "3.216.99.160/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.217.228.0/22", "region": "us-east-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-east-1" }, { "ip_prefix": "3.218.180.0/25", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "3.218.180.128/25", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "3.218.181.0/25", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "3.218.181.128/25", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "3.218.182.0/25", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "3.218.182.128/25", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "3.218.183.0/25", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "3.218.183.128/25", "region": "us-east-1", "service": "DYNAMODB", "network_border_group": "us-east-1" }, { "ip_prefix": "3.227.250.128/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.227.4.0/22", "region": "us-east-1", "service": "WORKSPACES_GATEWAYS", 
"network_border_group": "us-east-1" }, { "ip_prefix": "3.228.170.0/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.170.128/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.170.64/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.171.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.171.128/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.172.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.172.128/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.173.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.173.128/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.173.192/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.181.0/24", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.0/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.10/32", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.100/32", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.46/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.48/28", "region": 
"us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.5/32", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.6/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.64/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.8/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.228.182.96/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.231.2.0/25", "region": "us-east-1", "service": "CLOUDFRONT", "network_border_group": "us-east-1" }, { "ip_prefix": "3.234.232.224/27", "region": "us-east-1", "service": "CLOUDFRONT", "network_border_group": "us-east-1" }, { "ip_prefix": "3.234.248.192/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.235.112.0/21", "region": "us-east-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-east-1" }, { "ip_prefix": "3.235.189.100/30", "region": "us-east-1", "service": "AMAZON_APPFLOW", "network_border_group": "us-east-1" }, { "ip_prefix": "3.235.189.96/30", "region": "us-east-1", "service": "AMAZON_APPFLOW", "network_border_group": "us-east-1" }, { "ip_prefix": "3.235.202.128/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.235.26.0/23", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "3.235.32.0/21", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "3.236.169.0/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.236.169.192/26", "region": "us-east-1", "service": 
"CLOUDFRONT", "network_border_group": "us-east-1" }, { "ip_prefix": "3.236.32.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.236.48.0/23", "region": "us-east-1", "service": "CLOUDFRONT", "network_border_group": "us-east-1" }, { "ip_prefix": "3.236.94.128/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.237.107.0/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.166.0/24", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.167.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.100/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.104/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.112/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.120/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.128/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.160/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.168/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.197/32", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.198/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.200/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", 
"network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.208/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.178.224/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.207.0/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.207.128/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.208.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.208.128/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.209.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.209.128/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.210.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.212.0/22", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "3.238.216.128/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.0/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.12/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.128/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.136/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.46/31", "region": "us-east-1", 
"service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.48/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.5/32", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.6/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.64/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.152.8/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.153.0/24", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.154.0/24", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.155.0/24", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.156.0/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.156.10/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.156.100/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.156.104/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.156.112/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.188/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.19/32", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": 
"3.239.157.192/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.2/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.20/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.24/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.32/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.4/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.64/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.8/31", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.157.96/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "3.239.232.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.83.168.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "3.91.171.128/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "34.195.252.0/24", "region": "us-east-1", "service": "CLOUDFRONT", "network_border_group": "us-east-1" }, { "ip_prefix": "34.226.106.180/32", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "34.226.14.0/24", "region": "us-east-1", "service": "CLOUDFRONT", "network_border_group": "us-east-1" }, { "ip_prefix": "34.228.4.208/28", "region": "us-east-1", "service": "CODEBUILD", "network_border_group": "us-east-1" }, { "ip_prefix": "34.231.114.205/32", 
"region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "34.231.213.21/32", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "34.236.241.44/30", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "34.238.188.0/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.168.231.216/29", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.170.83.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.170.83.144/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.170.83.160/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.170.83.176/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.170.83.192/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.171.100.0/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.171.100.128/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.171.100.208/28", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.171.100.224/27", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.171.100.64/26", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "35.172.155.192/27", "region": "us-east-1", "service": "CLOUD9", "network_border_group": 
"us-east-1" }, { "ip_prefix": "35.172.155.96/27", "region": "us-east-1", "service": "CLOUD9", "network_border_group": "us-east-1" }, { "ip_prefix": "44.192.134.240/28", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ip_prefix": "44.192.135.0/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "44.192.135.128/25", "region": "us-east-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-1" }, { "ip_prefix": "44.192.140.112/28", "region": "us-east-1", "service": "EBS", "network_border_group": "us-east-1" }, { "ip_prefix": "44.192.140.128/29", "region": "us-east-1", "service": "EBS", "network_border_group": "us-east-1" }, { "ip_prefix": "44.192.140.64/28", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ip_prefix": "44.192.245.160/28", "region": "us-east-1", "service": "CODEBUILD", "network_border_group": "us-east-1" }, { "ip_prefix": "44.192.255.128/28", "region": "us-east-1", "service": "CODEBUILD", "network_border_group": "us-east-1" }, { "ip_prefix": "44.194.111.224/30", "region": "us-east-1", "service": "AMAZON_APPFLOW", "network_border_group": "us-east-1" }, { "ip_prefix": "44.199.180.0/23", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "44.199.222.128/26", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "44.202.79.128/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ip_prefix": "44.206.4.0/22", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "44.209.84.0/22", "region": "us-east-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-east-1" }, { "ip_prefix": "44.210.64.0/22", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1" }, { "ip_prefix": "52.23.61.0/24", "region": "us-east-1", 
"service": "WORKSPACES_GATEWAYS", "network_border_group": "us-east-1" }, { "ip_prefix": "52.23.62.0/24", "region": "us-east-1", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-east-1" }, { "ip_prefix": "52.55.191.224/27", "region": "us-east-1", "service": "AMAZON_CONNECT", "network_border_group": "us-east-1" }, { "ip_prefix": "54.243.31.192/26", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-east-1" }, { "ip_prefix": "13.59.250.0/26", "region": "us-east-2", "service": "CLOUDFRONT", "network_border_group": "us-east-2" }, { "ip_prefix": "18.117.239.68/30", "region": "us-east-2", "service": "AMAZON_APPFLOW", "network_border_group": "us-east-2" }, { "ip_prefix": "18.188.9.0/27", "region": "us-east-2", "service": "CLOUD9", "network_border_group": "us-east-2" }, { "ip_prefix": "18.188.9.32/27", "region": "us-east-2", "service": "CLOUD9", "network_border_group": "us-east-2" }, { "ip_prefix": "18.188.9.64/29", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "18.188.9.80/29", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "18.188.9.88/29", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "18.216.170.128/25", "region": "us-east-2", "service": "CLOUDFRONT", "network_border_group": "us-east-2" }, { "ip_prefix": "18.217.41.192/29", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "18.217.41.200/29", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "18.217.41.208/29", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "18.217.41.216/29", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "18.217.41.64/26", "region": 
"us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "3.12.216.0/22", "region": "us-east-2", "service": "API_GATEWAY", "network_border_group": "us-east-2" }, { "ip_prefix": "3.12.23.128/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.12.23.88/30", "region": "us-east-2", "service": "AMAZON_APPFLOW", "network_border_group": "us-east-2" }, { "ip_prefix": "3.12.23.92/30", "region": "us-east-2", "service": "AMAZON_APPFLOW", "network_border_group": "us-east-2" }, { "ip_prefix": "3.128.56.128/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.128.56.192/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.128.56.64/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.128.93.0/24", "region": "us-east-2", "service": "CLOUDFRONT", "network_border_group": "us-east-2" }, { "ip_prefix": "3.134.215.0/24", "region": "us-east-2", "service": "CLOUDFRONT", "network_border_group": "us-east-2" }, { "ip_prefix": "3.139.136.128/27", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "3.139.136.184/30", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "3.139.136.192/26", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "3.140.136.128/27", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "3.141.102.184/29", "region": "us-east-2", "service": "EBS", "network_border_group": "us-east-2" }, { "ip_prefix": "3.141.102.192/30", "region": "us-east-2", "service": "EBS", "network_border_group": "us-east-2" }, { "ip_prefix": "3.141.102.208/28", "region": "us-east-2", "service": "S3", "network_border_group": 
"us-east-2" }, { "ip_prefix": "3.141.102.224/28", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ip_prefix": "3.143.206.104/29", "region": "us-east-2", "service": "CODEBUILD", "network_border_group": "us-east-2" }, { "ip_prefix": "3.144.141.192/26", "region": "us-east-2", "service": "API_GATEWAY", "network_border_group": "us-east-2" }, { "ip_prefix": "3.145.220.0/22", "region": "us-east-2", "service": "API_GATEWAY", "network_border_group": "us-east-2" }, { "ip_prefix": "3.145.230.0/24", "region": "us-east-2", "service": "API_GATEWAY", "network_border_group": "us-east-2" }, { "ip_prefix": "3.145.232.192/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.145.31.0/26", "region": "us-east-2", "service": "API_GATEWAY", "network_border_group": "us-east-2" }, { "ip_prefix": "3.145.31.128/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.15.35.0/24", "region": "us-east-2", "service": "API_GATEWAY", "network_border_group": "us-east-2" }, { "ip_prefix": "3.15.36.0/26", "region": "us-east-2", "service": "API_GATEWAY", "network_border_group": "us-east-2" }, { "ip_prefix": "3.15.36.64/26", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.17.136.0/23", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ip_prefix": "3.18.132.0/26", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "3.18.132.64/26", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "3.19.147.0/25", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "3.19.147.128/25", "region": "us-east-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-east-2" }, { "ip_prefix": "3.21.86.0/23", "region": "us-east-2", 
"service": "API_GATEWAY", "network_border_group": "us-east-2" }, { "ip_prefix": "52.15.127.128/26", "region": "us-east-2", "service": "CLOUDFRONT", "network_border_group": "us-east-2" }, { "ip_prefix": "52.15.247.208/29", "region": "us-east-2", "service": "CODEBUILD", "network_border_group": "us-east-2" }, { "ip_prefix": "13.52.1.0/28", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.1.16/28", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.1.32/29", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.110.192/26", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.118.0/23", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.146.128/28", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.146.192/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.200.160/27", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.201.0/24", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.202.0/24", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.232.224/27", "region": "us-west-1", "service": "CLOUD9", "network_border_group": "us-west-1" }, { "ip_prefix": "13.52.32.96/27", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.56.112.168/29", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.56.32.200/29", "region": "us-west-1", "service": "CODEBUILD", 
"network_border_group": "us-west-1" }, { "ip_prefix": "13.57.180.176/29", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.57.180.184/29", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.57.180.208/29", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.57.180.216/29", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "13.57.180.64/26", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "18.144.158.0/27", "region": "us-west-1", "service": "CLOUD9", "network_border_group": "us-west-1" }, { "ip_prefix": "18.144.158.64/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "18.144.184.0/23", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "18.144.76.128/25", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "18.144.76.32/29", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.100.128/25", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.114.0/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.114.64/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.145.192/27", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.145.224/27", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.156.0/26", "region": "us-west-1", "service": "ROUTE53_RESOLVER", 
"network_border_group": "us-west-1" }, { "ip_prefix": "3.101.157.128/25", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.158.0/23", "region": "us-west-1", "service": "CLOUDFRONT", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.160.240/29", "region": "us-west-1", "service": "EBS", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.160.44/30", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.160.48/28", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.161.0/25", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.161.128/25", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.162.0/24", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.163.0/26", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.163.64/28", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.163.80/28", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.163.96/28", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.164.0/24", "region": "us-west-1", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.176.0/24", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.177.20/30", "region": "us-west-1", "service": "AMAZON_APPFLOW", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.177.48/29", "region": "us-west-1", "service": "CODEBUILD", "network_border_group": "us-west-1" }, { 
"ip_prefix": "3.101.194.128/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.200.0/24", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.201.128/25", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.202.0/23", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.208.0/24", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.209.0/26", "region": "us-west-1", "service": "API_GATEWAY", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.52.208/30", "region": "us-west-1", "service": "AMAZON_APPFLOW", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.52.212/30", "region": "us-west-1", "service": "AMAZON_APPFLOW", "network_border_group": "us-west-1" }, { "ip_prefix": "3.101.87.0/26", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ip_prefix": "52.52.191.128/26", "region": "us-west-1", "service": "CLOUDFRONT", "network_border_group": "us-west-1" }, { "ip_prefix": "54.183.255.128/26", "region": "us-west-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-west-1" }, { "ip_prefix": "54.241.32.64/26", "region": "us-west-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-west-1" }, { "ip_prefix": "18.236.61.0/25", "region": "us-west-2", "service": "AMAZON_CONNECT", "network_border_group": "us-west-2" }, { "ip_prefix": "34.216.226.136/29", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.216.226.144/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.216.226.192/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": 
"34.216.226.208/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.216.226.224/29", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.216.226.232/29", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.216.226.240/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.216.51.0/25", "region": "us-west-2", "service": "CLOUDFRONT", "network_border_group": "us-west-2" }, { "ip_prefix": "34.217.141.0/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.217.141.16/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.217.141.224/27", "region": "us-west-2", "service": "CLOUD9", "network_border_group": "us-west-2" }, { "ip_prefix": "34.217.141.32/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.218.119.112/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.218.119.128/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.218.119.144/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.218.119.32/27", "region": "us-west-2", "service": "CLOUD9", "network_border_group": "us-west-2" }, { "ip_prefix": "34.218.119.80/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.218.119.96/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.218.216.160/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": 
"us-west-2" }, { "ip_prefix": "34.218.216.176/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.218.216.208/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.218.216.240/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.221.183.224/27", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.221.183.32/27", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.222.66.64/27", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.112.0/26", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.112.128/25", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.112.64/27", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.12.224/27", "region": "us-west-2", "service": "CLOUDFRONT", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.21.192/26", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.22.176/29", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.24.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.37.224/27", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.45.0/25", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.45.128/25", "region": "us-west-2", "service": "ROUTE53_RESOLVER", 
"network_border_group": "us-west-2" }, { "ip_prefix": "34.223.46.0/25", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.46.128/25", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.47.0/27", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.47.128/25", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.49.128/25", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.51.0/26", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.64.224/27", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.68.0/22", "region": "us-west-2", "service": "API_GATEWAY", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.72.0/23", "region": "us-west-2", "service": "API_GATEWAY", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.74.0/25", "region": "us-west-2", "service": "API_GATEWAY", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.80.192/26", "region": "us-west-2", "service": "CLOUDFRONT", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.92.0/25", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.95.176/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "34.223.96.0/22", "region": "us-west-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-west-2" }, { "ip_prefix": "35.162.63.192/26", "region": "us-west-2", "service": "CLOUDFRONT", "network_border_group": "us-west-2" }, { "ip_prefix": "35.167.191.128/26", "region": "us-west-2", "service": 
"CLOUDFRONT", "network_border_group": "us-west-2" }, { "ip_prefix": "35.80.35.0/24", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "35.80.36.192/28", "region": "us-west-2", "service": "EBS", "network_border_group": "us-west-2" }, { "ip_prefix": "35.80.36.208/28", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ip_prefix": "35.80.36.224/28", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ip_prefix": "35.80.88.0/22", "region": "us-west-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-west-2" }, { "ip_prefix": "35.80.92.0/22", "region": "us-west-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-west-2" }, { "ip_prefix": "35.82.136.192/29", "region": "us-west-2", "service": "CODEBUILD", "network_border_group": "us-west-2" }, { "ip_prefix": "35.83.248.40/29", "region": "us-west-2", "service": "CODEBUILD", "network_border_group": "us-west-2" }, { "ip_prefix": "35.84.36.0/30", "region": "us-west-2", "service": "AMAZON_APPFLOW", "network_border_group": "us-west-2" }, { "ip_prefix": "35.86.187.128/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "35.86.66.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "35.89.72.0/25", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "35.90.103.192/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "35.90.132.0/23", "region": "us-west-2", "service": "API_GATEWAY", "network_border_group": "us-west-2" }, { "ip_prefix": "35.92.124.192/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "35.92.26.0/24", "region": "us-west-2", "service": "API_GATEWAY", "network_border_group": "us-west-2" }, { "ip_prefix": "44.227.178.0/24", 
"region": "us-west-2", "service": "CLOUDFRONT", "network_border_group": "us-west-2" }, { "ip_prefix": "44.233.54.0/23", "region": "us-west-2", "service": "API_GATEWAY", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.106.0/23", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.108.128/25", "region": "us-west-2", "service": "CLOUDFRONT", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.113.64/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.123.128/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.123.64/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.22.128/26", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.28.0/22", "region": "us-west-2", "service": "API_GATEWAY", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.54.0/23", "region": "us-west-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.73.116/30", "region": "us-west-2", "service": "AMAZON_APPFLOW", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.73.120/30", "region": "us-west-2", "service": "AMAZON_APPFLOW", "network_border_group": "us-west-2" }, { "ip_prefix": "44.234.90.252/30", "region": "us-west-2", "service": "CLOUDFRONT", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.143.180/31", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.143.224/30", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.143.242/31", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.143.244/30", "region": 
"us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.143.248/31", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.143.250/31", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.143.252/30", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.161.0/30", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.161.10/31", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.161.12/30", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.161.16/31", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.161.20/30", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.161.4/31", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.161.6/31", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.161.8/31", "region": "us-west-2", "service": "KINESIS_VIDEO_STREAMS", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.176.192/26", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.177.0/26", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.177.128/27", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.177.64/26", "region": "us-west-2", 
"service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.178.0/24", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.179.0/24", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.180.0/24", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.181.0/27", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.181.32/28", "region": "us-west-2", "service": "ROUTE53_RESOLVER", "network_border_group": "us-west-2" }, { "ip_prefix": "44.242.184.128/25", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ip_prefix": "52.43.76.88/29", "region": "us-west-2", "service": "CODEBUILD", "network_border_group": "us-west-2" }, { "ip_prefix": "54.190.198.32/28", "region": "us-west-2", "service": "AMAZON_CONNECT", "network_border_group": "us-west-2" }, { "ip_prefix": "54.244.46.0/23", "region": "us-west-2", "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-west-2" }, { "ip_prefix": "54.244.52.192/26", "region": "us-west-2", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-west-2" }, { "ip_prefix": "54.245.168.0/26", "region": "us-west-2", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-west-2" } ], "ipv6_prefixes": [ { "ipv6_prefix": "2600:1ff2:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d07a:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2600:1f68:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d070:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { 
"ipv6_prefix": "240f:80ff:4000::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1f01:4822::/56", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d034:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da1b::/36", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "240f:80f8:4000::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:9000:3000::/36", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f600::/39", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2400:6500:0:9::2/128", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1f01:4874::/47", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1f19:8000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-3" }, { "ipv6_prefix": "2600:1fff:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2a05:d07a:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:1f11:8000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-4" }, { "ipv6_prefix": "2a05:d034:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d07c:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:da60:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", 
"network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1fa0:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1f1d:8000::/36", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-pilot-2" }, { "ipv6_prefix": "2620:107:4000:a940::/58", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:da61:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:daf1:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1f15::/36", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1ffd:80a7::/48", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1ff9:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2406:da70:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:daa0:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:daa0:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:daf8:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f60:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d070:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d03a:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": 
"2406:da15::/36", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2-wl1-cjj-wlz-1" }, { "ipv6_prefix": "240f:80f9:4000::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:da70:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:daf9:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2620:107:4000:a080::/58", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1fa0:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:9000:f540::/42", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d000:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d078:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da70:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f60:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2406:da61:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ffd:80c8::/48", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2620:107:4000:2::92/128", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f68:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ff0:e000::/40", "region": "sa-east-1", "service": "AMAZON", 
"network_border_group": "sa-east-1" }, { "ipv6_prefix": "2a05:d050:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2404:c2c0::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:9000:f000::/38", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f500::/43", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d030:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d030:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:daf0:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1f01:4802::/47", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2620:108:7000::/44", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:daf0:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1f01:4860::/47", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1ff1:8000::/39", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:9000:a800::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d01e::/36", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da00:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f00:c000::/40", "region": "us-west-1", "service": "AMAZON", 
"network_border_group": "us-west-1" }, { "ipv6_prefix": "2620:107:4000:7100::/56", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2404:c2c0:2e80::/48", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1ff8:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:9000:ddd::/48", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2620:107:4000:2::96/128", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d034:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:da70:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:dafe:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1fff:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2620:107:4002::/48", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:daf8:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:dafe:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ff1:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:da1c::/36", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2400:6500:0:7600::/56", "region": 
"ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:da1a::/36", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:daf8:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:daf9:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:9000:a700::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d07a:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:daf0:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:daf2:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1f01:4880::/47", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2400:6500:0:7900::/56", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2404:c2c0:2f00::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2a05:d031:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2400:6500:ff00::/64", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2a01:578:0:7000::/56", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d071:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d07e:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, 
{ "ipv6_prefix": "2406:daf2:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:dafc:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2a05:d070:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:da61:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1f70:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d07a:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d07a:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:dafc:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f70:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ff1:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:9000:ae00::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d000:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d07e:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:dafa:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2620:107:4000:7000::/56", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d030:c000::/40", "region": "eu-west-2", "service": "AMAZON", 
"network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d079:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d050:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da61:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:dafc:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2a01:578:0:7100::/56", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:dafc:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1ff9:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1ffd:807f::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f01:4810::/47", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d07f:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da60:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1ffd:82be::/48", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:9000:a500::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2404:c2c0:4000::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:da61:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2406:daf8:a000::/40", "region": "ap-south-1", 
"service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1ff1:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffd:80e1::/48", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2620:107:4000:40::/64", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:daf2:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2400:7fc0:2600::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:da61:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:9000:f800::/37", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2400:6500:0:9::3/128", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2400:6500:0:9::1/128", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2404:c2c0:200::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:da00:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:dafe:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2a05:d078:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2406:da60:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:dafc:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": 
"2600:1f00:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2400:6500:0:7a00::/56", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ffc:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2400:6500:0:9::4/128", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1ff9:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d079:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da68:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:dafe:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f70:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2406:da68:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1ffd:8492::/48", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d034:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:da70:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1f1a:8000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-wl1-mia-wlz-1" }, { "ipv6_prefix": "2a05:d078:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da19::/36", "region": 
"ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2620:108:d000::/44", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2404:c2c0:2a00::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1ffa:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:9000:f400::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d071:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d078:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:daf9:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f70:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1ffc:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d030:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:daf2:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1f60:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1f61:8000::/39", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:9000:ac00::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:f0f0:4000::/44", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": 
"2406:daf9:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2620:107:4000:7400::/56", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2a05:d072:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2600:1fff:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2620:107:4000:a880::/58", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:da00:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1ff8:5000::/36", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:9000:af00::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2606:f40:6800::/48", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:daf8:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1ffd:8149::/48", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2620:107:4008::/45", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2400:6500:0:7200::/56", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:da61:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1ff9:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1ffb:8080::/48", "region": "us-east-1", "service": 
"AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ffe:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:9000:aa00::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2620:107:3001::/48", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2406:daa0:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2a05:d000:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2404:c2c0:2200::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2400:7fc0:2f00::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "240f:80fa:8000::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2a05:d072:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1ffe:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:9000:f538::/45", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:f00f::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2606:f40:3001::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f12::/36", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2a05:d011::/36", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "240f:80fe:8000::/40", "region": "cn-north-1", "service": "AMAZON", 
"network_border_group": "cn-north-1" }, { "ipv6_prefix": "2400:7fc0:2100::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:da70:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f12:4000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f1c::/36", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:f0f0:1000::/44", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2620:107:4000:2::90/128", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:da1e::/32", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2406:daf8:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2a05:d030:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2400:7fc0:2800::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:da60:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ff0:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ffd:807b::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:daff:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "240f:8014::/36", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "240f:80a0:4000::/40", "region": "cn-northwest-1", "service": 
"AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1ffb:8021::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da18::/36", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:dafa:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2a05:d031:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2404:c2c0:8000::/36", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1ff0:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1ffb:60c0::/48", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2400:6500:0:7800::/56", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2a05:d07c:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1f01:48e2::/47", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1f60:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d016::/36", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:daf1:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:dafc:ffa0::/46", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:9000:5380::/41", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d079:9000::/40", 
"region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:da17::/36", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:daf0:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:daff:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ffc:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:da60:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2620:107:4000:a900::/58", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2a05:d07f:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:da60:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2a05:d031:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d031:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2606:f40::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:daf9:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1ffe:8000::/40", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d07e:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2400:6500:0:7400::/56", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" 
}, { "ipv6_prefix": "2400:7fc0:2a00::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1f14::/34", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:9000:1000::/36", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f530::/46", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d07f:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1f60:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d071:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:daff:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1ffd:812f::/48", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2a05:d000:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d031:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d071:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2406:daff:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1f61:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffd:8285::/48", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2a05:d014::/35", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { 
"ipv6_prefix": "2600:1ff0:8000::/39", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ffd:8422::/48", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2a05:d030:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:da60:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1ff2:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d079:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2600:1ffe:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2406:da61:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:daf8:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:da68:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2a05:d050:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "240f:80fa:4000::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2a01:578:3::/64", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1f14:8000::/36", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-wl1-den-wlz-1" }, { "ipv6_prefix": "2a05:d070:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2a05:d072:c000::/40", "region": "eu-west-2", "service": 
"AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2400:7fc0:4000::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daf1:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1ff2:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ffd:80f0::/48", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2400:6500:0:7700::/56", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1f00:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ffd:84af::/48", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:9000:2000::/36", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d000:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da61:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:daf1:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1ffd:85e8::/48", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2606:f40:1::/48", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2400:7fc0:2e80::/48", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:da1f::/36", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:9000:a300::/40", 
"region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a01:578:0:7400::/56", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d050:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d078:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:da60:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:da68:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:f00c::/39", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d031:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d07c:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:daf9:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f60:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ff1:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2400:7fc0:500::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d079:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:daf0:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1ffd:8188::/48", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": 
"2600:1f10:4000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da60:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:dafc:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1f70:8000::/40", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1fa0:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1fff:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:daf1:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:9000:4000::/36", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d012::/36", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:daf1:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1f00:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2404:c2c0:2800::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:daf0:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:dafa:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2620:107:4000:2::93/128", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1ffd:838e::/48", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { 
"ipv6_prefix": "2600:1ff8:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1f01:4850::/47", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f01:48a0::/47", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f1f:8000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-wl1-atl-wlz-1" }, { "ipv6_prefix": "2600:9000:fff::/48", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d03a:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da00:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:9000:a400::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d079:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2600:1f1e::/36", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2406:daff:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1f61:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2400:7fc0:200::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daf1:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "240f:80a0:8000::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1fff:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { 
"ipv6_prefix": "2a05:d072:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a01:578:0:7700::/56", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2600:1f61:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2400:6700:ff00::/64", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2403:b300:ff00::/64", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:daa0:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:daf2:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f16::/36", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2406:daf1:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1ffc:8000::/40", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2620:107:300f::/64", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d07c:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:daf8:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1ffd:80d0::/48", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d01a::/36", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:da1d::/36", "region": "ap-northeast-1", "service": "AMAZON", 
"network_border_group": "ap-northeast-1-wl1-kix-wlz-1" }, { "ipv6_prefix": "2620:107:4000:a8c0::/58", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2a05:d034:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2404:c2c0:500::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2406:daf8:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f68:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1ffd:816c::/48", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1ffe:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "240f:80ff:8000::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1f01:48c0::/47", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:9000:5308::/45", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f534::/46", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d01c::/36", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d034:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2600:1ff8:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ffd:83ad::/48", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d07f:6000::/40", "region": 
"eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da68:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:daff:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f13::/36", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:daff:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1ff9:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:9000:a900::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d07a:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1f01:4890::/47", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f68:8000::/39", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d030:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2404:c2c0:2c00::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "240f:80f8:8000::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1ffd:83d2::/48", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:9000:a200::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2620:107:4000:7800::/56", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a01:578:0:7200::/56", 
"region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2406:daf1:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:da00:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:da61:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:daf2:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1f13:8000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-1" }, { "ipv6_prefix": "2406:da11::/36", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "240f:8000:8000::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1f1c:8000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-wl1-dfw-wlz-1" }, { "ipv6_prefix": "2600:9000:ad00::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:f00c:8000::/39", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d018::/36", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:dafc:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1ff0:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ff9:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1ffd:85c0::/48", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { 
"ipv6_prefix": "2600:f000::/39", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da68:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1ffb:80a1::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:daf8:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:dafe:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f01:4820::/47", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d034:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2a05:d07e:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "240f:80f9:8000::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2620:107:4000:2::94/128", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:da61:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f01:48d2::/47", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1ffd:818f::/48", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ffd:81c2::/48", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d050:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da61:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", 
"network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1f14:4000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-dfw-2" }, { "ipv6_prefix": "2600:1ffd:84bd::/48", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:1f01:4800::/47", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2a05:d078:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d078:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d07a:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d07e:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2406:dafc:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2a05:d050:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d07f:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:1f12:8000::/36", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-wl1-las-wlz-1" }, { "ipv6_prefix": "2600:1ffd:803f::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d07e:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2406:daf0:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:dafc:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:dafe:f000::/40", "region": 
"ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1f01:48e0::/47", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2620:107:4000:2::95/128", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d030:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d03a:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2600:1f68:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1ff8:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:9000:5300::/45", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d031:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d050:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2406:daa0:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:daf9:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2804:800:ff00::/64", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2a05:d070:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d079:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da00:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": 
"2406:daa0:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:daf0:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2a05:d071:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2400:7fc0:2400::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daf1:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1ffa:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d031:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d072:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d07c:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d07f:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:dafe:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1f15:8000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-pilot-5" }, { "ipv6_prefix": "2a05:d015::/36", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2600:1ff8:8000::/40", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:daf9:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f1f::/36", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-lax-1" 
}, { "ipv6_prefix": "2600:1ffd:8165::/48", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2a05:d078:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "240f:8000:4000::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2a05:d07e:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2400:7fc0:8000::/36", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1ff2:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffd:819f::/48", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2400:6500:0:7500::/56", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1f01:48b0::/47", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1ff1:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ff1:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d07e:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da60:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2406:da68:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da70:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1ff1:5000::/40", "region": "us-gov-east-1", "service": 
"AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2620:107:4000:2::97/128", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:da68:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f17:8000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-wl1-nyc-wlz-1" }, { "ipv6_prefix": "2600:1ffa:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d070:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da00:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2620:107:4000:7a00::/56", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2404:c2c0:2600::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1f00:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f1e:8000::/36", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-wl1-sea-wlz-1" }, { "ipv6_prefix": "2a05:d071:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:dafc:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:dafe:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:daff:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:daff:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": 
"ap-southeast-4" }, { "ipv6_prefix": "2600:9000:f520::/44", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d030:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da14::/36", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1ff9:8000::/40", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ff0:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1fff:8000::/40", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:9000:a100::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d078:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2620:107:4000:2::91/128", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d000:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1f01:4804::/47", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d050:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2404:c2c0:2100::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2804:800:0:7000::/56", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2406:daf0:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f10:8000::/36", "region": "us-east-1", "service": "AMAZON", 
"network_border_group": "us-east-1-wl1-bos-wlz-1" }, { "ipv6_prefix": "2600:f000:8000::/39", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d072:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:dafc:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1fa0:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2406:daa0:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f01:4840::/47", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1f68:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2606:f40:4000::/48", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d072:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:daf9:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2a05:d07c:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da70:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:da00:ff00::/64", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da60:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:daf2:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": 
"2600:1f01:4830::/47", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1fa0:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffc:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2a05:d079:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:dafa:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f61:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ffd:8508::/48", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:da00:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f1c:4000::/36", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-phx-2" }, { "ipv6_prefix": "2a05:d018:1000::/36", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2400:6500:0:7b00::/56", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "240f:80fc:4000::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1f11::/36", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1f61:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2620:107:4000:a840::/58", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2400:7fc0:2c00::/40", "region": "cn-north-1", "service": "AMAZON", 
"network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:da70:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1f60:8000::/39", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2606:f40:1801::/48", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d070:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:da00:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ffd:833b::/48", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1fff:3000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-lax-1" }, { "ipv6_prefix": "2620:107:4004::/48", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d070:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d07e:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:da70:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:daff:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2a05:d000:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d071:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d07f:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:daa0:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", 
"network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:daf2:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1f00:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ffd:8066::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2400:6500:0:7000::/56", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:daa0:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:dafa:8000::/40", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1ff2:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d071:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2400:6500:100:7200::/56", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:dafa:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2404:c2c0:2400::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:daf1:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1ffa:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffc:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2406:daf0:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": 
"2406:dafc:ff80::/46", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1ff2:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ffa:8000::/40", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ffb:60c1::/48", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f00:8000::/40", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2400:7fc0::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daff:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2a01:578:0:7900::/56", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d07f:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d03a:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da13::/36", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1-wl1-nrt-wlz-1" }, { "ipv6_prefix": "2a05:d031:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:daf9:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1ffd:85b2::/48", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:9000:5320::/43", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d03a:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": 
"eu-west-3" }, { "ipv6_prefix": "2a05:d03a:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2600:1f18:8000::/36", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1-wl1-was-wlz-1" }, { "ipv6_prefix": "2620:107:4000:7700::/56", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "240f:80fc:8000::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1f01:48d0::/47", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:daf2:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1ffe:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2a05:d034:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2600:1f70:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:9000:5310::/44", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d019::/36", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d070:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:daf2:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:dafe:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:9000:f580::/41", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2406:da70:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", 
"network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1f70:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ffd:8190::/48", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2406:daa0:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1f00:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffd:81a7::/48", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2406:dafa:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f68:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1ff2:8000::/39", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d072:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d07f:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2600:1ffb:40c0::/46", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1fff:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d000:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da00:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1fa0:1000::/40", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ffc:c000::/40", "region": "us-west-1", "service": 
"AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:daf8:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:daf9:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1ff2:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2a05:d070:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:1f01:4870::/47", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a01:578:0:7800::/56", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d079:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2600:1fa0:8000::/39", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:dafe:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:daf1:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f01:4844::/47", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1fa0:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d03a:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:daf9:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f68:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ff9:4000::/40", 
"region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ffc:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2a05:d050:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d079:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2600:1ffe:4000::/40", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ff0:c000::/40", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2620:107:4007::/64", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d07c:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da12::/36", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:dafc:ff60::/46", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:da00:9000::/40", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2a05:d071:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2600:9000:5340::/42", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2606:f40:1001::/48", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:daff:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1ffd:831b::/48", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d034:c000::/40", 
"region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d07f:4000::/40", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:da16::/36", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:daa0:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1ffb:80a0::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2620:107:4000:7200::/56", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:da68:e000::/40", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2406:daf2:c000::/40", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1ff0:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1ffa:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ffa:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2400:7fc0:2200::/40", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daf0:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1f70:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2620:107:4000:5::/64", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:9000:eee::/48", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { 
"ipv6_prefix": "2a05:d034:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:da68:f000::/40", "region": "ap-southeast-4", "service": "AMAZON", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:dafe:7000::/40", "region": "me-central-1", "service": "AMAZON", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ffd:80cb::/48", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d07c:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2620:107:4005::/48", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d000:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da00:6000::/40", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:da68:1000::/40", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1f01:4814::/47", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f01:481a::/47", "region": "ap-southeast-3", "service": "AMAZON", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:da60:4000::/40", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:9000:a600::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2620:107:4003::/48", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d07c:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2600:1f16:8000::/36", "region": "us-east-2", "service": "AMAZON", 
"network_border_group": "us-east-2-pilot-1" }, { "ipv6_prefix": "2600:1ffd:8143::/48", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2a05:d07c:9000::/40", "region": "eu-central-2", "service": "AMAZON", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d07e:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:daf8:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:dafc:2000::/40", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1ff8:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d050:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "240f:80fe:4000::/40", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2a05:d03a:c000::/40", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:9000:ab00::/40", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "240f:8018::/36", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1ffa:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2a01:578:13::/64", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:daa0:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:dafe:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1f60:c000::/40", 
"region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f61:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1f61:6000::/40", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1fff:5000::/40", "region": "us-gov-east-1", "service": "AMAZON", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2406:daf0:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1f01:48f0::/47", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f1b:8000::/36", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2-wl1-sfo-wlz-1" }, { "ipv6_prefix": "2a05:d000:1000::/40", "region": "eu-south-2", "service": "AMAZON", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d030:e000::/40", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da68:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1ffe:2000::/40", "region": "us-gov-west-1", "service": "AMAZON", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2400:6500:0:7100::/56", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:daf2:b000::/40", "region": "ap-south-2", "service": "AMAZON", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:da70:a000::/40", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2a05:d078:6000::/40", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d031:5000::/40", "region": "il-central-1", "service": "AMAZON", "network_border_group": "il-central-1" }, { 
"ipv6_prefix": "2a05:d03a:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d072:2000::/40", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2400:6500:0:7300::/56", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1ff8:e000::/40", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2a05:d072:8000::/40", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d07a:a000::/40", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2600:1f68:1000::/40", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d070:e000::/40", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2a05:d034:5000::/40", "region": "il-central-1", "service": "S3", "network_border_group": "il-central-1" }, { "ipv6_prefix": "240f:80f8:4000::/40", "region": "cn-northwest-1", "service": "S3", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:9000:a310::/48", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d07a:c000::/40", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d034:1000::/40", "region": "eu-south-2", "service": "S3", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2600:1fa0:4000::/40", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ff9:e000::/40", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2406:daa0:6000::/40", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:daa0:7000::/40", 
"region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:daf8:e000::/40", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2a05:d070:4000::/40", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "240f:80f9:4000::/40", "region": "cn-northwest-1", "service": "S3", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:daf9:a000::/40", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1fa0:2000::/40", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2a05:d078:e000::/40", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2600:1f68:4000::/40", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ff0:e000::/40", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2a05:d050:2000::/40", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2600:9000:a211::/48", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2406:daf0:2000::/40", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:daf0:9000::/40", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1ff8:c000::/40", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d034:2000::/40", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:daf8:4000::/40", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:daf8:c000::/40", "region": "ap-southeast-2", 
"service": "S3", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:daf9:6000::/40", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2a05:d07a:e000::/40", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:daf0:f000::/40", "region": "ap-southeast-4", "service": "S3", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2a05:d070:a000::/40", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d07a:2000::/40", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d07a:6000::/40", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:dafa:a000::/40", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2a05:d079:c000::/40", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d050:6000::/40", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2600:1ff9:6000::/40", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2406:daf8:a000::/40", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2404:c2c0:200::/40", "region": "cn-northwest-1", "service": "S3", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2a05:d078:c000::/40", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:1ff9:1000::/40", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d079:5000::/40", "region": "il-central-1", "service": "S3", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da68:9000::/40", "region": "ap-southeast-3", "service": "S3", 
"network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:da68:2000::/40", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2a05:d034:8000::/40", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d078:5000::/40", "region": "il-central-1", "service": "S3", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2600:1ffa:4000::/40", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d078:8000::/40", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:daf9:8000::/40", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:daf9:7000::/40", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ff8:5000::/36", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2406:daf8:f000::/40", "region": "ap-southeast-4", "service": "S3", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1ff9:c000::/40", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:daa0:8000::/40", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "240f:80fa:8000::/40", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daf8:b000::/40", "region": "ap-south-2", "service": "S3", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2400:7fc0:2800::/40", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1ff0:2000::/40", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "240f:80a0:4000::/40", "region": "cn-northwest-1", "service": "S3", 
"network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:dafa:2000::/40", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:9000:a104::/48", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:1ff0:6000::/40", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:9000:a311::/48", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d079:9000::/40", "region": "eu-central-2", "service": "S3", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:daf0:b000::/40", "region": "ap-south-2", "service": "S3", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:daf9:f000::/40", "region": "ap-southeast-4", "service": "S3", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1f60:6000::/40", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1ff0:8000::/39", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d079:a000::/40", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:daf8:9000::/40", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:da68:6000::/40", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2a05:d050:5000::/40", "region": "il-central-1", "service": "S3", "network_border_group": "il-central-1" }, { "ipv6_prefix": "240f:80fa:4000::/40", "region": "cn-northwest-1", "service": "S3", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2a05:d070:5000::/40", "region": "il-central-1", "service": "S3", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2a05:d050:a000::/40", "region": "eu-south-1", "service": "S3", "network_border_group": 
"eu-south-1" }, { "ipv6_prefix": "2a05:d078:9000::/40", "region": "eu-central-2", "service": "S3", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:da68:7000::/40", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:daf9:e000::/40", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2a05:d079:4000::/40", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:daf0:6000::/40", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1fa0:6000::/40", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2404:c2c0:2800::/40", "region": "cn-northwest-1", "service": "S3", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:daf0:1000::/40", "region": "af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:dafa:6000::/40", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1ff8:2000::/40", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2a05:d079:2000::/40", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2400:7fc0:200::/40", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "240f:80a0:8000::/40", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daa0:2000::/40", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:daf8:6000::/40", "region": "ap-northeast-3", "service": "S3", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2a05:d034:4000::/40", "region": "eu-central-1", "service": "S3", "network_border_group": 
"eu-central-1" }, { "ipv6_prefix": "2406:daf8:8000::/40", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f68:c000::/40", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d034:9000::/40", "region": "eu-central-2", "service": "S3", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2600:1ff8:4000::/40", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:da68:b000::/40", "region": "ap-south-2", "service": "S3", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1ff9:2000::/40", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2a05:d07a:4000::/40", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1f68:8000::/39", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2404:c2c0:2c00::/40", "region": "cn-northwest-1", "service": "S3", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "240f:80f8:8000::/40", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1ff0:4000::/40", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ff9:5000::/40", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2406:da68:c000::/40", "region": "ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:daf8:1000::/40", "region": "af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2a05:d034:e000::/40", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ipv6_prefix": "240f:80f9:8000::/40", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { 
"ipv6_prefix": "2a05:d050:e000::/40", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2a05:d078:1000::/40", "region": "eu-south-2", "service": "S3", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d078:4000::/40", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d07a:8000::/40", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d050:9000::/40", "region": "eu-central-2", "service": "S3", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:daf0:8000::/40", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f68:5000::/40", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1ff8:1000::/40", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d050:c000::/40", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2406:daa0:4000::/40", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:daf9:2000::/40", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2a05:d070:2000::/40", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d079:6000::/40", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:daa0:b000::/40", "region": "ap-south-2", "service": "S3", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:daf0:c000::/40", "region": "ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2400:7fc0:2400::/40", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ipv6_prefix": 
"2600:1ffa:c000::/40", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1ff8:8000::/40", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:daf9:c000::/40", "region": "ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2a05:d078:2000::/40", "region": "eu-west-3", "service": "S3", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:da68:4000::/40", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da68:8000::/40", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1ffa:1000::/40", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d070:6000::/40", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2600:1ff9:8000::/40", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ff0:1000::/40", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d078:a000::/40", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d050:4000::/40", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:daf0:4000::/40", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1fa0:5000::/40", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2406:daa0:e000::/40", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f68:2000::/40", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": 
"2406:daf9:b000::/40", "region": "ap-south-2", "service": "S3", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1fa0:e000::/40", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2a05:d079:8000::/40", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:dafa:c000::/40", "region": "ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2400:7fc0:2c00::/40", "region": "cn-north-1", "service": "S3", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2a05:d070:8000::/40", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d070:1000::/40", "region": "eu-south-2", "service": "S3", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2406:daa0:f000::/40", "region": "ap-southeast-4", "service": "S3", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:9000:a210::/48", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2406:daa0:9000::/40", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:dafa:8000::/40", "region": "ap-southeast-1", "service": "S3", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:dafa:4000::/40", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2404:c2c0:2400::/40", "region": "cn-northwest-1", "service": "S3", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1ffa:e000::/40", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2406:daf0:e000::/40", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1ffa:8000::/40", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:daf9:1000::/40", "region": 
"af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2a05:d034:6000::/40", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d070:9000::/40", "region": "eu-central-2", "service": "S3", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:daa0:1000::/40", "region": "af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:dafa:e000::/40", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f68:6000::/40", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1fa0:1000::/40", "region": "ca-central-1", "service": "S3", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2406:daf8:7000::/40", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:daf9:9000::/40", "region": "ap-southeast-3", "service": "S3", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2a05:d070:c000::/40", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d079:e000::/40", "region": "me-south-1", "service": "S3", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2600:1fa0:8000::/39", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1fa0:c000::/40", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:daf9:4000::/40", "region": "ap-northeast-1", "service": "S3", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f68:e000::/40", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ff9:4000::/40", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d050:8000::/40", "region": "eu-west-1", "service": "S3", 
"network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d079:1000::/40", "region": "eu-south-2", "service": "S3", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2600:1ff0:c000::/40", "region": "us-west-1", "service": "S3", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:9000:a105::/48", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2a05:d034:c000::/40", "region": "eu-west-2", "service": "S3", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2406:daa0:c000::/40", "region": "ap-southeast-2", "service": "S3", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:da68:e000::/40", "region": "ap-east-1", "service": "S3", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1ff0:5000::/40", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1ffa:2000::/40", "region": "us-gov-west-1", "service": "S3", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ffa:6000::/40", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2406:daf0:7000::/40", "region": "me-central-1", "service": "S3", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2a05:d034:a000::/40", "region": "eu-south-1", "service": "S3", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:da68:f000::/40", "region": "ap-southeast-4", "service": "S3", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:da68:1000::/40", "region": "af-south-1", "service": "S3", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:daf8:2000::/40", "region": "ap-northeast-2", "service": "S3", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1ff8:6000::/40", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d050:1000::/40", "region": "eu-south-2", "service": "S3", "network_border_group": "eu-south-2" }, { 
"ipv6_prefix": "2600:1ffa:5000::/40", "region": "us-gov-east-1", "service": "S3", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2406:daa0:a000::/40", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:daf0:a000::/40", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:da68:a000::/40", "region": "ap-south-1", "service": "S3", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2a05:d078:6000::/40", "region": "eu-north-1", "service": "S3", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2600:1ff8:e000::/40", "region": "sa-east-1", "service": "S3", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ff2:4000::/40", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d070:e000::/40", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ipv6_prefix": "240f:80ff:4000::/40", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:da1b::/36", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1f19:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-3" }, { "ipv6_prefix": "2600:1fff:2000::/40", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1f11:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-4" }, { "ipv6_prefix": "2406:da60:6000::/40", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1f1d:8000::/36", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-pilot-2" }, { "ipv6_prefix": "2406:da61:4000::/40", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { 
"ipv6_prefix": "2406:daf1:a000::/40", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1f15::/36", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1ffd:80a7::/48", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:da70:6000::/40", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1f60:1000::/40", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d070:4000::/40", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d03a:4000::/40", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:da15::/36", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2-wl1-cjj-wlz-1" }, { "ipv6_prefix": "2406:da70:8000::/40", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2a05:d000:a000::/40", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:da70:4000::/40", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f60:2000::/40", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2406:da61:7000::/40", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ffd:80c8::/48", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1ff0:e000::/40", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2404:c2c0::/40", "region": "cn-northwest-1", "service": "EC2", 
"network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2a05:d030:1000::/40", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d030:5000::/40", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:daf0:2000::/40", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:daf0:9000::/40", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1ff1:8000::/39", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d01e::/36", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da00:8000::/40", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f00:c000::/40", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:da70:f000::/40", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1fff:1000::/40", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2620:107:4002::/48", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ff1:4000::/40", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:da1c::/36", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:da1a::/36", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:daf0:f000::/40", "region": "ap-southeast-4", "service": "EC2", 
"network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:daf2:2000::/40", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2404:c2c0:2f00::/40", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2a05:d031:8000::/40", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2400:6500:ff00::/64", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2a05:d071:6000::/40", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:daf2:6000::/40", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2a05:d070:a000::/40", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:da61:b000::/40", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1f70:6000::/40", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f70:4000::/40", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ff1:c000::/40", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d000:9000::/40", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d030:c000::/40", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2406:da61:f000::/40", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1ffd:807f::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d07f:5000::/40", "region": "il-central-1", "service": "EC2", 
"network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da60:f000::/40", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1ffd:82be::/48", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2404:c2c0:4000::/40", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:da61:e000::/40", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1ff1:e000::/40", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffd:80e1::/48", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:daf2:a000::/40", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:da61:1000::/40", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:da00:f000::/40", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:da60:c000::/40", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f00:5000::/40", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1f70:1000::/40", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ffd:8492::/48", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2406:da70:9000::/40", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1f1a:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-wl1-mia-wlz-1" }, { "ipv6_prefix": "2406:da19::/36", "region": "ap-southeast-3", 
"service": "EC2", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2a05:d071:9000::/40", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2600:1f70:c000::/40", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d030:a000::/40", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:daf2:9000::/40", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1f60:5000::/40", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1f61:8000::/39", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:f0f0:4000::/44", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2620:108:700f::/64", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d072:e000::/40", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2600:1fff:4000::/40", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:da00:2000::/40", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2606:f40:6800::/48", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1ffd:8149::/48", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da61:6000::/40", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1ffb:8080::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d000:4000::/40", "region": "eu-central-1", 
"service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2404:c2c0:2200::/40", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2400:7fc0:2f00::/40", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2a05:d072:4000::/40", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:f00f::/40", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2606:f40:3001::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f12::/36", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2a05:d011::/36", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2400:7fc0:2100::/40", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:da70:e000::/40", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f12:4000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f1c::/36", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:f0f0:1000::/44", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da1e::/32", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2a05:d030:4000::/40", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:da60:7000::/40", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ff0:2000::/40", "region": "us-gov-west-1", "service": "EC2", "network_border_group": 
"us-gov-west-1" }, { "ipv6_prefix": "2600:1ffd:807b::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:daff:2000::/40", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "240f:8014::/36", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1ffb:8021::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da18::/36", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2a05:d031:e000::/40", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2404:c2c0:8000::/36", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2600:1ff0:6000::/40", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1ffb:60c0::/48", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f60:4000::/40", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d016::/36", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:daf1:7000::/40", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:da17::/36", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:daf0:b000::/40", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:daff:7000::/40", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:da60:1000::/40", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { 
"ipv6_prefix": "2a05:d07f:9000::/40", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:da60:2000::/40", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2a05:d031:9000::/40", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d031:c000::/40", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2606:f40::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f14::/34", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d07f:8000::/40", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1f60:6000::/40", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d071:8000::/40", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:daff:1000::/40", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1ffd:812f::/48", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2a05:d000:2000::/40", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d031:6000::/40", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d071:1000::/40", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2406:daff:9000::/40", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1f61:e000::/40", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffd:8285::/48", 
"region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2a05:d014::/35", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1ff0:8000::/39", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ffd:8422::/48", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2a05:d030:2000::/40", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:da60:b000::/40", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1ff2:6000::/40", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2406:da61:9000::/40", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2a01:578:3::/64", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1f14:8000::/36", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-wl1-den-wlz-1" }, { "ipv6_prefix": "2a05:d070:5000::/40", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2a05:d072:c000::/40", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2400:7fc0:4000::/40", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daf1:9000::/40", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2600:1ff2:1000::/40", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ffd:80f0::/48", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1f00:2000::/40", "region": 
"us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ffd:84af::/48", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d000:5000::/40", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da61:a000::/40", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:daf1:f000::/40", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1ffd:85e8::/48", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2606:f40:1::/48", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:da1f::/36", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2406:da60:8000::/40", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:f00c::/39", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d031:2000::/40", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2600:1f60:e000::/40", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ff1:1000::/40", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2406:daf0:6000::/40", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1ffd:8188::/48", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1f10:4000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da60:a000::/40", "region": "ap-south-1", 
"service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1f70:8000::/40", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1fff:c000::/40", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:daf1:c000::/40", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2a05:d012::/36", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:daf1:6000::/40", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1f00:4000::/40", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:daf0:1000::/40", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1ffd:838e::/48", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1f1f:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-wl1-atl-wlz-1" }, { "ipv6_prefix": "2a05:d03a:6000::/40", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da00:e000::/40", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f1e::/36", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2406:daff:6000::/40", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1f61:5000::/40", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2406:daf1:e000::/40", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1fff:e000::/40", "region": "sa-east-1", "service": "EC2", 
"network_border_group": "sa-east-1" }, { "ipv6_prefix": "2a05:d072:a000::/40", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2600:1f61:1000::/40", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2400:6700:ff00::/64", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2403:b300:ff00::/64", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:daf2:8000::/40", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f16::/36", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2406:daf1:8000::/40", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2620:107:300f::/64", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1ffd:80d0::/48", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d01a::/36", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2406:da1d::/36", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1-wl1-kix-wlz-1" }, { "ipv6_prefix": "2600:1ffd:816c::/48", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "240f:80ff:8000::/40", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2a05:d01c::/36", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:1ffd:83ad::/48", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d07f:6000::/40", "region": "eu-north-1", "service": "EC2", 
"network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:daff:8000::/40", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:1f13::/36", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:daff:b000::/40", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2a05:d030:8000::/40", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1ffd:83d2::/48", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2406:daf1:b000::/40", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:da00:b000::/40", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:da61:8000::/40", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:daf2:f000::/40", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2600:1f13:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-1" }, { "ipv6_prefix": "2406:da11::/36", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ipv6_prefix": "240f:8000:8000::/40", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2600:1f1c:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-wl1-dfw-wlz-1" }, { "ipv6_prefix": "2600:f00c:8000::/39", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d018::/36", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1ff0:4000::/40", "region": "us-west-2", "service": "EC2", "network_border_group": 
"us-west-2" }, { "ipv6_prefix": "2600:1ffd:85c0::/48", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:f000::/39", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ffb:80a1::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da61:c000::/40", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1ffd:818f::/48", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ffd:81c2::/48", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2406:da61:2000::/40", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1f14:4000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-dfw-2" }, { "ipv6_prefix": "2600:1ffd:84bd::/48", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d07f:c000::/40", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:1f12:8000::/36", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-wl1-las-wlz-1" }, { "ipv6_prefix": "2600:1ffd:803f::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:daf0:8000::/40", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2a05:d030:9000::/40", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d03a:a000::/40", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d031:a000::/40", "region": "eu-south-1", "service": "EC2", "network_border_group": 
"eu-south-1" }, { "ipv6_prefix": "2804:800:ff00::/64", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2a05:d070:2000::/40", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:da00:1000::/40", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:daf0:c000::/40", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2620:108:d00f::/64", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2a05:d071:2000::/40", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2406:daf1:1000::/40", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2a05:d031:1000::/40", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d072:6000::/40", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d07f:2000::/40", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2600:1f15:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-pilot-5" }, { "ipv6_prefix": "2a05:d015::/36", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2600:1f1f::/36", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-lax-1" }, { "ipv6_prefix": "2600:1ffd:8165::/48", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "240f:8000:4000::/40", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2400:7fc0:8000::/36", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { 
"ipv6_prefix": "2600:1ff2:e000::/40", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffd:819f::/48", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ff1:2000::/40", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ff1:6000::/40", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2406:da60:e000::/40", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2406:da70:c000::/40", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1ff1:5000::/40", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1f17:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-wl1-nyc-wlz-1" }, { "ipv6_prefix": "2a05:d070:6000::/40", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da00:4000::/40", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f00:6000::/40", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f1e:8000::/36", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-wl1-sea-wlz-1" }, { "ipv6_prefix": "2a05:d071:4000::/40", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:daff:c000::/40", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:daff:f000::/40", "region": "ap-southeast-4", "service": "EC2", "network_border_group": "ap-southeast-4" }, { "ipv6_prefix": "2a05:d030:6000::/40", "region": "eu-north-1", "service": "EC2", 
"network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da14::/36", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1ff0:1000::/40", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1fff:8000::/40", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d000:8000::/40", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2404:c2c0:2100::/40", "region": "cn-northwest-1", "service": "EC2", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:daf0:4000::/40", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f10:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-wl1-bos-wlz-1" }, { "ipv6_prefix": "2600:f000:8000::/39", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d072:9000::/40", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2606:f40:4000::/48", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d072:5000::/40", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2406:da70:7000::/40", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:da00:ff00::/64", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da60:9000::/40", "region": "ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2406:daf2:4000::/40", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1f61:4000::/40", "region": "us-west-2", "service": 
"EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1ffd:8508::/48", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:da00:c000::/40", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f1c:4000::/36", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-phx-2" }, { "ipv6_prefix": "2a05:d018:1000::/36", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1f11::/36", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1f61:c000::/40", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2406:da70:b000::/40", "region": "ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2600:1f60:8000::/39", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2606:f40:1801::/48", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d070:8000::/40", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2406:da00:7000::/40", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1ffd:833b::/48", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1fff:3000::/40", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-lax-1" }, { "ipv6_prefix": "2620:107:4004::/48", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d070:1000::/40", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2406:da70:1000::/40", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, 
{ "ipv6_prefix": "2406:daff:e000::/40", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2a05:d000:c000::/40", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d071:c000::/40", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d07f:e000::/40", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:daf2:1000::/40", "region": "af-south-1", "service": "EC2", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2600:1f00:1000::/40", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ffd:8066::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1ff2:c000::/40", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2a05:d071:e000::/40", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:daf1:2000::/40", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:daf0:e000::/40", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1ff2:2000::/40", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ffb:60c1::/48", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f00:8000::/40", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2400:7fc0::/40", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daff:a000::/40", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2a05:d07f:a000::/40", "region": 
"eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d03a:e000::/40", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da13::/36", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1-wl1-nrt-wlz-1" }, { "ipv6_prefix": "2a05:d031:4000::/40", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1ffd:85b2::/48", "region": "ap-southeast-1", "service": "EC2", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2a05:d03a:2000::/40", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d03a:1000::/40", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2600:1f18:8000::/36", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1-wl1-was-wlz-1" }, { "ipv6_prefix": "2406:daf2:e000::/40", "region": "ap-east-1", "service": "EC2", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:1f70:e000::/40", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2a05:d019::/36", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2a05:d070:9000::/40", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2406:daf2:7000::/40", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2406:da70:2000::/40", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2600:1f70:2000::/40", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1ffd:8190::/48", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": 
"2600:1f00:e000::/40", "region": "sa-east-1", "service": "EC2", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1ffd:81a7::/48", "region": "ca-central-1", "service": "EC2", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1ff2:8000::/39", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2a05:d072:1000::/40", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d07f:1000::/40", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2600:1ffb:40c0::/46", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1fff:6000::/40", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d000:e000::/40", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:da00:a000::/40", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1ff2:5000::/40", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2a05:d070:c000::/40", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2406:daf1:4000::/40", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2a05:d03a:9000::/40", "region": "eu-central-2", "service": "EC2", "network_border_group": "eu-central-2" }, { "ipv6_prefix": "2600:1ff0:c000::/40", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2620:107:4007::/64", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:da12::/36", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:da00:9000::/40", "region": 
"ap-southeast-3", "service": "EC2", "network_border_group": "ap-southeast-3" }, { "ipv6_prefix": "2a05:d071:a000::/40", "region": "eu-south-1", "service": "EC2", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2606:f40:1001::/48", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2406:daff:4000::/40", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:1ffd:831b::/48", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2a05:d07f:4000::/40", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2406:da16::/36", "region": "ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2600:1ffb:80a0::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2406:daf2:c000::/40", "region": "ap-southeast-2", "service": "EC2", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1ff0:5000::/40", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2400:7fc0:2200::/40", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2406:daf0:7000::/40", "region": "me-central-1", "service": "EC2", "network_border_group": "me-central-1" }, { "ipv6_prefix": "2600:1f70:5000::/40", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2600:1ffd:80cb::/48", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2620:107:4005::/48", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2a05:d000:6000::/40", "region": "eu-north-1", "service": "EC2", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2406:da00:6000::/40", "region": 
"ap-northeast-3", "service": "EC2", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:da60:4000::/40", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2620:107:4003::/48", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1f16:8000::/36", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2-pilot-1" }, { "ipv6_prefix": "2600:1ffd:8143::/48", "region": "ap-northeast-1", "service": "EC2", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2a05:d03a:c000::/40", "region": "eu-west-2", "service": "EC2", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "240f:8018::/36", "region": "cn-north-1", "service": "EC2", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2a01:578:13::/64", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1f60:c000::/40", "region": "us-west-1", "service": "EC2", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f61:2000::/40", "region": "us-gov-west-1", "service": "EC2", "network_border_group": "us-gov-west-1" }, { "ipv6_prefix": "2600:1f61:6000::/40", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1fff:5000::/40", "region": "us-gov-east-1", "service": "EC2", "network_border_group": "us-gov-east-1" }, { "ipv6_prefix": "2406:daf0:a000::/40", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1f1b:8000::/36", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2-wl1-sfo-wlz-1" }, { "ipv6_prefix": "2a05:d000:1000::/40", "region": "eu-south-2", "service": "EC2", "network_border_group": "eu-south-2" }, { "ipv6_prefix": "2a05:d030:e000::/40", "region": "me-south-1", "service": "EC2", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2406:daf2:b000::/40", "region": 
"ap-south-2", "service": "EC2", "network_border_group": "ap-south-2" }, { "ipv6_prefix": "2406:da70:a000::/40", "region": "ap-south-1", "service": "EC2", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2a05:d031:5000::/40", "region": "il-central-1", "service": "EC2", "network_border_group": "il-central-1" }, { "ipv6_prefix": "2a05:d03a:8000::/40", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d072:2000::/40", "region": "eu-west-3", "service": "EC2", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d072:8000::/40", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:9000:3000::/36", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f600::/39", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f540::/42", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f000::/38", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f500::/43", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:ddd::/48", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f800::/37", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f400::/40", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f538::/45", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:5380::/41", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:1000::/36", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": 
"GLOBAL" }, { "ipv6_prefix": "2600:9000:2000::/36", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2400:7fc0:500::/40", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:4000::/36", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:fff::/48", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2404:c2c0:500::/40", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:5308::/45", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f534::/46", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f520::/44", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:5320::/43", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:5310::/44", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:f580::/41", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:5340::/42", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:eee::/48", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:1f01:4874::/47", "region": "us-west-2", "service": "GLOBALACCELERATOR", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1f01:4802::/47", "region": "eu-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1f01:4860::/47", "region": "ap-northeast-2", "service": "GLOBALACCELERATOR", "network_border_group": "ap-northeast-2" }, { 
"ipv6_prefix": "2600:9000:a800::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:a700::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:1f01:4880::/47", "region": "ap-northeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2600:9000:ae00::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:1f01:4810::/47", "region": "eu-west-3", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2600:9000:a500::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:ac00::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:af00::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:aa00::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:a300::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:1f01:4850::/47", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f01:48a0::/47", "region": "us-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:9000:a400::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:1f01:48c0::/47", "region": "ca-central-1", "service": "GLOBALACCELERATOR", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:9000:a900::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": 
"2600:1f01:4890::/47", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:9000:a200::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:ad00::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:1f01:4820::/47", "region": "eu-west-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2600:1f01:48d2::/47", "region": "ap-southeast-2", "service": "GLOBALACCELERATOR", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f01:4800::/47", "region": "ap-south-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2600:1f01:48e0::/47", "region": "me-south-1", "service": "GLOBALACCELERATOR", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2600:1f01:48b0::/47", "region": "ap-southeast-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2600:9000:a100::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:1f01:4804::/47", "region": "us-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f01:4840::/47", "region": "sa-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1f01:4830::/47", "region": "eu-central-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2600:1f01:48d0::/47", "region": "eu-north-1", "service": "GLOBALACCELERATOR", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2600:1f01:4870::/47", "region": "eu-west-2", "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2600:1f01:4844::/47", "region": "us-east-2", "service": "GLOBALACCELERATOR", "network_border_group": 
"us-east-2" }, { "ipv6_prefix": "2600:1f01:4814::/47", "region": "ap-east-1", "service": "GLOBALACCELERATOR", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2600:9000:a600::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2600:9000:ab00::/40", "region": "GLOBAL", "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL" }, { "ipv6_prefix": "2400:7fc0:4000:100::/56", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2400:7fc0:4000:200::/56", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2400:7fc0:4000:300::/56", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2400:7fc0:4000:400::/56", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2400:7fc0:4000::/56", "region": "cn-north-1", "service": "AMAZON", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2400:7fc0:83cc:cc00::/56", "region": "cn-north-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2400:7fc0:83cc:cd00::/56", "region": "cn-north-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2400:7fc0:83cc:ce00::/56", "region": "cn-north-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-north-1" }, { "ipv6_prefix": "2404:c2c0:4000:100::/56", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2404:c2c0:4000:200::/56", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2404:c2c0:4000:300::/56", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2404:c2c0:4000:400::/56", "region": "cn-northwest-1", "service": "AMAZON", 
"network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2404:c2c0:4000::/56", "region": "cn-northwest-1", "service": "AMAZON", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2404:c2c0:83cc:cc00::/56", "region": "cn-northwest-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2404:c2c0:83cc:cd00::/56", "region": "cn-northwest-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2404:c2c0:83cc:ce00::/56", "region": "cn-northwest-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "cn-northwest-1" }, { "ipv6_prefix": "2406:da70:1000:100::/56", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:da70:1000:200::/56", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:da70:1000:400::/56", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:da70:1000::/56", "region": "af-south-1", "service": "AMAZON", "network_border_group": "af-south-1" }, { "ipv6_prefix": "2406:da70:e000:100::/56", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2406:da70:e000:200::/56", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2406:da70:e000:400::/56", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2406:da70:e000::/56", "region": "ap-east-1", "service": "AMAZON", "network_border_group": "ap-east-1" }, { "ipv6_prefix": "2406:da14:7ff:f800::/56", "region": "ap-northeast-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da14:fff:f800::/56", "region": "ap-northeast-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da70:4000:100::/56", 
"region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da70:4000:200::/56", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da70:4000:300::/56", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da70:4000:400::/56", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da70:4000::/56", "region": "ap-northeast-1", "service": "AMAZON", "network_border_group": "ap-northeast-1" }, { "ipv6_prefix": "2406:da70:2000:100::/56", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:da70:2000:200::/56", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:da70:2000:300::/56", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:da70:2000:400::/56", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:da70:2000::/56", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2" }, { "ipv6_prefix": "2406:da70:6000::/56", "region": "ap-northeast-3", "service": "AMAZON", "network_border_group": "ap-northeast-3" }, { "ipv6_prefix": "2406:da70:a000:100::/56", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:da70:a000:200::/56", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:da70:a000:300::/56", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:da70:a000:400::/56", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": 
"2406:da70:a000::/56", "region": "ap-south-1", "service": "AMAZON", "network_border_group": "ap-south-1" }, { "ipv6_prefix": "2406:da18:7ff:f800::/56", "region": "ap-southeast-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:da18:fff:f800::/56", "region": "ap-southeast-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:da70:8000:100::/56", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:da70:8000:200::/56", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:da70:8000:300::/56", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:da70:8000:400::/56", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:da70:8000::/56", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1" }, { "ipv6_prefix": "2406:da1c:7ff:f800::/56", "region": "ap-southeast-2", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:da1c:fff:f800::/56", "region": "ap-southeast-2", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:da70:c000:100::/56", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:da70:c000:200::/56", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:da70:c000:300::/56", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:da70:c000:400::/56", "region": "ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2406:da70:c000::/56", "region": 
"ap-southeast-2", "service": "AMAZON", "network_border_group": "ap-southeast-2" }, { "ipv6_prefix": "2600:1f70:1000:100::/56", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1f70:1000:200::/56", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1f70:1000:300::/56", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1f70:1000:400::/56", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2600:1f70:1000::/56", "region": "ca-central-1", "service": "AMAZON", "network_border_group": "ca-central-1" }, { "ipv6_prefix": "2a05:d03a:4000:100::/56", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d03a:4000:200::/56", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d03a:4000:300::/56", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d03a:4000:400::/56", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d03a:4000::/56", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1" }, { "ipv6_prefix": "2a05:d03a:6000:100::/56", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d03a:6000:200::/56", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d03a:6000:400::/56", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d03a:6000::/56", "region": "eu-north-1", "service": "AMAZON", "network_border_group": "eu-north-1" }, { "ipv6_prefix": "2a05:d03a:a000:100::/56", "region": "eu-south-1", "service": 
"AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d03a:a000:200::/56", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d03a:a000:400::/56", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d03a:a000::/56", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1" }, { "ipv6_prefix": "2a05:d018:7ff:f800::/56", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d018:fff:f800::/56", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d03a:8000:100::/56", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d03a:8000:200::/56", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d03a:8000:300::/56", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d03a:8000:400::/56", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d03a:8000::/56", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1" }, { "ipv6_prefix": "2a05:d03a:c000:100::/56", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d03a:c000:200::/56", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d03a:c000:300::/56", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d03a:c000:400::/56", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": "2a05:d03a:c000::/56", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2" }, { "ipv6_prefix": 
"2a05:d03a:2000:100::/56", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d03a:2000:200::/56", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d03a:2000:300::/56", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d03a:2000:400::/56", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d03a:2000::/56", "region": "eu-west-3", "service": "AMAZON", "network_border_group": "eu-west-3" }, { "ipv6_prefix": "2a05:d03a:e000:100::/56", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2a05:d03a:e000:200::/56", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2a05:d03a:e000:400::/56", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2a05:d03a:e000::/56", "region": "me-south-1", "service": "AMAZON", "network_border_group": "me-south-1" }, { "ipv6_prefix": "2600:1f1e:7ff:f800::/56", "region": "sa-east-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1f1e:fff:f800::/56", "region": "sa-east-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1f70:e000:100::/56", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1f70:e000:200::/56", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1f70:e000:400::/56", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1f70:e000::/56", "region": "sa-east-1", "service": "AMAZON", "network_border_group": "sa-east-1" }, { "ipv6_prefix": "2600:1f18:3fff:f800::/56", "region": "us-east-1", "service": 
"ROUTE53_HEALTHCHECKS", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f18:7fff:f800::/56", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f70:8000::/56", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" }, { "ipv6_prefix": "2600:1f70:6000:100::/56", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f70:6000:200::/56", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f70:6000:300::/56", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f70:6000:400::/56", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f70:6000::/56", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2" }, { "ipv6_prefix": "2600:1f1c:7ff:f800::/56", "region": "us-west-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f1c:fff:f800::/56", "region": "us-west-1", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f70:c000:100::/56", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f70:c000:200::/56", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f70:c000:300::/56", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f70:c000:400::/56", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f70:c000::/56", "region": "us-west-1", "service": "AMAZON", "network_border_group": "us-west-1" }, { "ipv6_prefix": "2600:1f14:7ff:f800::/56", "region": "us-west-2", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": 
"us-west-2" }, { "ipv6_prefix": "2600:1f14:fff:f800::/56", "region": "us-west-2", "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1f70:4000:100::/56", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1f70:4000:200::/56", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1f70:4000:300::/56", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1f70:4000:400::/56", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" }, { "ipv6_prefix": "2600:1f70:4000::/56", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2" } ] } ================================================ FILE: ScoutSuite/data/icmp_message_types.json ================================================ { "metadata": { "generated_on": "September 14, 2015", "source": "https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml" }, "icmp_message_types": { "-1": "ALL", "0": "Echo Reply", "1": "Unassigned", "2": "Unassigned", "3": "Destination Unreachable", "4": "Source Quench (Deprecated)", "5": "Redirect", "6": "Alternate Host Address (Deprecated)", "7": "Unassigned", "8": "Echo", "9": "Router Advertisement", "10": "Router Selection", "11": "Time Exceeded", "12": "Parameter Problem", "13": "Timestamp", "14": "Timestamp Reply", "15": "Information Request (Deprecated)", "16": "Information Reply (Deprecated)", "17": "Address Mask Request (Deprecated)", "18": "Address Mask Reply (Deprecated)", "19": "Reserved (for Security)", "20": "Reserved (for Robustness Experiment)", "21": "Reserved (for Robustness Experiment)", "22": "Reserved (for Robustness Experiment)", "23": "Reserved (for Robustness Experiment)", "24": "Reserved (for Robustness Experiment)", "25": "Reserved (for Robustness Experiment)", "26": "Reserved (for Robustness Experiment)", 
"27": "Reserved (for Robustness Experiment)", "28": "Reserved (for Robustness Experiment)", "29": "Reserved (for Robustness Experiment)", "30": "Traceroute (Deprecated)", "31": "Datagram Conversion Error (Deprecated)", "32": "Mobile Host Redirect (Deprecated)", "33": "IPv6 Where-Are-You (Deprecated)", "34": "IPv6 I-Am-Here (Deprecated)", "35": "Mobile Registration Request (Deprecated)", "36": "Mobile Registration Reply (Deprecated)", "37": "Domain Name Request (Deprecated)", "38": "Domain Name Reply (Deprecated)", "39": "SKIP (Deprecated)", "40": "Photuris", "41": "ICMP messages utilized by experimental mobility protocols such as Seamoby", "42": "Extended Echo Request", "43": "Extended Echo Reply", "44": "Unassigned", "45": "Unassigned", "46": "Unassigned", "47": "Unassigned", "48": "Unassigned", "49": "Unassigned", "50": "Unassigned", "51": "Unassigned", "52": "Unassigned", "53": "Unassigned", "54": "Unassigned", "55": "Unassigned", "56": "Unassigned", "57": "Unassigned", "58": "Unassigned", "59": "Unassigned", "60": "Unassigned", "61": "Unassigned", "62": "Unassigned", "63": "Unassigned", "64": "Unassigned", "65": "Unassigned", "66": "Unassigned", "67": "Unassigned", "68": "Unassigned", "69": "Unassigned", "70": "Unassigned", "71": "Unassigned", "72": "Unassigned", "73": "Unassigned", "74": "Unassigned", "75": "Unassigned", "76": "Unassigned", "77": "Unassigned", "78": "Unassigned", "79": "Unassigned", "80": "Unassigned", "81": "Unassigned", "82": "Unassigned", "83": "Unassigned", "84": "Unassigned", "85": "Unassigned", "86": "Unassigned", "87": "Unassigned", "88": "Unassigned", "89": "Unassigned", "90": "Unassigned", "91": "Unassigned", "92": "Unassigned", "93": "Unassigned", "94": "Unassigned", "95": "Unassigned", "96": "Unassigned", "97": "Unassigned", "98": "Unassigned", "99": "Unassigned", "100": "Unassigned", "101": "Unassigned", "102": "Unassigned", "103": "Unassigned", "104": "Unassigned", "105": "Unassigned", "106": "Unassigned", "107": "Unassigned", 
"108": "Unassigned", "109": "Unassigned", "110": "Unassigned", "111": "Unassigned", "112": "Unassigned", "113": "Unassigned", "114": "Unassigned", "115": "Unassigned", "116": "Unassigned", "117": "Unassigned", "118": "Unassigned", "119": "Unassigned", "120": "Unassigned", "121": "Unassigned", "122": "Unassigned", "123": "Unassigned", "124": "Unassigned", "125": "Unassigned", "126": "Unassigned", "127": "Unassigned", "128": "Unassigned", "129": "Unassigned", "130": "Unassigned", "131": "Unassigned", "132": "Unassigned", "133": "Unassigned", "134": "Unassigned", "135": "Unassigned", "136": "Unassigned", "137": "Unassigned", "138": "Unassigned", "139": "Unassigned", "140": "Unassigned", "141": "Unassigned", "142": "Unassigned", "143": "Unassigned", "144": "Unassigned", "145": "Unassigned", "146": "Unassigned", "147": "Unassigned", "148": "Unassigned", "149": "Unassigned", "150": "Unassigned", "151": "Unassigned", "152": "Unassigned", "153": "Unassigned", "154": "Unassigned", "155": "Unassigned", "156": "Unassigned", "157": "Unassigned", "158": "Unassigned", "159": "Unassigned", "160": "Unassigned", "161": "Unassigned", "162": "Unassigned", "163": "Unassigned", "164": "Unassigned", "165": "Unassigned", "166": "Unassigned", "167": "Unassigned", "168": "Unassigned", "169": "Unassigned", "170": "Unassigned", "171": "Unassigned", "172": "Unassigned", "173": "Unassigned", "174": "Unassigned", "175": "Unassigned", "176": "Unassigned", "177": "Unassigned", "178": "Unassigned", "179": "Unassigned", "180": "Unassigned", "181": "Unassigned", "182": "Unassigned", "183": "Unassigned", "184": "Unassigned", "185": "Unassigned", "186": "Unassigned", "187": "Unassigned", "188": "Unassigned", "189": "Unassigned", "190": "Unassigned", "191": "Unassigned", "192": "Unassigned", "193": "Unassigned", "194": "Unassigned", "195": "Unassigned", "196": "Unassigned", "197": "Unassigned", "198": "Unassigned", "199": "Unassigned", "200": "Unassigned", "201": "Unassigned", "202": "Unassigned", 
"203": "Unassigned", "204": "Unassigned", "205": "Unassigned", "206": "Unassigned", "207": "Unassigned", "208": "Unassigned", "209": "Unassigned", "210": "Unassigned", "211": "Unassigned", "212": "Unassigned", "213": "Unassigned", "214": "Unassigned", "215": "Unassigned", "216": "Unassigned", "217": "Unassigned", "218": "Unassigned", "219": "Unassigned", "220": "Unassigned", "221": "Unassigned", "222": "Unassigned", "223": "Unassigned", "224": "Unassigned", "225": "Unassigned", "226": "Unassigned", "227": "Unassigned", "228": "Unassigned", "229": "Unassigned", "230": "Unassigned", "231": "Unassigned", "232": "Unassigned", "233": "Unassigned", "234": "Unassigned", "235": "Unassigned", "236": "Unassigned", "237": "Unassigned", "238": "Unassigned", "239": "Unassigned", "240": "Unassigned", "241": "Unassigned", "242": "Unassigned", "243": "Unassigned", "244": "Unassigned", "245": "Unassigned", "246": "Unassigned", "247": "Unassigned", "248": "Unassigned", "249": "Unassigned", "250": "Unassigned", "251": "Unassigned", "252": "Unassigned", "253": "RFC3692-style Experiment 1", "254": "RFC3692-style Experiment 2" } } ================================================ FILE: ScoutSuite/data/protocols.json ================================================ { "metadata": { "generated_on": "February 12, 2014", "source": "http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml" }, "protocols": { "-1": "ALL", "0": "HOPOPT", "1": "ICMP", "2": "IGMP", "3": "GGP", "4": "IPv4", "5": "ST", "6": "TCP", "7": "CBT", "8": "EGP", "9": "IGP", "10": "BBN-RCC-MON", "11": "NVP-II", "12": "PUP", "13": "ARGUS", "14": "EMCON", "15": "XNET", "16": "CHAOS", "17": "UDP", "18": "MUX", "19": "DCN-MEAS", "20": "HMP", "21": "PRM", "22": "XNS-IDP", "23": "TRUNK-1", "24": "TRUNK-2", "25": "LEAF-1", "26": "LEAF-2", "27": "RDP", "28": "IRTP", "29": "ISO-TP4", "30": "NETBLT", "31": "MFE-NSP", "32": "MERIT-INP", "33": "DCCP", "34": "3PC", "35": "IDPR", "36": "XTP", "37": "DDP", "38": "IDPR-CMTP", 
"39": "TP++", "40": "IL", "41": "IPv6", "42": "SDRP", "43": "IPv6-Route", "44": "IPv6-Frag", "45": "IDRP", "46": "RSVP", "47": "GRE", "48": "DSR", "49": "BNA", "50": "ESP", "51": "AH", "52": "I-NLSP", "53": "SWIPE", "54": "NARP", "55": "MOBILE", "56": "TLSP", "57": "SKIP", "58": "IPv6-ICMP", "59": "IPv6-NoNxt", "60": "IPv6-Opts", "62": "CFTP", "64": "SAT-EXPAK", "65": "KRYPTOLAN", "66": "RVD", "67": "IPPC", "69": "SAT-MON", "70": "VISA", "71": "IPCV", "72": "CPNX", "73": "CPHB", "74": "WSN", "75": "PVP", "76": "BR-SAT-MON", "77": "SUN-ND", "78": "WB-MON", "79": "WB-EXPAK", "80": "ISO-IP", "81": "VMTP", "82": "SECURE-VMTP", "83": "VINES", "84": "TTP", "84": "IPTM", "85": "NSFNET-IGP", "86": "DGP", "87": "TCF", "88": "EIGRP", "89": "OSPFIGP", "90": "Sprite-RPC", "91": "LARP", "92": "MTP", "93": "AX.25", "94": "IPIP", "95": "MICP", "96": "SCC-SP", "97": "ETHERIP", "98": "ENCAP", "100": "GMTP", "101": "IFMP", "102": "PNNI", "103": "PIM", "104": "ARIS", "105": "SCPS", "106": "QNX", "107": "A/N", "108": "IPComp", "109": "SNP", "110": "Compaq-Peer", "111": "IPX-in-IP", "112": "VRRP", "113": "PGM", "115": "L2TP", "116": "DDX", "117": "IATP", "118": "STP", "119": "SRP", "120": "UTI", "121": "SMP", "122": "SM", "123": "PTP", "124": "ISIS over IPv4", "125": "FIRE", "126": "CRTP", "127": "CRUDP", "128": "SSCOPMCE", "129": "IPLT", "130": "SPS", "131": "PIPE", "132": "SCTP", "133": "FC", "134": "RSVP-E2E-IGNORE", "135": "Mobility Header", "136": "UDPLite", "137": "MPLS-in-IP", "138": "manet", "139": "HIP", "140": "Shim6", "141": "WESP", "142": "ROHC" } } ================================================ FILE: ScoutSuite/output/__init__.py ================================================ ================================================ FILE: ScoutSuite/output/data/html/conditionals/json_format.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/conditionals/sqlite_format.html 
================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/about_scoutsuite.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/accordion.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/accordion_policy.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/left_menu_for_aliyun_region.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.actiontrail.trails.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.ecs.regions.id.instances.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.kms.regions.id.keys.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.oss.buckets.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.ram.groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.ram.policies.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.ram.roles.html ================================================ 
================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.ram.users.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.rds.regions.id.instances.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aliyun/services.vpc.regions.id.vpcs.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/left_menu_for_region.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/left_menu_for_vpc.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.acm.regions.id.certificates.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.awslambda.regions.id.functions.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.cloudformation.regions.id.stacks.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.cloudfront.distributions.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.cloudtrail.regions.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.cloudtrail.regions.id.trails.html ================================================ 
================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.cloudwatch.regions.id.alarms.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.cloudwatch.regions.id.metric_filters.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.config.regions.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.config.regions.id.recorders.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.config.regions.id.rules.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.dynamodb.regions.id.tables.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.ec2.regions.id.regional_settings.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.ec2.regions.id.snapshots.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.ec2.regions.id.volumes.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.ec2.regions.id.vpcs.id.images.html ================================================ ================================================ FILE: 
ScoutSuite/output/data/html/partials/aws/services.ec2.regions.id.vpcs.id.instances.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.ec2.regions.id.vpcs.id.security_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.ec2.regions.vpcs.security_groups.resource_list.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.ec2.regions.vpcs.security_groups.rule_list.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.elasticache.regions.id.parameter_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.elasticache.regions.id.security_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.elasticache.regions.id.subnet_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.elasticache.regions.id.vpcs.id.clusters.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.elb.regions.id.elb_policies.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.elb.regions.id.vpcs.id.elbs.html ================================================ ================================================ FILE: 
ScoutSuite/output/data/html/partials/aws/services.elb.regions.id.vpcs.id.elbs.linked_resources.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.elb.regions.id.vpcs.id.elbs.listener.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.elb.regions.id.vpcsid.elbs.linked_policy.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.elbv2.regions.id.vpcs.id.elbs.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.emr.regions.id.vpcs.id.clusters.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.iam.credential_reports.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.iam.groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.iam.inline_policies.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.iam.managed_policies.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.iam.managed_policies_list.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.iam.roles.html ================================================ 
================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.iam.users.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.kms.regions.id.keys.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.rds.regions.id.parameter_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.rds.regions.id.security_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.rds.regions.id.vpcs.id.instances.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.rds.regions.id.vpcs.id.snapshots.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.rds.regions.id.vpcs.id.subnet_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.redshift.regions.id.parameter_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.redshift.regions.id.vpcs.id.clusters.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.redshift.regions.id.vpcs.id.security_groups.html ================================================ ================================================ FILE: 
ScoutSuite/output/data/html/partials/aws/services.redshift.regions.vpcs.cluster_nodes.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.route53.regions.id.domains.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.route53.regions.id.hosted_zones.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.s3.acls.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.s3.bucket_iam_policies.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.s3.buckets.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.s3.buckets.objects.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.s3.public_access_block_configuration.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.secretsmanager.regions.id.secrets.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.ses.regions.id.identities.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.sns.regions.id.topics.html ================================================ 
================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.sqs.regions.id.queues.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.stackdriverlogging.sinks.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.vpc.regions.id.flow_logs.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.vpc.regions.id.peering_connections.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.vpc.regions.id.vpcs.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.vpc.regions.id.vpcs.id.network_acls.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.vpc.regions.id.vpcs.id.peering_connections.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/aws/services.vpc.regions.id.vpcs.id.subnets.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/details_for_subscription.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/left_menu_for_subscription.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.aad.applications.html 
================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.aad.groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.aad.policies.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.aad.service_principals.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.aad.users.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.appservice.subscriptions.id.web_apps.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.keyvault.subscriptions.id.vaults.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.loggingmonitoring.subscriptions.id.diagnostic_settings.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.loggingmonitoring.subscriptions.id.log_alerts.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.loggingmonitoring.subscriptions.id.log_profiles.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.loggingmonitoring.subscriptions.id.resources_logging.html ================================================ 
================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.mysqldatabase.subscriptions.id.servers.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.network.subscriptions.id.application_security_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.network.subscriptions.id.network_interfaces.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.network.subscriptions.id.security_groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.network.subscriptions.id.virtual_networks.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.network.subscriptions.id.virtual_networks.id.subnets.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.network.subscriptions.id.watchers.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.postgresqldatabase.subscriptions.id.servers.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.rbac.subscriptions.id.custom_roles_report.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.rbac.subscriptions.id.roles.html 
================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.securitycenter.subscriptions.id.auto_provisioning_settings.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.securitycenter.subscriptions.id.compliance_results.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.securitycenter.subscriptions.id.pricings.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.securitycenter.subscriptions.id.regulatory_compliance_results.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.securitycenter.subscriptions.id.security_contacts.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.securitycenter.subscriptions.id.settings.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.sqldatabase.subscriptions.id.servers.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.storageaccounts.subscriptions.id.storage_accounts.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.virtualmachines.subscriptions.id.disks.html ================================================ ================================================ FILE: 
ScoutSuite/output/data/html/partials/azure/services.virtualmachines.subscriptions.id.images.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.virtualmachines.subscriptions.id.instances.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/azure/services.virtualmachines.subscriptions.id.snapshots.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/count_badge.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/dashboard.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/details.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/details_for_region.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/details_for_vpc.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/do/services.database.databases.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/do/services.droplet.droplets.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/do/services.kubernetes.cluster.html ================================================ ================================================ FILE: 
ScoutSuite/output/data/html/partials/do/services.networking.domains.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/do/services.networking.firewalls.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/do/services.networking.load_balancers.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/do/services.spaces.buckets.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/ec2_grants.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/filters.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/details_for_gcp_region.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/details_for_gcp_zone.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/details_for_project.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/left_menu_for_gcp_region.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/left_menu_for_gcp_zone.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/left_menu_for_project.html 
================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.bigquery.projects.id.datasets.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.cloudmemorystore.projects.id.redis_instances.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.cloudsql.projects.id.instances.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.cloudstorage.projects.id.buckets.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.computeengine.projects.id.firewalls.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.computeengine.projects.id.global_forwarding_rules.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.computeengine.projects.id.networks.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.computeengine.projects.id.regions.id.forwarding_rules.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.computeengine.projects.id.regions.id.subnetworks.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.computeengine.projects.id.snapshots.html 
================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.computeengine.projects.id.zones.id.instances.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.dns.projects.id.managed_zones.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.functions.projects.id.functions_v1.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.functions.projects.id.functions_v2.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.iam.projects.id.bindings.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.iam.projects.id.bindings_separation_duties.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.iam.projects.id.domains.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.iam.projects.id.groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.iam.projects.id.service_accounts.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.iam.projects.id.users.html ================================================ 
================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.kms.projects.id.keyrings.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.kubernetesengine.clusters.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.stackdriverlogging.projects.id.logging_metrics.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.stackdriverlogging.projects.id.metrics.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.stackdriverlogging.projects.id.sinks.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.stackdrivermonitoring.projects.id.alert_policies.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.stackdrivermonitoring.projects.id.monitoring_alert_policies.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/gcp/services.stackdrivermonitoring.projects.id.uptime_checks.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/generic_object.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/ip_grants.html ================================================ ================================================ FILE: 
ScoutSuite/output/data/html/partials/kubernetes/details_for_kubernetes_resource.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/details_for_project.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/details_for_subscription.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/kubernetes_code.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/kubernetes_container_security_context.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/kubernetes_data.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/kubernetes_object.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/kubernetes_pod_security_context.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/kubernetes_resource_containers.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/kubernetes_resource_host.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/kubernetes_resource_limits.html ================================================ 
================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/left_menu_for_kubernetes_resource.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/left_menu_for_project.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/left_menu_for_subscription.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/services.eks.encryption.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/services.eks.logging.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/services.kubernetesengine.clusters.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/services.loggingmonitoring.subscriptions.id.diagnostic_settings.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/services.loggingmonitoring.subscriptions.id.log_alerts.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/services.loggingmonitoring.subscriptions.id.log_profiles.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/services.loggingmonitoring.subscriptions.id.resources_logging.html ================================================ 
================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/services.version.details.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/kubernetes/utils.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/last_run_details.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/left_menu.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/metadata.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/modal.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/network_interface.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/oci/services.identity.groups.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/oci/services.identity.policies.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/oci/services.identity.users.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/oci/services.kms.keyvaults.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/oci/services.objectstorage.buckets.html 
================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/policy.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/report_footer.html ================================================

Scout Suite is an open-source tool released by

================================================ FILE: ScoutSuite/output/data/html/partials/resource_link.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/resources_details.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/partials/singles.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/report.html ================================================ Scout Report

================================================ FILE: ScoutSuite/output/data/html/summaries/aliyun/services.ram.password_policy.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/aliyun/services.ram.security_policy.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/attack_surface.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/aws/services.ec2.external_attack_surface.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/aws/services.elb.external_attack_surface.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/aws/services.elbv2.external_attack_surface.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/aws/services.iam.password_policy.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/aws/services.iam.permissions.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/aws/services.rds.external_attack_surface.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/aws/services.redshift.external_attack_surface.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/azure/.keep ================================================ 
================================================ FILE: ScoutSuite/output/data/html/summaries/do/.gitkeep ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/gcp/.keep ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/kubernetes/services.kubernetes_workload.images.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/kubernetes/services.rbac.dangerous_grants.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/kubernetes/services.rbac.dodgy_subjects.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/kubernetes/services.rbac.permissive_bindings.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/oci/services.identity.password_policy.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/service_groups.compute.summaries.external_attack_surface.html ================================================ ================================================ FILE: ScoutSuite/output/data/html/summaries/service_groups.database.summaries.external_attack_surface.html ================================================ ================================================ FILE: ScoutSuite/output/data/inc-scoutsuite/css/modal.css ================================================ .modal-dialog .list-group-item { border: none; } .modal-header { background-color: #2C3E50; border-radius: 3px 3px 0 0; color: white; } .modal .close, .modal 
.close:not(:disabled):not(.disabled):hover, .modal .close:not(:disabled):not(.disabled):focus { color: white; } .modal-header { height: 65px; background: #414042; } .modal-body { overflow-y: auto; } .modal-body .list-group-item { background: transparent !important; } .modal-content { max-height: 80vh; } ================================================ FILE: ScoutSuite/output/data/inc-scoutsuite/css/scoutsuite-dark.css ================================================ .dropdown-item { color: #fff; } .dropdown-item.disabled, .dropdown-item:disabled { color: #647273; } a.nav-link { color: rgb(235, 235, 235) ; } .dropdown-submenu a.nav-link { color: rgb(235, 235, 235) ; } .bg-primary .navbar-nav .active>.nav-link { color: #fff !important; font-weight: bolder; font-size: 15px; transition: font-size 0.4s ease; } .navbar-brand .active { color: #fff !important; font-weight: bolder; font-size: 18px; transition: font-size 0.4s ease; } #double-column-left .list-group { border: 1px solid #444; } .dropdown-header { background: #7672779c; color: #fff; } .dropdown-submenu:hover, .dropdown-item:hover { background: transparent; color: #fff; border-left: 10px solid #c41230 ; -webkit-transition: border 0.2s ease-in-out; /* Safari */ transition: border 0.2s ease-in-out; } ::-webkit-scrollbar { background: transparent; padding: 2px; } ::-webkit-scrollbar-corner { background: transparent; } ::-webkit-scrollbar-thumb { background-clip: padding-box; background-color: rgba(168, 168, 168, 0.733); -webkit-box-shadow: inset -1px -1px 0px rgba(0, 0, 0, 0.05), inset 1px 1px 0px rgba(0, 0, 0, 0.05); } ::-webkit-scrollbar-button { width: 0; height: 0; display: none; } .show { border-bottom: unset; } .card-header { background-color: #626164; color: #fff !important; font-size: 14px; } span.slider.round { background: #c41230 !important; } .btn-light { background-color: #626164; } .btn-light:hover { background-color: #86858a; } .dropdown-menu { background: #414042; } .plain-link a:link, .plain-link 
a:visited, .plain-link a:active { color: #fff; text-decoration: none; } .disabled-link a:link, .disabled-link a:active, .disabled-link a:visited, .disabled-link a:hover { color: rgb(173, 173, 173); pointer-events: none; cursor: default; } .plain-link a:hover { text-decoration: underline; } .card-body { color: #fff; } #account_id .fa-cloud { color: #fff; margin-right: 5px; } .disabled-link a .finding-title { color: rgb(173, 173, 173) !important; } ================================================ FILE: ScoutSuite/output/data/inc-scoutsuite/css/scoutsuite-light.css ================================================ a.nav-link { color: rgb(235, 235, 235) ; } a.nav-link:hover { font-weight: bold; transition: all 0.2s ease; } .dropdown-submenu a.nav-link { color: #7b8a8b; } .dropdown-submenu a.nav-link:hover { color: black; border-left: 10px solid #c41230 ; -webkit-transition: border 0.2s ease-in-out; /* Safari */ transition: border 0.2s ease-in-out; } .bg-primary .navbar-nav .active>.nav-link, .navbar-brand .active { color: #fff !important; font-weight: bolder; font-size: 15px; transition: font-size 0.4s ease; } .navbar-brand .active { color: #fff !important; font-weight: bolder; font-size: 18px; transition: font-size 0.4s ease; } .finding.btn::before { color: black !important; } ================================================ FILE: ScoutSuite/output/data/inc-scoutsuite/css/scoutsuite.css ================================================ @import url("./modal.css"); a { color: #4990e2; } a:hover { color: #67acfc; text-decoration: none !important; } body { font-family: 'Roboto', sans-serif; font-size: 14px; } /* Bootstrap overrides */ .btn-success, .btn-success:focus { color: #fff; background-color: #23af44; border-color: #23af44; } .btn-success:hover, .btn-success:active { color: #fff; background-color: #1f9b3c; border-color: #1f9b3c; } .btn-warning:focus { color: #fff; background-color: #F39C12; border-color: #F39C12; } .btn-danger:focus { color: #fff; background-color: 
#E74C3C; border-color: #E74C3C; } .btn-info.disabled, .btn-info:disabled { color: rgb(255, 255, 255); background-color: rgb(180, 180, 180); border-color: rgb(180, 180, 180); } /* Scout Suite */ .item-margin { margin-left: 25px; } .no-margin { margin-left: -25px !important; } .finding-title { font-size: 14px !important; } .finding-badge { margin-bottom: 1px; margin-right: 8px; display: inline-block; border-radius: 100%; } .finding-badge-good:before { content: '\f058'; color: #23af44; } .finding-badge-warning:before { content: '\f06a'; color: #fdbe00; } .finding-badge-danger:before { content: '\f06a'; color:#ee293d; } .finding-badge-unknown:before { content: '\f111'; color: rgb(225, 225, 225); } .finding-good { color: #23af44; } .finding-warning { color: #fdbe00; } .finding-danger { color:#ee293d; font-weight: bold;} ul.no-bullet { list-style-type: none; } .list-sub-element { border: 0 !important; padding-left: 25px; } .list-group-item > .list-group-item { background: transparent; } .active-dropdown { color: #428bca; } .overlay-bg { position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: black; z-index: 1337; opacity: 0.5; display: none; } .overlay { position: fixed; top: 40%; left: 40%; max-height: 80%; background-color: white; z-index: 7331; overflow: auto; margin-left: -200px; margin-top: -200px; display: none; border-radius: 5px; } .plain-link a:link, .plain-link a:visited, .plain-link a:active { color: black; text-decoration: none; } .plain-link a:hover { text-decoration: underline; } .disabled-link a:link, .disabled-link a:active, .disabled-link a:visited, .disabled-link a:hover { color: rgb(173, 173, 173); pointer-events: none; cursor: default; } .dropdown-submenu { position: relative; } .dropdown-submenu>.dropdown-menu { top: 0; left: 100%; margin-top: -6px; margin-left: -1px; -webkit-border-radius: 0 6px 6px 6px; -moz-border-radius: 0 6px 6px; border-radius: 0 6px 6px 6px; } .dropdown-submenu:hover>.dropdown-menu { display: block; } 
.dropdown-submenu>a:after { display: block; content: " "; float: right; width: 0; height: 0; border-color: transparent; border-style: solid; border-width: 5px 0 5px 5px; border-left-color: #ccc; margin-top: 5px; } .dropdown-submenu:hover>a:after { border-left-color: #fff; } .dropdown-submenu.pull-left { float: none; } .dropdown-submenu.pull-left>.dropdown-menu { left: -100%; margin-left: 10px; -webkit-border-radius: 6px 0 6px 6px; -moz-border-radius: 6px 0 6px 6px; border-radius: 6px 0 6px 6px; } .dropdown-item.disabled, .dropdown-item:disabled { color: #bbcdce; } .rationale-overlay { z-index: 2147483647; display: block; position: fixed; width: 20%; display: none; } .switch { position: relative; display: inline-block; width: 26px; height: 14px; line-height: 1em; } .switch input { opacity: 0; width: 0; height: 0; } .slider { position: absolute; cursor: pointer; top: 0; left: 0; right: 0; bottom: 0; background-color: #ccc; } .slider:before { position: absolute; content: ""; height: 11px; width: 11px; left: 2px; bottom: 2px; background-color: white; } input:checked + .slider { background-color: #428bca; } input:focus + .slider { box-shadow: 0 0 1px 1px #428bca; } input:checked + .slider:before { -ms-transform: translateX(11px); transform: translateX(11px); } .slider.round { border-radius: 14px; top: 2px; bottom: -2px; } .slider.round:before { border-radius: 50%; } .sub-navbar { position: inherit; float: bottom; margin-top: 3rem; width: 100%; left: 0rem; right: 0rem; top: 0rem; padding-top: 2rem; padding-left: 8rem; align-content: stretch; z-index: -1; } .pr-0 { padding-right: 0rem; } .text-overflow { word-wrap: break-word; } .std-size { font-size: 18px; } .finding { position: relative; } .finding:before { color: #FFF; content: "\f068"; /* Fontawesome '+' */ left:5px; position:absolute; top:0; } .collapsed.finding:before { color: #FFF; content: "\f067"; /* Fontawesome '-' */ left:5px; position:absolute; top:0; } #last_run { width: 100%; } .list-group { margin-bottom: 
1em; } #double-column-left .list-group { margin: 3px 0; } #double-column-left .active a, #double-column-left .active .fa { color: #FFF !important; } #double-column-left .active .fa:hover { color: #c41230 !important; } .finding-learn-more i { font-size: 0.8em; } .finding_items { font-size: 18px; } .list-group-item { overflow: auto; background: rgba(0,0,0,.05); } .list-group-item.list-group-item { background: transparent; } .list-group-item.active { border: 0; background: #414042; } .bucket-name { white-space: nowrap; overflow: hidden; text-overflow: ellipsis; display: block; width: 150px; } .bucket-name:hover { cursor: pointer; } .table-padding > * { padding: 10px; } @media only screen and (max-width: 1200px) { #container-user { margin-top: 5rem !important; } } /* ------------------ Oliver CSS -------------------- */ #account_id { font-weight: bold; } #account_id .fa-cloud { color: black; margin-right: 5px; } #account_id .fa-chevron-right { margin-left: 5px; margin-right: 5px; } .navbar { background: #414042 !important; border-bottom: 10px solid #c41230; } .card-body { margin-bottom: -1px; padding: 0.75rem 1.25rem; margin-bottom: 0; color: inherit; font-size: 14px; } .card-body:nth-of-type(even) { background-color: #f7f7f7; } .card-header-dark { background-color: #414042 !important; color: #fff !important; font-size: 16px !important; } .card-body:first-child { border-radius: calc(0.25rem - 1px) calc(0.25rem - 1px) 0 0; } .dropdown-item { line-height: 2; font-size: 14px; height: 2.5rem; border-radius: unset !important; } .dropdown-item:hover { background: transparent; color: black; border-left: 10px solid #c41230 ; -webkit-transition: border 0.2s ease-in-out; /* Safari */ transition: border 0.2s ease-in-out; } .findings-filter { padding: 0; } #section_title-h2 { font-weight: bolder; } .show { border-bottom: 1px solid #d8d5d5; } .fa-download:before { padding-right: 6px !important; } .col-sm-9.w-100.pr-0 div .list-group .list-group-item { overflow: unset; } 
.col-sm-9.w-100.pr-0 div .list-group .list-group-item { overflow: auto; max-height: 40rem; } .table-striped tbody tr:first-of-type td { font-size: 16px; font-weight: bold; border-bottom: 1px solid #414042 ; } ::-webkit-scrollbar { background: transparent; padding: 2px; } ::-webkit-scrollbar-corner { background: transparent; } ::-webkit-scrollbar-thumb { background-clip: padding-box; background-color: rgba(0, 0, 0, 0.15); -webkit-box-shadow: inset -1px -1px 0px rgba(0, 0, 0, 0.05), inset 1px 1px 0px rgba(0, 0, 0, 0.05); } ::-webkit-scrollbar-button { width: 0; height: 0; display: none; } .dropdown-header { background: #f0f0f0b2; color: black; font-weight: bold; font-size: 15px; } .dropdown-menu li span { padding: 0.25rem 1.5rem; padding-right: 0; } .finding_items { color: black !important; } /* added scroll bar to filters as they were going off the page */ #filters\.list { overflow-x: auto; max-height: 90vh; } footer a { color: #c41230; } footer a:hover { color: #ee173a; } .code { font-size: 87.5%; color: #e83e8c; word-break: break-word; } ================================================ FILE: ScoutSuite/output/data/inc-scoutsuite/helpers.js ================================================ /********************** * Handlebars helpers * **********************/ Handlebars.registerHelper('displayPolicy', function (blob) { var policy = '{
' for (let attr in blob) { if (attr === 'Statement') { policy += '  "Statement": [
' for (let sid in blob['Statement']) { policy += '' + JSON.stringify(blob['Statement'][sid], null, 2) + ',\n' } policy += ' ]' } else { policy += ' "' + attr + '": ' + JSON.stringify(blob[attr], null, 2) } policy += ',\n' } policy += '}' return policy }) Handlebars.registerHelper('add_policy_path', function () { var policy = arguments[0] var path = arguments[1] for (var i = 2; i < arguments.length - 1; i++) { path = path + '\\.' + arguments[i] } policy['policy_path'] = path policy['policy_spath'] = path.replace(/\\/g, '') }) Handlebars.registerHelper('jsonToString', function (obj) { // TODO: find a better way to address Handlebars-specific indentation weirdness in
    return JSON.stringify(obj, null, 2).replace(/\r\n/g, `\r`).replace(/\n/g, `\r`)
})

// 'Yes' when `logins` is defined and not the empty string, otherwise 'No'
Handlebars.registerHelper('has_profiles?', function (logins) {
    var present = typeof logins !== 'undefined' && logins !== ''
    return present ? 'Yes' : 'No'
})

// Block form of has_profiles?, needed so templates can branch on the same test
Handlebars.registerHelper('ifHasProfiles', function (logins, options) {
    if (typeof logins === 'undefined' || logins === '') {
        return options.inverse(this)
    }
    return options.fn(this)
})

// Number of entries in `accessKeys`; 0 when it is undefined or the empty string
Handlebars.registerHelper('has_access_keys?', function (accessKeys) {
    if (typeof accessKeys === 'undefined' || accessKeys === '') {
        return 0
    }
    return accessKeys.length
})

// 'Yes' only when `mfaDevices` is defined, non-empty and holds at least one entry
Handlebars.registerHelper('has_mfa?', function (mfaDevices) {
    var enrolled = typeof mfaDevices !== 'undefined' && mfaDevices !== '' && mfaDevices.length > 0
    return enrolled ? 'Yes' : 'No'
})

// Concatenates the parse_entities() output for groups, roles and users, in that order.
// The result is returned as a plain string, so how it reaches the page depends on
// whether the calling template uses an escaping or a raw expression.
Handlebars.registerHelper('list_permissions', function (permissions) {
    if (typeof permissions === 'undefined' || permissions === '') {
        return ''
    }
    return '' +
        parse_entities('group', permissions.groups) +
        parse_entities('role', permissions.roles) +
        parse_entities('user', permissions.users)
})

// Checks whether the S3 object path built from bucketId, keyId and suffix is listed in
// the items of `finding`, and returns a string for the template to emit.
// NOTE(review): every branch returns '' in this listing and `level` is read but never
// used; the returned literals may have lost their content when the page was extracted,
// so confirm against the repository copy before relying on this text.
Handlebars.registerHelper('good_bad_icon', function (finding, bucketId, keyId, suffix) {
    // The path is plain string concatenation of the arguments; it is only compared
    // against the stored item paths with indexOf
    var keyPath = 's3.buckets.' + bucketId + '.keys.' + keyId + '.' + suffix
    var index = runResults['services']['s3']['findings'][finding]['items'].indexOf(keyPath)
    var level = runResults['services']['s3']['findings'][finding]['level']
    if (index > -1) {
        // The object is flagged by this finding
        return ''
    } else {
        var keyDetails = runResults['services']['s3']['buckets'][bucketId]['keys'][keyId]
        // Not flagged: distinguish objects for which the relevant attribute is present
        if ((finding === 's3-object-acls-mismatch-bucket') && ('grantees' in keyDetails)) {
            return ''
        } else if ((finding == 's3-object-unencrypted') && ('ServerSideEncryption' in keyDetails)) {
            return ''
        } else {
            return ''
        }
    }
})

// Passes the logging value through unchanged
Handlebars.registerHelper('has_logging?', (logging) => logging)

// Template-facing wrapper around the page-level finding_entity() function
Handlebars.registerHelper('finding_entity', (prefix, entity) => finding_entity(prefix, entity))

// Counts the entries reached by following a dot-separated path inside the ec2 or
// cloudtrail results; any other service yields 0
Handlebars.registerHelper('count_in', function (service, path) {
    var segments = path.split('.')
    var root
    if (service === 'ec2') {
        root = runResults['services']['ec2']
    } else if (service == 'cloudtrail') {
        root = runResults['services']['cloudtrail']
    } else {
        return 0
    }
    return recursiveCount(root, segments)
})

// Same count, but the dot-separated path starts at the root of runResults
Handlebars.registerHelper('count_in_new', function (path) {
    var segments = path.split('.')
    return recursiveCount(runResults, segments)
})

// Counts entries under one EC2 region: 'N/A' when there are no ec2 results,
// 0 when the region is not present
Handlebars.registerHelper('count_ec2_in_region', function (region, path) {
    if (typeof runResults['services']['ec2'] == 'undefined') {
        return 'N/A'
    }
    var segments = path.split('.')
    var regions = runResults['services']['ec2']['regions']
    for (let name in regions) {
        if (name === region) {
            return recursiveCount(regions[name], segments)
        }
    }
    return 0
})

// Splits text on newlines; a falsy value gives an empty list
Handlebars.registerHelper('split_lines', function (text) {
    if (!text) {
        return []
    }
    return text.split('\n')
})

// Number of enumerable keys in the network ACL dictionary
Handlebars.registerHelper('count_vpc_network_acls', function (vpcNetworkAcls) {
    var total = 0
    for (let _ in vpcNetworkAcls) {
        total += 1
    }
    return total
})

// Number of enumerable keys in the instance dictionary
Handlebars.registerHelper('count_vpc_instances', function (vpcInstances) {
    var total = 0
    for (let _ in vpcInstances) {
        total += 1
    }
    return total
})

// Total number of instances across all instance profiles
Handlebars.registerHelper('count_role_instances', function (instanceProfiles) {
    var total = 0
    for (let profile in instanceProfiles) {
        var attached = instanceProfiles[profile]['instances']
        for (let _ in attached) {
            total += 1
        }
    }
    return total
})

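/**
 * Counts the entries reached by walking a list of property names down a nested object.
 * At each level every key under `input[entity]` is visited and the remaining
 * names are applied to it; a node reached with no names left counts as one.
 * The first name is removed from `entities` in place, as before.
 * @param {object} input            The node to start from
 * @param {array} entities          Property names still to follow
 * @returns {number}
 */
var recursiveCount = function (input, entities) {
    // No names left: this node is one counted entry
    if (entities.length === 0) {
        return 1
    }
    var entity = entities.shift()
    // A missing node holds nothing to count (previously a TypeError inside the template)
    if (input === undefined || input === null) {
        return 0
    }
    var counter = 0
    for (let i in input[entity]) {
        // Each child gets its own copy of the remaining names. slice() replaces
        // eval(JSON.stringify(entities)): same copy, no dynamic code evaluation, and
        // the report keeps working under a Content-Security-Policy without 'unsafe-eval'.
        counter = counter + recursiveCount(input[entity][i], entities.slice())
    }
    return counter
}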

// Template-facing wrapper: looks the attribute up in the ec2 results
Handlebars.registerHelper('find_ec2_object_attribute', function (path, id, attribute) {
    var ec2 = runResults['services']['ec2']
    return findEC2ObjectAttribute(ec2, path, id, attribute)
})

// Formats a timestamp: numbers are multiplied by 1000 before being passed to Date,
// strings are handed to the Date constructor as they are (a Date object is returned)
Handlebars.registerHelper('format_date', function (time) {
    if (!time || time === '') {
        return 'No date available'
    }
    switch (typeof time) {
        case 'number':
            return new Date(time * 1000).toString()
        case 'string':
            return new Date(time)
        default:
            return 'Invalid date format'
    }
})

// Template-facing wrapper around the page-level makeTitle() function
Handlebars.registerHelper('makeTitle', (title) => makeTitle(title))

// Stores `value` on the current template context under `memberName`.
// NOTE(review): the property name is used as given; presumably templates pass
// literal names here - confirm none derive it from scanned data.
Handlebars.registerHelper('addMember', function (memberName, value) {
    var context = this
    context[memberName] = value
})

// Renders the block only when v1 and v2 are strictly different; there is no inverse branch
Handlebars.registerHelper('ifShow', function (v1, v2, options) {
    if (v1 === v2) {
        return
    }
    return options.fn(this)
})

// Branches on `typeof v1 === v2`; both branches render with v1 as their context
Handlebars.registerHelper('ifType', function (v1, v2, options) {
    return (typeof v1 === v2) ? options.fn(v1) : options.inverse(v1)
})

// Replaces every dot in a bucket name with a dash; undefined yields nothing
Handlebars.registerHelper('fixBucketName', function (bucketName) {
    if (bucketName === undefined) {
        return
    }
    return bucketName.replace(/\./g, '-')
})

// Picks the dashboard class: nothing checked, nothing flagged, or the finding's own level
Handlebars.registerHelper('dashboard_color', function (level, checked, flagged) {
    if (checked === 0) {
        return 'unknown disabled-link'
    }
    if (flagged === 0) {
        return 'good disabled-link'
    }
    return level
})

// Strict equality block helper
Handlebars.registerHelper('ifEqual', function (v1, v2, options) {
    return v1 === v2 ? options.fn(this) : options.inverse(this)
})

// Loose (type-coercing) equality block helper
Handlebars.registerHelper('ifLooseEqual', function (v1, v2, options) {
    return v1 == v2 ? options.fn(this) : options.inverse(this)
})

// Strict inequality block helper
Handlebars.registerHelper('unlessEqual', function (v1, v2, options) {
    return v1 !== v2 ? options.fn(this) : options.inverse(this)
})

// Renders the main block unless v1 is falsy, 'N/A' or 0
Handlebars.registerHelper('ifPositive', function (v1, options) {
    var nothingToShow = !v1 || v1 === 'N/A' || v1 === 0
    return nothingToShow ? options.inverse(this) : options.fn(this)
})

// Renders the main block when v1 > v2
Handlebars.registerHelper('greaterThan', function (v1, v2, options) {
    'use strict';
    return v1 > v2 ? options.fn(this) : options.inverse(this);
});

// Renders the main block when the object has at least one own enumerable key
Handlebars.registerHelper('hasKeys', function (obj, options) {
    var keyCount = Object.keys(obj).length;
    return keyCount > 0 ? options.fn(this) : options.inverse(this);
});

// True when the policy info carries a 'condition' key whose value is neither null nor undefined
Handlebars.registerHelper('has_condition', function (policyInfo) {
    return ('condition' in policyInfo) && (policyInfo['condition'] != null)
})

// Replaces dots and commas with the placeholder words used in element ids
Handlebars.registerHelper('escape_special_chars', function (value) {
    var withoutDots = value.replace(/\./g, 'nccdot')
    return withoutDots.replace(/,/g, 'ncccoma')
})

// Joins all arguments except the last one (the Handlebars options object) with dots
// and returns the value stored at that path
Handlebars.registerHelper('getValueAt', function () {
    var last = arguments.length - 1
    var path = arguments[0]
    var i = 1
    while (i < last) {
        path += '.' + arguments[i]
        i++
    }
    return getValueAt(path)
})

// Renders the main block when v1.length > v2
Handlebars.registerHelper('greaterLengthThan', function (v1, v2, options) {
    'use strict';
    return v1.length>v2 ? options.fn(this) : options.inverse(this);
});

// Joins all arguments except the last one with dots
Handlebars.registerHelper('concat', function () {
    var last = arguments.length - 1
    var path = arguments[0]
    var i = 1
    while (i < last) {
        path += '.' + arguments[i]
        i++
    }
    return path
})

// Joins all arguments except the last one with no separator
Handlebars.registerHelper('append', function () {
    var last = arguments.length - 1
    var path = arguments[0]
    var i = 1
    while (i < last) {
        path += arguments[i]
        i++
    }
    return path
})

// Joins two strings with the given separator
Handlebars.registerHelper('concatWith', function (str1, str2, sep) {
    var parts = [str1, str2];
    return parts.join(sep);
})

// Pretty-prints the first argument as JSON after removing its 'description' and
// 'args' members. The removal happens on the object that was passed in.
Handlebars.registerHelper('jsonStringify', function () {
    const body = arguments[0]
    const hidden = ['description', 'args']
    hidden.forEach(function (member) {
        delete body[member]
    })
    return JSON.stringify(body, null, 4)
})

// Uses the rule's own 'key' when it is truthy, else the first argument.
// Only the first dot is removed (string pattern, not a global regex).
Handlebars.registerHelper('get_key', function () {
    let rule = arguments[1]
    var key = rule['key'] ? rule['key'] : arguments[0]
    return key.replace('.', '')
})

// Toggles between the two severity labels: 'warning' gives 'danger', anything else gives 'warning'
Handlebars.registerHelper('other_level', function () {
    return arguments[0] === 'warning' ? 'danger' : 'warning'
})

// Based on http://funkjedi.com/technology/412-every-nth-item-in-handlebars, adapted for a dictionary:
// renders the block once per group of `every` keys, each time with a sub-dictionary as context
Handlebars.registerHelper('grouped_each', function (every, context, options) {
    var rendered = ''
    var names = Object.keys(context)
    var total = names.length
    if (!(context && total > 0)) {
        return rendered
    }
    var group = {}
    names.forEach(function (name, position) {
        // A full group is flushed before the first key of the next one is added
        if (position > 0 && position % every === 0) {
            rendered += options.fn(group)
            group = {}
        }
        group[name] = context[name]
    })
    // Flush the last (possibly partial) group
    rendered += options.fn(group)
    return rendered
})

// Takes a dict of findings and renders the block once per entry, in sorted order.
// The key for each element of the dict is added as a 'key' attribute of the element itself,
// so the objects inside `context` are modified.
// Ordering: entries with flagged items come before entries without; among flagged entries
// 'danger' precedes 'warning' and equal levels sort by description; among unflagged entries
// those with checked items come first, then by description.
Handlebars.registerHelper('each_dict_as_sorted_list', function (context, options) {
    var ret = ''

    var sortedFindingsKeys = Object.keys(context).sort(function (a, b) {
        // Neither entry is flagged
        if (context[a].flagged_items === 0 && context[b].flagged_items === 0) {
            if (context[a].checked_items === 0 && context[b].checked_items !== 0) return 1
            if (context[a].checked_items !== 0 && context[b].checked_items === 0) return -1
            if (context[a].description.toLowerCase() < context[b].description.toLowerCase()) return -1
            if (context[a].description.toLowerCase() > context[b].description.toLowerCase()) return 1
        }
        // Exactly one entry is flagged: it sorts first
        if ((context[a].flagged_items == 0 && context[b].flagged_items > 0) ||
            (context[a].flagged_items > 0 && context[b].flagged_items === 0)) {
            if (context[a].flagged_items > context[b].flagged_items) return -1
            return 1
        }
        // Both entries are flagged
        if (context[a].flagged_items > 0 && context[b].flagged_items > 0) {
            if (context[a].level === context[b].level) {
                if (context[a].description.toLowerCase() < context[b].description.toLowerCase()) return -1
                if (context[a].description.toLowerCase() > context[b].description.toLowerCase()) return 1
            } else {
                if (context[a].level.toLowerCase() === 'danger') return -1
                if (context[b].level.toLowerCase() === 'danger') return 1
                if (context[a].level.toLowerCase() === 'warning') return -1 // FIXME - these are duplicated for nothing?
                if (context[b].level.toLowerCase() === 'warning') return 1
                // NOTE(review): the next two lines repeat the two above and can never be reached
                if (context[a].level.toLowerCase() === 'warning') return -1
                if (context[b].level.toLowerCase() === 'warning') return 1
            }
        }
        // Anything not ordered above is treated as equal
        return 0
    })

    sortedFindingsKeys.forEach(function (key) {
        var obj = context[key]
        // Expose the dict key to the template
        obj['key'] = key
        // sorted_findings.push(obj)
        ret += options.fn(obj)
    })

    return ret
})

// Sorts a dict by an arbitrary key
Handlebars.registerHelper('each_dict_sorted', function (dict, key, opts) {
    // convert dict to an array
    var array = [];
    for (var k in dict) {
        if (dict.hasOwnProperty(k)) {
            array.push(dict[k]);
        }
    }
    // sort array
    var output = '';
    var contextSorted = array.concat().sort( function(a,b) { return a[key] - b[key] } );
    for(var i=0, j=contextSorted.length; i= getLastPageIndex(pathArray, pageSize))
    if (pathArray[2] === 'regions') {
      for (let region in runResults['services'][pathArray[1]]['regions']) {
        getResourcePageSqliteRegions(pageIndex, pageSize, pathArray[1], region, pathArray[4])
      }
      loadConfig('services.' + pathArray[1] + '.regions.' + pathArray[3] + '.' + pathArray[4], 2, true)
    } else {
      getResourcePageSqlite(pageIndex, pageSize, pathArray[1], pathArray[2])
      loadConfig(pathArray[0] + '.' + pathArray[1] + '.' + pathArray[2], 2, true)
    }
  }
}

/**
 * Returns the page size (in number of resources) and the current page index for a path.
 * Three-segment paths read the values next to the resource; five-segment (regional)
 * paths read them from the shared 'id' entry. Missing values fall back to
 * defaultPageSize and index 0.
 * @param {array} pathArray         The path of where the data is stored
 * @returns {array}                 [pageSize, pageIndex]
 */
function getPageInfo (pathArray) {
  let size, index
  const depth = pathArray.length
  if (depth === 3) {
    const holder = runResults[pathArray[0]][pathArray[1]]
    size = holder[pathArray[2] + '_page_size']
    index = holder[pathArray[2] + '_page_index']
  } else if (depth === 5) {
    // Pages with regions keep their paging state under 'id' rather than under each region
    const shared = runResults[pathArray[0]][pathArray[1]][pathArray[2]]['id']
    if (shared !== undefined) {
      size = shared[pathArray[4] + '_page_size']
      index = shared[pathArray[4] + '_page_index']
    }
  }
  if (size === undefined || size === null) {
    size = defaultPageSize
  }
  if (index === undefined || index === null) {
    index = 0
  }
  return [size, index]
}

/**
 * Loads the first page for every resource, or for every resource of every region
 * when the service is split into regions. Rebuilds the service's 'regions' entry in
 * runResults along the way.
 */
function loadFirstPageEverywhere () {
  for (let service in runResults['services']) {
    // Ask the database whether this service has regions (most AWS services do)
    const regionResult = requestDb(createQuery('services', service, 'regions'))
    if (regionResult === null || !regionResult.keys) {
      // No regions: page every resource that has a matching count entry
      for (let resource in runResults['services'][service]) {
        if (!resource.match(reCount)) {
          continue
        }
        loadPage(['services', service, resource.replace(reCount, '')], 0)
      }
      continue
    }
    const regionNames = regionResult.keys
    // Start from an empty 'regions' entry for the service
    runResults['services'][service]['regions'] = {}
    for (let position in regionNames) {
      const regionName = regionNames[position]
      // The 'id' key is where the page index/size are read from when loading the template
      runResults['services'][service]['regions'][regionName] = {id: null}
      const resources = requestDb(createQuery('services', service, 'regions', regionName))
      if (resources) {
        // The region is handed over wrapped in a one-element array, as before
        getRegionsResourcesFirstPage([regionName], service, resources.keys)
      }
    }
  }
}

/**
 * Loads the resources for the first page of one region of a service.
 * Entries named 'id', 'region' or 'name', and entries matching reCount, are fetched
 * whole; everything else is loaded one page at a time.
 * @param {string} region           The region to fetch for (the caller in this file passes a one-element array)
 * @param {string} service          The service to fetch for
 * @param {object} resources        The resource names to fetch
 */
function getRegionsResourcesFirstPage (region, service, resources) {
  for (let position in resources) {
    const name = resources[position]
    // These do not grow with the amount of resources, so fetch them in full
    const fetchWhole = name === 'id' || name === 'region' || name === 'name' || name.match(reCount)
    if (fetchWhole) {
      runResults['services'][service]['regions'][region][name] =
        requestDb(createQuery('services', service, 'regions', region, [name]), null)
    } else {
      // Scales with the amount of resources: only one page per region
      loadPage(['services', service, 'regions', region, name], 0)
    }
  }
}

/**
 * Returns the highest page index that can be selected.
 * Three-segment paths use the resource's own '_count'; other paths use the highest
 * count found across regions.
 * @param {array} pathArray         The path of where the data is stored
 * @param {number} pageSize         The amount of resources per page
 * @returns {number}
 */
function getLastPageIndex (pathArray, pageSize) {
  const resourceCount = pathArray.length === 3
    ? runResults[pathArray[0]][pathArray[1]][pathArray[2] + '_count']
    : getHighestResourceCount(pathArray)
  return Math.ceil(resourceCount / pageSize - 1)
}

/**
 * Returns the largest '_count' of a resource across all regions, so that pagination
 * can be limited to indexes that exist in at least one region.
 * @param {array} pathArray         The path of where the data is stored
 * @returns {number}
 */
function getHighestResourceCount (pathArray) {
  const regions = runResults[pathArray[0]][pathArray[1]][pathArray[2]]
  const countKey = pathArray[4] + '_count'
  let highest = 0
  for (let region in regions) {
    const count = regions[region][countKey]
    if (highest < count) {
      highest = count
    }
  }
  return highest
}

/**
 * Enables or disables the pagination buttons for the resource page being viewed;
 * hides them altogether when the results are in JSON format.
 */
function updateButtons () {
  const pathArray = getPathArray()
  if (!(pathArray.length > 1)) {
    return
  }
  if (getFormat() === resultFormats.json) {
    hidePaginationButtons()
    return
  }
  const [pageSize, pageIndex] = getPageInfo(pathArray)
  document.getElementById('page_backward').disabled = (pageIndex <= 0)
  document.getElementById('page_forward').disabled = (pageIndex >= getLastPageIndex(pathArray, pageSize))
}

/**
 * Hides both pagination buttons
 */
function hidePaginationButtons () {
  const buttonIds = ['page_backward', 'page_forward'];
  buttonIds.forEach(function (buttonId) {
    document.getElementById(buttonId).hidden = true;
  });
}

================================================
FILE: ScoutSuite/output/data/inc-scoutsuite/provider.js
================================================
/**
 * Returns the whole results dictionary held in the page-level scoutsuite_results variable
 * @returns {{account_id, last_run, metadata, provider_code, provider_name, service_groups, service_list, services, sg_map, subnet_map}|*}
 */
function getScoutsuiteResultsJson() {
    const results = scoutsuite_results;
    return results;
}


================================================
FILE: ScoutSuite/output/data/inc-scoutsuite/scoutsuite.js
================================================
// Globals
// Numeric codes for the formats a report's data can come in
const resultFormats = {'invalid': 0, 'json': 1, 'sqlite': 2}
// Frozen so the codes cannot be changed at runtime
Object.freeze(resultFormats)
// jQuery, taken from the window object
const $ = window.$
// Script ids whose templates have already been rendered (see loadConfig)
let loadedConfigArray = []
// The report data; declared here and assigned elsewhere
var runResults

/**
 * Event handlers: run onPageLoad once the document is ready
 */
$(document).ready(function () {
    onPageLoad()
})

/***
 * Generate a unique array
 * @param array
 * @returns {Array.|string}
 */
function arrayUnique(array) {
    var a = array.concat();
    for(var i=0; i ' + runResults['account_id']
    if (('organization' in runResults) && (value in runResults['organization'])) {
        value += ' (' + runResults['organization'][value]['Name'] + ')'
    }
    element.innerHTML = value
}

/**
 * Generic load JSON function: resolves the data for a script id inside runResults and
 * renders the matching Handlebars templates into the page.
 * @param {string} scriptId         Dot-separated path identifying the data and its templates
 * @param {number} cols             0 = metadata list, 1 = single column, 2 = two columns (default)
 * @param {boolean} force           Skip the "already loaded" checks and replace existing content
 * @returns {number}                0 when the data was already loaded, 1 otherwise
 */
function loadConfig(scriptId, cols, force) {
    // The already-loaded checks are skipped when forced and for external attack surface paths
    if (!force && !scriptId.endsWith('.external_attack_surface')) {
        console.log('Script ID: ' + scriptId);
        // Abort if data was previously loaded
        if (loadedConfigArray.indexOf(scriptId) > -1 ) {
            // When the path does not contain .id.
            console.log('Data was already loaded');
            return 0
        }
        // Replace every second segment from index 3 onwards with the generic 'id' placeholder
        let pathArray = scriptId.split('.')
        for (let i = 3; i < pathArray.length; i = i + 2) {
            pathArray[i] = 'id'
        }
        let fixedPath = pathArray.join('.')
        if (loadedConfigArray.indexOf(fixedPath) > -1) {
            // When the loaded path contains id but browsed-to path contains a specific value
            console.log('Fixed path: ' + fixedPath);
            console.log('ID was already substituted');
            return 0
        }
        pathArray[1] = 'id'
        fixedPath = pathArray.join('.')
        // NOTE(review): the two checks above use `> -1`; `> 0` ignores a match stored at
        // index 0 of loadedConfigArray - confirm whether that is intended
        if (loadedConfigArray.indexOf(fixedPath) > 0) {
            // Special case for services.id.findings
            return 0
        }
    }

    // Build the list based on the path, stopping at the first .id. value
    let list = runResults;
    let pathArray = scriptId.split('.id.')[0].split('.')
    // `i` is a string key here (for...in); the comparisons and arithmetic below rely on coercion
    for (let i in pathArray) {
        // Allows for creation of regions-filter etc...
        if (pathArray[i].endsWith('-filters')) {
            pathArray[i] = pathArray[i].replace('-filters', '')
        }
        // Descend one level; a segment that does not exist leaves `list` undefined and the
        // next iteration throws a TypeError
        list = list[pathArray[i]]
        // Filters
        if (pathArray[i] === 'items' && i > 3 && pathArray[i - 2] === 'filters') {
            return 1
        }
    }

    // Default # of columns is 2
    if ((cols === undefined) || (cols === null)) {
        cols = 2
    }

    // Update the DOM
    hideAll();
    if (cols === 0) {
        // Metadata
        scriptId = scriptId.replace('services.id.', '')
        processTemplate(scriptId + '.list.template', scriptId + '.list', list, force)
    } else if (cols === 1) {
        // Single-column display
        processTemplate(scriptId + '.details.template', 'single-column', list, force)
    } else if (cols === 2) {
        // Double-column display
        processTemplate(scriptId + '.list.template', 'double-column-left', list, force)
        processTemplate(scriptId + '.details.template', 'double-column-right', list, force)
    }

    // Update the list of loaded data (for cols === 0 this is the shortened id from above)
    if (loadedConfigArray.indexOf(scriptId) === -1) {
        loadedConfigArray.push(scriptId);
    }
    return 1
}

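/**
 * Compile a Handlebars template found in the page and write its output into a container.
 * Nothing happens when no element with the template id exists. When the container is
 * missing the output is dropped and a message is logged (this used to throw a TypeError).
 *
 * The output is assigned through innerHTML, so every value taken from `list` reaches
 * the DOM as markup. Escaping is whatever the template applies: `{{value}}` is
 * HTML-escaped by Handlebars, `{{{value}}}` and SafeString results are not. Values that
 * come from the scanned environment (names, tags, policy text) should only be
 * rendered through escaping expressions.
 * @param {string} id1              Id of the element holding the template source
 * @param {string} containerId      Id of the element receiving the rendered HTML
 * @param {object} list             Data exposed to the template as `items`
 * @param {boolean} replace         Replace the container's content instead of appending to it
 */
function processTemplate(id1, containerId, list, replace) {
    // Angle brackets never occur in template ids; strip them before the lookup
    id1 = id1.replace(/<|>/g, '')
    var templateElement = document.getElementById(id1)
    if (!templateElement) {
        return
    }
    var compiledTemplate = Handlebars.compile(templateElement.innerHTML)
    var innerHtml = compiledTemplate({items: list})
    var container = document.getElementById(containerId)
    if (!container) {
        console.log('No container with id: ' + containerId)
        return
    }
    if (replace) {
        container.innerHTML = innerHtml
    } else {
        container.innerHTML += innerHtml
    }
}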

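/**
 * Hide all lists and details, except the metadata, regions and filters lists.
 * The account id row is shown again when the "display on all pages" checkbox exists
 * and is checked. Also resets currentResourcePath.
 */
function hideAll() {
    $("[id$='.list']").not("[id='metadata.list']").not("[id='regions.list']").not("[id='filters.list']").hide()

    $("[id*='.details']").hide()
    var element = document.getElementById('scout_display_account_id_on_all_pages')
    // getElementById returns null, not undefined, for a missing element; the previous
    // `!== undefined` test let null through and then threw on `.checked`
    if (element && element.checked === true) {
        showRow('account_id')
    }
    currentResourcePath = ''
}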

/**
 * Show the list and the details container for a given path.
 * Each 'id' placeholder in the path is turned into a "one segment" regular-expression
 * fragment before matching. The dots in both the search pattern and the replacement
 * are unescaped, so they match any character.
 * @param path
 */
function showRow(path) {
    const pattern = path.replace(/.id./g, '.[^.]+.')
    showList(pattern)
    showDetails(pattern)
}

/**
 * Shows every div whose id matches the path followed by '.list'.
 * The path is interpreted as a regular expression, not as a literal string: it is
 * unanchored, and a path that is not a valid pattern makes the RegExp constructor throw.
 * @param {string} path
 */
function showList(path) {
    const lists = $('div').filter(function () {
        return new RegExp(path + '.list').test(this.id)
    })
    lists.show()
}

/**
 * Shows every div whose id matches the path followed by '.details'.
 * As in showList, the path is interpreted as an unanchored regular expression.
 * @param {string} path
 */
function showDetails(path) {
    const details = $('div').filter(function () {
        return new RegExp(path + '.details').test(this.id)
    })
    details.show()
}

/**
 * Hides the list with the given id, then the resource views below it.
 * The id is placed inside a quoted attribute selector as it is, so it must not
 * contain a single quote.
 * @param {string} path
 */
function hideList(path) {
    $("[id='" + path + "']").hide()
    hideItems(path.replace('.list', ''))
}

/**
 * Show links and views for a given path.
 * The path (with 'id' placeholders widened to one segment) is used as a regular
 * expression against the ids of all divs, first for '...link', then for '...view'.
 * @param path
 */
function showItems(path) {
    const prefix = path.replace(/.id./g, '.[^.]+.') + '.[^.]+.'
    const suffixes = ['link', 'view']
    suffixes.forEach(function (suffix) {
        $('div').filter(function () {
            return new RegExp(prefix + suffix).test(this.id)
        }).show()
    })
}

/**
 * Hide resource views for a given path.
 * The path is widened to a regular expression the same way as in showItems.
 * @param resourcePath
 */
function hideItems(resourcePath) {
    const pattern = resourcePath.replace(/.id./g, '.[^.]+.') + '.[^.]+.view'
    const views = $('div').filter(function () {
        return new RegExp(pattern).test(this.id)
    })
    views.hide()
}

/**
 * Hide the link divs of every item below a resource path.
 *
 * The path is turned into a regular expression (`.id.` becomes `.[^.]+.`,
 * followed by `.[^.]+.link`) and matched against div ids.
 * @param {string} resourcePath
 */
function hideLinks(resourcePath) {
    // TODO: Handle Region and VPC hiding...
    const pattern = resourcePath.replace(/.id./g, '.[^.]+.') + '.[^.]+.link'
    $('div').filter((_, div) => div.id.match(pattern)).hide()
}

/**
 * Set the URL hash to a path and show the matching row and items.
 * @param {string} path
 */
function updateHash(path) {
    window.location.hash = path

    // Also covers the case where the hash already equals `path`,
    // e.g. when clicking "Show All".
    showRowWithItems(path)
}

/**
 * Show the list, the details container, the links and the views for a path.
 * @param {string} path passed unchanged to showRow, then to showItems
 */
function showRowWithItems(path) {
    for (const show of [showRow, showItems]) {
        show(path)
    }
}

/**
 * Hide all filters, then show those that belong to a resource path.
 *
 * NOTE(review): the path and the service name are concatenated into attribute
 * selectors without escaping; a double quote in either would end the quoted
 * part of the selector early.
 * @param {string} resourcePath dotted path; its second segment is the service
 */
function showFilters(resourcePath) {
    hideFilters()

    // Service filters
    const serviceFilters = '[id="' + resourcePath + '.id.filters"]'
    $(serviceFilters).show()

    // Region filters of the same service
    const service = resourcePath.split('.')[1]
    const regionFilters = '[id*="regionfilters.' + service + '.regions"]'
    $(regionFilters).show()
}

/**
 * Hide service and region filters and reset the dashboard filter inputs.
 */
function hideFilters() {
    for (const selector of ['[id*=".id.filters"]', '[id*="regionfilters"]']) {
        $(selector).hide()
    }

    // Reset dashboard filters: empty the inputs and show every finding again
    $('.dashboard-filter').val('')
    $('.finding_items').each((_, item) => {
        $(item).show()
    })
}

/**
 * Show and highlight the items flagged by a finding.
 *
 * For each flagged item the owning resource is shown, the element carrying the
 * item id gets a `finding-<level>` class (`finding-title-<level>` for badges),
 * and a click handler is attached that offers to record the item as an
 * exception under exceptions[service][finding key].
 *
 * NOTE(review): item ids are concatenated into double-quoted attribute
 * selectors without escaping. A handler is attached on every call; whether
 * handlers pile up depends on the elements being re-rendered between calls.
 * @param {string} path path of the finding's `items` entry
 * @param {string} resourcePath path of the resources the finding applies to
 */
function showFindings(path, resourcePath) {
    const items = getValueAt(path)
    const level = getValueAt(path.replace('items', 'level'))
    const depth = resourcePath.split('.').length
    const pathParts = path.split('.')
    const findingService = pathParts[1]
    const findingKey = pathParts[pathParts.length - 2]

    for (const index in items) {
        const itemPath = items[index]

        // The resource is identified by as many segments as the resource path has
        const resourceId = 'services.' + itemPath.split('.').slice(0, depth).join('.')
        showSingleItem(resourceId)

        const $item = $('[id="' + itemPath + '"]')
        if ($item.hasClass('badge')) {
            $item.addClass('finding-title-' + level)
        } else {
            $item.addClass('finding-' + level)
            $('[class="' + itemPath + '"]').addClass('finding-' + level)
        }

        $item
            .removeClass('finding-hidden')
            .attr('data-finding-service', findingService)
            .attr('data-finding-key', findingKey)
            .click(function (e) {
                const findingId = getId(e.target)
                if (!(findingService in exceptions)) {
                    exceptions[findingService] = {}
                }
                const serviceExceptions = exceptions[findingService]
                if (!(findingKey in serviceExceptions)) {
                    serviceExceptions[findingKey] = []
                }
                const isException = confirm('Mark this item as an exception ?')
                if (isException && (serviceExceptions[findingKey].indexOf(findingId) == -1)) {
                    serviceExceptions[findingKey].push(findingId)
                }
            })
    }
}

/**
 * Return the id of an element or, if it has none, of its closest ancestor
 * that carries an id attribute.
 * @param element DOM element (or anything jQuery can wrap)
 */
function getId(element) {
    const owner = $(element).closest('[id]')
    return owner.attr('id')
}

/**
 * Show the view and the link of a single item.
 * @param {string} id item id, with or without the `.view` suffix
 */
function showSingleItem(id) {
    const viewId = id.endsWith('.view') ? id : id + '.view'
    // Only the first `.view` occurrence is swapped for `.link`
    const linkId = viewId.replace('.view', '.link')
    $("[id='" + viewId + "']").show()
    $("[id='" + linkId + "']").show()
}

/**
 * Toggle the element whose id is `<keyword>-<item>`.
 *
 * NOTE(review): the id is used as a `#` selector without escaping, so
 * characters with a meaning in selectors (such as `.` or `:`) change what is
 * selected.
 * @param {string} keyword
 * @param {string} item
 */
function toggleDetails(keyword, item) {
    $('#' + keyword + '-' + item).toggle()
}

/**
 * Mark the navigation bar entry that belongs to a path as active.
 *
 * An empty path activates the Scout Suite entry, a `services.<name>` path the
 * navbar ancestor of `<name>_subnavbar`, and a `service_groups.<group>` path
 * the `<group>_navbar` element.
 * @param {string} path
 */
function updateNavbar(path) {
    const navbarIdSuffix = '_navbar'
    const subnavbarIdSuffix = '_subnavbar'

    const segments = path.split('.')
    const isNavbarEntry = ($el) => {
        const id = $el.attr('id')
        return Boolean(id) && id.endsWith(navbarIdSuffix)
    }

    $('[id*="navbar"]').removeClass('active')

    if (path === '') {
        $('#scoutsuite_navbar').addClass('active')
    } else if (segments[0] === 'services') {
        // Climb from the sub-navbar entry until an element with a navbar id is reached
        let candidate = $('#' + segments[1] + subnavbarIdSuffix)
        while (candidate.length > 0 && !isNavbarEntry(candidate)) {
            candidate = candidate.parent()
        }
        if (candidate.length > 0) {
            candidate.addClass('active')
        }
    } else if (segments[0] === 'service_groups' && segments.length >= 2) {
        $('#' + segments[1] + navbarIdSuffix).addClass('active')
    }

    $('[id*="navbar"]').show()
}

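/**
 * Tell whether an element is NOT a navbar entry.
 *
 * Despite its name, the result is truthy when the element has no id or an id
 * that does not end with `_navbar`, which is the same condition as the loop in
 * updateNavbar. A falsy `element` is returned unchanged.
 * @param {*} element object exposing jQuery's `attr(name)`
 * @returns {*} the falsy `element`, or a boolean
 */
function hasNavbarSuffix(element) {
    // Declared here because the constant of the same name in updateNavbar is
    // local to that function and not visible from this one.
    const navbarIdSuffix = '_navbar'
    if (!element) {
        return element
    }
    const id = element.attr('id')
    return !id || !id.endsWith(navbarIdSuffix)
}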

/**
 * Toggle the element with the given id and rewrite its `bullet-<id>` marker.
 * @param {string} id element id, without the leading '#'
 */
function toggleVisibility(id) {
    let id1 = '#' + id
    $(id1).toggle()
    let id2 = '#bullet-' + id
    // NOTE(review): both branches write an empty string, so the marker is
    // cleared whatever the visibility. The per-state marker markup may have
    // been lost from this copy of the file; confirm against the upstream source.
    if ($(id1).is(':visible')) {
        $(id2).html('')
    } else {
        $(id2).html('')
    }
}

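/**
 * Walk nested data along a list of keys and call a function on every leaf.
 *
 * `entities` holds one key per nesting level. At every level but the last,
 * all children of `data[entity]` are visited recursively; at the last level
 * `callback(child, callbackArgs)` is called for each child.
 * The first entry is removed from the caller's `entities` array (kept for
 * compatibility); deeper levels work on copies.
 * @param {Object} data
 * @param {string[]} entities
 * @param {function} callback
 * @param {*} callbackArgs passed through to `callback` as second argument
 */
function iterateEC2ObjectsAndCall(data, entities, callback, callbackArgs) {
    if (entities.length === 0) {
        return
    }
    const entity = entities.shift()
    const recurse = entities.length > 0
    for (const key in data[entity]) {
        if (recurse) {
            // slice() copies the remaining keys without evaluating data as
            // code, so the page also works under a Content Security Policy
            // that does not allow 'unsafe-eval'.
            iterateEC2ObjectsAndCall(data[entity][key], entities.slice(), callback, callbackArgs)
        } else {
            callback(data[entity][key], callbackArgs)
        }
    }
}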

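/**
 * Find an object by key in nested data.
 *
 * `entities` holds one key per nesting level. The last level is searched for
 * a child whose key equals `id`; the levels above it are searched exhaustively.
 * The first entry is removed from the caller's `entities` array, which
 * findAndShowEC2Object relies on; deeper levels work on copies.
 * @param {Object} ec2Data
 * @param {string[]} entities
 * @param {string} id
 * @returns {*} the object found, or '' when there is none
 */
function findEC2Object(ec2Data, entities, id) {
    if (entities.length > 0) {
        const entity = entities.shift()
        const recurse = entities.length > 0
        for (const key in ec2Data[entity]) {
            if (recurse) {
                // slice() copies the remaining keys without evaluating data
                // as code (no eval, no need for 'unsafe-eval' under a CSP).
                const found = findEC2Object(ec2Data[entity][key], entities.slice(), id)
                if (found) {
                    return found
                }
            } else if (key === id) {
                return ec2Data[entity][key]
            }
        }
    }
    return ''
}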

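/**
 * Find an object by attribute values in nested data.
 *
 * `entities` holds one key per nesting level. At the last level the first
 * child whose attributes all equal the wanted values (compared
 * case-insensitively) is returned. A child that lacks one of the attributes,
 * or holds a non-string value for it, does not match.
 * The first entry is removed from the caller's `entities` array; deeper
 * levels work on copies.
 * @param {Object} ec2Data
 * @param {string[]} entities
 * @param {Object} attributes attribute name -> wanted string value
 * @returns {*} the object found, or '' when there is none
 */
function findEC2ObjectByAttr(ec2Data, entities, attributes) {
    // Case-insensitive on purpose: EC2 security groups referenced from RDS are lowercased.
    const matches = (candidate) => {
        for (const attr in attributes) {
            const actual = candidate ? candidate[attr] : undefined
            const wanted = attributes[attr]
            if (typeof actual !== 'string' || typeof wanted !== 'string') {
                return false
            }
            if (actual.toLowerCase() !== wanted.toLowerCase()) {
                return false
            }
        }
        return true
    }

    if (entities.length > 0) {
        const entity = entities.shift()
        const recurse = entities.length > 0
        for (const key in ec2Data[entity]) {
            const candidate = ec2Data[entity][key]
            if (recurse) {
                // slice() copies the remaining keys without evaluating data
                // as code (no eval, no need for 'unsafe-eval' under a CSP).
                const found = findEC2ObjectByAttr(candidate, entities.slice(), attributes)
                if (found) {
                    return found
                }
            } else if (matches(candidate)) {
                return candidate
            }
        }
    }
    return ''
}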

/**
 * Look up one attribute of the object that findEC2Object returns.
 * @param {Object} ec2Info
 * @param {string} path dotted list of the keys to descend through
 * @param {string} id
 * @param {string} attribute
 * @returns {*} the attribute value, or '' when the object or a truthy value is missing
 */
function findEC2ObjectAttribute(ec2Info, path, id, attribute) {
    const match = findEC2Object(ec2Info, path.split('.'), id)
    return match[attribute] || ''
}

/**
 * Find an EC2 object by id and show it in the popup.
 *
 * The template is chosen from the last path segment (instances,
 * security_groups, vpcs or network_acls); other types show nothing.
 * NOTE(review): nothing is looked up in the sqlite format, so the template
 * then receives `undefined`.
 * @param {string} path dotted list of the keys to descend through
 * @param {string} id
 */
function findAndShowEC2Object(path, id) {
    const entities = path.split('.')
    const format = getFormat()
    let object
    if (format === resultFormats.json) {
        object = findEC2Object(runResults['services']['ec2'], entities, id)
    } else if (format === resultFormats.sqlite) {
        console.log('TODO (SQlite) 1')
    }

    // findEC2Object removed the first entry; pop() yields the last one left
    switch (entities.pop()) {
    case 'instances':
        showPopup(single_ec2_instance_template(object))
        break
    case 'security_groups':
        showPopup(single_ec2_security_group_template(object))
        break
    case 'vpcs':
        showPopup(single_vpc_template(object))
        break
    case 'network_acls':
        object['name'] = id
        showPopup(single_vpc_network_acl_template(object))
        break
    }
}

/**
 * Find an EC2 object by attribute values and show it in the popup.
 *
 * Only paths whose last segment is `security_groups` show a popup.
 * NOTE(review): nothing is looked up in the sqlite format, so the template
 * then receives `undefined`.
 * @param {string} path dotted list of the keys to descend through
 * @param {Object} attributes attribute name -> wanted value
 */
function findAndShowEC2ObjectByAttr(path, attributes) {
    const entities = path.split('.')
    const format = getFormat()
    let object
    if (format === resultFormats.json) {
        object = findEC2ObjectByAttr(runResults['services']['ec2'], entities, attributes)
    } else if (format === resultFormats.sqlite) {
        console.log('TODO (SQLite) 2')
    }

    const etype = entities.pop()
    if (etype !== 'security_groups') {
        return
    }
    showPopup(single_ec2_security_group_template(object))
}

/**
 * Show an EC2 instance in the popup from data that is already at hand.
 * @param data instance data handed to the instance template
 */
function showEC2Instance2(data) {
    const rendered = single_ec2_instance_template(data)
    showPopup(rendered)
}

/**
 * Show an EC2 instance in the popup, looked up by region, VPC and id.
 *
 * NOTE(review): nothing is looked up in the sqlite format, so the template
 * then receives `undefined`.
 * @param region
 * @param vpc
 * @param id
 */
function showEC2Instance(region, vpc, id) {
    const format = getFormat()
    let data
    if (format === resultFormats.json) {
        const vpcData = runResults['services']['ec2']['regions'][region]['vpcs'][vpc]
        data = vpcData['instances'][id]
    } else if (format === resultFormats.sqlite) {
        console.log('TODO (SQLite) 3')
    }
    showPopup(single_ec2_instance_template(data))
}

/**
 * Show an EC2 security group in the popup, looked up by region, VPC and id.
 *
 * NOTE(review): nothing is looked up in the sqlite format, so the template
 * then receives `undefined`.
 * @param region
 * @param vpc
 * @param id
 */
function showEC2SecurityGroup(region, vpc, id) {
    const format = getFormat()
    let data
    if (format === resultFormats.json) {
        const vpcData = runResults['services']['ec2']['regions'][region]['vpcs'][vpc]
        data = vpcData['security_groups'][id]
    } else if (format === resultFormats.sqlite) {
        console.log('TODO (SQLite) 4')
    }
    showPopup(single_ec2_security_group_template(data))
}

/**
 * Show the resource at a path in the popup.
 *
 * The object returned by getResource is extended in place with one attribute
 * per `<collection>.<id>` pair of the path; getResource returns a reference
 * into runResults, so these attributes are added to the run results too.
 * When both `attrName` and `attrValue` are given, the first child whose
 * `attrName` equals `attrValue` is shown instead.
 *
 * The template is the global function `single_<type>_template`, with the type
 * built from path segments. NOTE(review): if no global function of that name
 * exists the call throws; confirm that callers only pass paths that have a
 * template.
 * @param {string} path
 * @param {string} attrName
 * @param {string} attrValue
 */
function showObject(path, attrName, attrValue) {
    const segments = path.split('.')
    const count = segments.length
    let data = getResource(path)

    // Add the resource path values to the data context
    for (let i = 0; i + 1 < count; i += 2) {
        const attribute = makeResourceTypeSingular(segments[i])
        data[attribute] = segments[i + 1]
    }

    // With a filter the path ends with the collection, otherwise with an id
    const filtering = attrName && attrValue
    if (filtering) {
        for (const key in data) {
            if (data[key][attrName] === attrValue) {
                data = data[key]
                break
            }
        }
    }
    const typeSegment = filtering ? segments[count - 1] : segments[count - 2]

    const singular = makeResourceTypeSingular(segments[1] + '_' + typeSegment)
    const template = 'single_' + singular + '_template'
    showPopup(window[template](data))
}

/**
 * Get a resource from the run results by following a dotted path.
 *
 * The value is returned by reference, not copied. A segment that is missing
 * part-way makes the next lookup throw.
 * @param {string} path
 */
function getResource(path) {
    return path.split('.').reduce((node, key) => node[key], runResults)
}

/**
 * Make a resource type singular: drop the last character, then turn a
 * trailing `ie` into `y` (`policies` becomes `policy`).
 * @param {string} resourceType
 * @returns {string}
 */
function makeResourceTypeSingular(resourceType) {
    const withoutLastChar = resourceType.slice(0, -1)
    return withoutLastChar.replace(/\.?ie$/, 'y')
}

/**
 * Display an IAM managed policy.
 *
 * NOTE(review): in the sqlite format, or for an unknown id, no data is found
 * and setting `policy_id` on it throws.
 * @param policyId
 */
function showIAMManagedPolicy(policyId) {
    const format = getFormat()
    let data
    if (format === resultFormats.json) {
        const policies = runResults['services']['iam']['policies']
        data = policies[policyId]
    } else if (format === resultFormats.sqlite) {
        console.log('TODO (SQLite) 6')
    }
    data['policy_id'] = policyId
    showIAMPolicy(data)
}

/**
 * Display an IAM inline policy of a given entity.
 *
 * NOTE(review): in the sqlite format no data is found and setting
 * `policy_id` on it throws.
 * @param iamEntityType key below `services.iam` that holds the entity
 * @param iamEntityName
 * @param policyId
 */
function showIAMInlinePolicy(iamEntityType, iamEntityName, policyId) {
    const format = getFormat()
    let data
    if (format === resultFormats.json) {
        const entity = runResults['services']['iam'][iamEntityType][iamEntityName]
        data = entity['inline_policies'][policyId]
    } else if (format === resultFormats.sqlite) {
        console.log('TODO (SQLite) 7')
    }
    data['policy_id'] = policyId
    showIAMPolicy(data)
}

/**
 * Display an IAM policy in the popup and toggle its details element.
 * @param data policy data; `report_id` selects the details element
 */
function showIAMPolicy(data) {
    const rendered = single_iam_policy_template(data)
    showPopup(rendered)
    $('#iam_policy_details-' + data['report_id']).toggle()
}

/**
 * Display an S3 bucket in the popup.
 *
 * NOTE(review): nothing is looked up in the sqlite format, so the template
 * then receives `undefined`.
 * @param bucketName
 */
function showS3Bucket(bucketName) {
    const format = getFormat()
    let data
    if (format === resultFormats.json) {
        const buckets = runResults['services']['s3']['buckets']
        data = buckets[bucketName]
    } else if (format === resultFormats.sqlite) {
        console.log('TODO (SQLite) 8')
    }
    showPopup(single_s3_bucket_template(data))
}

/**
 * Display an S3 object in the popup.
 *
 * The key and bucket ids are written onto the object's data before rendering.
 * NOTE(review): in the sqlite format no data is found and these writes throw.
 * @param bucketId
 * @param keyId
 */
function showS3Object(bucketId, keyId) {
    const format = getFormat()
    let data
    if (format === resultFormats.json) {
        const bucket = runResults['services']['s3']['buckets'][bucketId]
        data = bucket['keys'][keyId]
    } else if (format === resultFormats.sqlite) {
        console.log('TODO (SQLite) 9')
    }
    data['key_id'] = keyId
    data['bucket_id'] = bucketId
    showPopup(single_s3_object_template(data))
}

/**
 * Display content in the modal container.
 *
 * The content is inserted with jQuery's html(), i.e. interpreted as markup.
 * Callers in this file pass template output; any value a template emits
 * without escaping is therefore rendered as HTML.
 * @param {*} content
 */
function showPopup(content) {
    const $modal = $('#modal-container')
    $modal.html(content)
    $modal.modal()
}

/**
 * Get the format of the results that Scout Suite is reading from.
 *
 * The format is detected from marker elements in the page; the sqlite marker
 * is checked first.
 * @returns the matching entry of resultFormats, or resultFormats.invalid
 */
function getFormat() {
    const markers = [
        ['sqlite_format', 'sqlite'],
        ['json_format', 'json']
    ]
    for (const [elementId, format] of markers) {
        if (document.getElementById(elementId)) {
            return resultFormats[format]
        }
    }
    return resultFormats.invalid
}

/**
 * Load the run results and set up dashboards and dropdown menus.
 *
 * Fills the global `runResults` according to the result format, loads the
 * initial configs and registers a template for every resource type listed in
 * the metadata, then hides the "please wait" modal.
 */
function loadMetadata() {
    const format = getFormat()
    if (format === resultFormats.json) {
        runResults = getScoutsuiteResultsJson()
    } else if (format === resultFormats.sqlite) {
        runResults = requestDb()
        loadFirstPageEverywhere()
    }

    loadAccountId()

    // [path, cols] pairs, loaded in this order
    const initialConfigs = [
        ['last_run', 1],
        ['metadata', 0],
        ['services.id.findings', 1],
        ['services.id.filters', 0], // service-specific filters
        ['services.id.regions', 0] // region filters
    ]
    for (const [configPath, cols] of initialConfigs) {
        loadConfig(configPath, cols, false)
    }

    const metadata = runResults['metadata']
    for (const group in metadata) {
        for (const service in metadata[group]) {
            if (service === 'summaries') {
                continue
            }
            const sections = metadata[group][service]
            for (const section in sections) {
                for (const resourceType in sections[section]) {
                    const entry = sections[section][resourceType]
                    addTemplates(group, service, section, resourceType, entry['path'], entry['cols'])
                }
            }
        }
    }
    hidePleaseWait()
}

/**********************
 * Browsing functions *
 **********************/

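/**
 * Download a CSV summary with one row per finding of every service.
 *
 * Columns: service, description, number of flagged items and risk level.
 * NOTE(review): cell values are passed on unchanged; confirm that
 * downloadAsCsv quotes cells and neutralises leading formula characters.
 */
function exportSummary() {
    const results = getValueAt('')

    // Header row first, then one row per finding
    const rows = [['Service', 'Description', 'Affected resources', 'Risk level']]
    Object.values(results.services).forEach((service) => {
        Object.values(service.findings).forEach((finding) => {
            rows.push([finding.service, finding.description, finding.flagged_items, finding.level])
        })
    })

    downloadAsCsv('summary.csv', rows)
}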


/**
 * Show the "About Scout Suite" modal.
 */
function showAbout() {
    const $modal = $('#modal-container')
    $modal.html(about_scoutsuite_template())
    $modal.modal()
}

/**
 * Fade out the "Please Wait" modal and its backdrop over 500 ms.
 */
function hidePleaseWait () {
    for (const selector of ['#please-wait-modal', '#please-wait-backdrop']) {
        $(selector).fadeOut(500, () => { })
    }
}

/**
 * Show the last run details modal, rendered from the run results.
 */
function showLastRunDetails() {
    const $modal = $('#modal-container')
    $modal.html(last_run_details_template(runResults))
    $modal.modal()
}

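/**
 * Show the resources details modal and wire up its CSV download button.
 *
 * The download holds one row per service attribute whose name has `count` as
 * second or third `_`-separated part, whose value is not 0 and whose first
 * part is not `regions`. The resource column is the first part of the name.
 */
function showResourcesDetails() {
    const $modal = $('#modal-container')
    $modal.html(resources_details_template(runResults))
    $modal.modal()

    $('#resources_details_download_csv_button').click(function () {
        const results = getValueAt('')
        const rows = [['Service', 'Resource', '#']]
        Object.entries(results.services).forEach(([serviceName, service]) => {
            Object.entries(service).forEach(([key, value]) => {
                const parts = key.split('_')
                const isCount = parts[1] == 'count' || parts[2] == 'count'
                if (isCount && value != 0 && parts[0] != 'regions') {
                    rows.push([serviceName, parts[0], value.toString()])
                }
            })
        })
        downloadAsCsv('findings_summary.csv', rows)
    })
}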


/**
 * Show the main dashboard: account id and last run rows only, no filters,
 * no download or paging buttons, empty titles and no URL hash.
 */
function showMainDashboard() {
    hideAll()
    hideFilters()

    for (const selector of ['#findings_download_button', '#paging_buttons']) {
        $(selector).hide()
    }
    for (const row of ['account_id', 'last_run']) {
        showRowWithItems(row)
    }
    for (const heading of ['#section_title-h2', '#section_paging-h2']) {
        $(heading).text('')
    }

    // Remove the URL hash
    const urlWithoutHash = window.location.pathname + window.location.search
    history.pushState('', document.title, urlWithoutHash)
    updateNavbar('')
}

/**
 * Make a page title from a resource path.
 *
 * The first `service_groups.` occurrence is dropped, the service name comes
 * from getService and the last path segment is split on `_` and capitalised;
 * `Acl` is then spelled `ACL` and `Findings` is replaced by `Dashboard`.
 * @param {string} resourcePath
 * @returns {string} `<service> <formatted last segment>`
 */
function makeTitleAcl(resourcePath) {
    resourcePath = resourcePath.replace('service_groups.', '')
    let service = getService(resourcePath)

    // Capitalise each `_`-separated part of the last path segment
    const parts = resourcePath.split('.').pop().split('_').map(part => `${part.charAt(0).toUpperCase()}${part.substring(1).toLowerCase()}`)
    let formatted = ''
    do {
        const part = parts.shift()
        // Parts longer than one character are padded with spaces, single characters are glued on
        formatted += part.length > 1 ? ` ${part} ` : part
    } while (parts.length > 0)

    // NOTE(review): the last replace() on the next line has an empty pattern
    // (`//g`), which JavaScript reads as the start of a line comment. The
    // regular expression appears to have been lost from this copy of the file;
    // restore it from the upstream source rather than guessing.
    formatted = formatted.replace(/Acl/g, 'ACL').replace('Findings', 'Dashboard').replace(//g, '').trim()

    return service + ' ' + formatted
}

/**
 * Return the display name of the service a resource path belongs to.
 *
 * The service is the second segment when the path starts with `services`,
 * the first segment otherwise; it is formatted with makeTitle.
 * @param {string} resourcePath
 * @returns {string}
 */
function getService(resourcePath) {
    const segmentIndex = resourcePath.startsWith('services') ? 1 : 0
    return makeTitle(resourcePath.split('.')[segmentIndex])
}

/**
 * Update the contents of the title heading.
 *
 * The title is set with jQuery's text(), so it is shown as plain text and not
 * interpreted as markup.
 * @param {string} title
 */
function updateTitle(title) {
    const $heading = $('#section_title-h2')
    $heading.text(title)
}

/**
 * Update the page from the current URL hash.
 *
 * The hash is filtered through a character allow-list and handed to
 * updateDOM; an empty result shows the main dashboard.
 */
function showPageFromHash() {
    // NOTE(review): inside the character class `|` is a literal and `#-_` is a
    // range (U+0023 to U+005F), so characters such as < > ' ( ) / % and = also
    // pass this filter. Narrowing the class could drop characters that
    // resource ids use today; confirm the set of valid id characters first.
    // `myhash` is assigned without a declaration in this function.
    myhash = location.hash.replace(/[^a-zA-Z|0-9|.#-_]/gi,'')
    updateDOM(myhash || '')
}

// Re-render the page whenever the URL hash changes
window.onhashchange = showPageFromHash

/**
 * Get the value at a dotted path of the run results.
 * @param {string} path
 * @returns {*} whatever getValueAtRecursive finds below runResults
 */
function getValueAt(path) {
    const root = runResults
    return getValueAtRecursive(path, root)
}

/**
 * Get the value at a dotted path below `source`.
 *
 * A segment equal to `id` acts as a wildcard: every key of the current node
 * is tried in its place and the values found are concatenated into one array.
 * Lookup errors are logged and the walk goes on with the value reached so far.
 * @param {string} path
 * @param {*} source
 * @returns {*}
 */
function getValueAtRecursive(path, source) {
    let node = source
    let remaining = path
    // Consume one path segment per iteration
    while (remaining) {
        const dot = remaining.indexOf('.')
        const hasMore = dot != -1
        const segment = hasMore ? remaining.substr(0, dot) : remaining

        try {
            if (segment == 'id') {
                // Wildcard: substitute every key of the node and recurse
                const tail = remaining.substr(dot, remaining.length)
                let collected = []
                for (const child in node) {
                    const sub = getValueAtRecursive(child + tail, node)
                    // Take the values only, not key/value pairs
                    collected = collected.concat(Object.values(sub))
                }
                return collected
            }
            // Plain segment: descend one level
            node = node[segment]
        } catch (err) {
            console.log('Error: ' + err)
        }

        // Move on to the rest of the path, or stop after the last segment
        remaining = hasMore ? remaining.substr(dot + 1, remaining.length) : false
    }
    return node
}

// Resource path of the view currently shown; reset to '' by hideAll and set by updateDOM
var currentResourcePath = ''

/**
 * Update the page for a URL hash.
 *
 * Updates buttons, navbar and title, clears finding highlighting and then
 * shows the dashboard, a finding, or a resource view depending on the path.
 * @param {string} anchor URL hash, with or without the leading '#'
 */
function updateDOM(anchor) {
    // Enable or disable the buttons depending on the current page
    updateButtons()

    // Strip the # sign and undo percent-encoding.
    // NOTE(review): showPageFromHash filters the raw hash before calling this
    // function and its filter lets `%` through, so percent-encoded characters
    // are decoded here, after the filter. decodeURIComponent also throws a
    // URIError on a malformed sequence, which aborts the update.
    const path = decodeURIComponent(anchor.replace('#', ''))

    // Resource path that corresponds to the browsed-to path
    const resourcePath = getResourcePath(path)

    updateNavbar(path)

    // Paths ending with one of these get no download and paging buttons
    const pathSuffixes = [
        'findings',
        'statistics',
        'password_policy',
        'security_policy',
        'permissions',
        '',
        'external_attack_surface',
        'output',
    ]
    const hideButtons = pathSuffixes.some(suffix => path.endsWith(`.${suffix}`))
    for (const selector of ['#findings_download_button', '#paging_buttons']) {
        if (hideButtons) {
            $(selector).hide()
        } else {
            $(selector).show()
        }
    }

    // Findings are titled with their description, other pages with their path
    const title = path.endsWith('.items')
        ? getValueAt(path.replace('items', 'description'))
        : makeTitleAcl(resourcePath)
    updateTitle(title)

    // Clear findings highlighting
    $('span').removeClass('finding-danger finding-warning')

    // DOM Update
    if (path === '') {
        showMainDashboard()
    } else if (path.endsWith('.items')) {
        // Switch view for findings
        lazyLoadingJson(resourcePath)
        hideAll()
        hideItems(resourcePath)
        hideLinks(resourcePath)
        showRow(resourcePath)
        showFindings(path, resourcePath)
        currentResourcePath = resourcePath
        showFilters(resourcePath)
    } else if (lazyLoadingJson(resourcePath) == 0) {
        // 0 means the data was already loaded, so the DOM has to be updated here
        console.log(resourcePath + ' has already been loaded')
        if (path.endsWith('.view')) {
            // Same details, one item
            hideItems(currentResourcePath)
            showSingleItem(path)
        } else if (currentResourcePath !== '' && resourcePath.match(currentResourcePath.replace(/.id./g, '.[^.]+.'))) {
            // Same details, multiple items
            hideItems(currentResourcePath)
            showItems(path)
        } else {
            // Switch view for resources
            console.log('Switching view to ' + resourcePath)
            hideAll()
            showRowWithItems(resourcePath)
            // showFilters(resourcePath)
            currentResourcePath = resourcePath
        }
    } else {
        // The lazy loading function updated the DOM; remember the resource path
        console.log('View was updated via lazyloading')
        showFilters(resourcePath)
        currentResourcePath = resourcePath
    }

    // Scroll to the top
    window.scrollTo(0, 0)
}

/**
 * Load the config for a resource path with the column count from the metadata.
 *
 * The service is the second path segment and the resource type the last one.
 * The first metadata group that contains the service decides the column
 * count; 1 is used when the resource type is not listed there.
 * @param {string} path
 * @returns {number} the result of loadConfig; updateDOM treats 0 as "already loaded"
 */
function lazyLoadingJson(path) {
    const segments = path.split('.')
    const service = segments[1]
    const resourceType = segments[segments.length - 1]
    const metadata = runResults['metadata']

    let cols = 1
    for (const group in metadata) {
        const services = metadata[group]
        if (!(service in services)) {
            continue
        }
        const resources = services[service]['resources']
        if (resourceType in resources) {
            cols = resources[resourceType]['cols']
        }
        break
    }
    return loadConfig(path, cols, false)
}

/**
 * Get the resource path that corresponds to a browsed-to path.
 *
 * For a finding (`.items`) it is `services.` plus the finding's display path
 * (or its path, when no display path is set) without the last segment. For a
 * `.view` path it is the current resource path. Any other path is returned as is.
 * @param {string} path
 * @returns {string}
 */
function getResourcePath(path) {
    if (path.endsWith('.items')) {
        let findingPath = getValueAt(path.replace('items', 'display_path'))
        if (findingPath === undefined) {
            findingPath = getValueAt(path.replace('items', 'path'))
        }
        const withoutLastSegment = findingPath.split('.').slice(0, -1)
        return 'services.' + withoutLastSegment.join('.')
    }
    if (path.endsWith('.view')) {
        // Resource path is not changed (this may break when using the browser's `back' button)
        return currentResourcePath
    }
    return path
}

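/**
 * Format a service or resource name as a title.
 *
 * Known acronyms are upper-cased, names with a dedicated spelling are looked
 * up, and any other name is split on `_` and capitalised part by part.
 * A value that is not a string is logged and returned as a string.
 * @param {string} title
 * @returns {string}
 */
function makeTitle(title) {
    if (typeof (title) !== 'string') {
        console.log('Error: received title ' + title + ' (string expected).')
        // String() also handles null and undefined, where .toString() throws
        return String(title)
    }

    const uppercaseTitles = [
        'acm', 'aks', 'ec2', 'ecr', 'ecs', 'efs', 'eks', 'gke', 'iam', 'kms', 'rbac',
        'rds', 'sns', 'ses', 'sqs', 'vpc', 'elb', 'elbv2', 'emr', 'dns', 'oss', 'ram',
    ]

    const formattedTitles = {
        'cloudtrail': 'CloudTrail',
        'cloudwatch': 'CloudWatch',
        'cloudformation': 'CloudFormation',
        'cloudfront': 'CloudFront',
        'awslambda': 'Lambda',
        'docdb': 'DocumentDB',
        'dynamodb': 'DynamoDB',
        'guardduty': 'GuardDuty',
        'secretsmanager': 'Secrets Manager',
        'ssm': 'Systems Manager',
        'elasticache': 'ElastiCache',
        'redshift': 'RedShift',
        'cloudstorage': 'Cloud Storage',
        'cloudsql': 'Cloud SQL',
        'stackdriverlogging': 'Stackdriver Logging',
        'stackdrivermonitoring': 'Stackdriver Monitoring',
        'computeengine': 'Compute Engine',
        'cloudmemorystore': 'Cloud Memorystore',
        'aad': 'Azure Active Directory',
        'storageaccounts': 'Storage Accounts',
        'sqldatabase': 'SQL Database',
        'virtualmachines': 'Virtual Machines',
        'securitycenter': 'Security Center',
        'keyvault': 'Key Vault',
        'appgateway': 'Application Gateway',
        'rediscache': 'Redis Cache',
        'appservice': 'App Services',
        'loadbalancer': 'Load Balancer',
        'actiontrail': 'ActionTrail',
        'objectstorage': 'Object Storage',

        // Azure and Kubernetes
        'loggingmonitoring': 'Azure Monitor',

        // Kubernetes. This key was listed twice ('Kubernetes Engine', then
        // 'GKE'); the later entry is the one that took effect and is kept.
        'kubernetesengine': 'GKE'
    }

    title = title.toLowerCase()
    if (uppercaseTitles.indexOf(title) !== -1) {
        return title.toUpperCase()
    }
    // Own keys only, so names such as 'constructor' are not resolved to
    // inherited properties. A name whose prefix before `_` is a known key but
    // which is not a key itself falls through to the generic formatting.
    if (Object.prototype.hasOwnProperty.call(formattedTitles, title)) {
        return formattedTitles[title]
    }

    // Parts longer than one character are padded with spaces, single characters are glued on
    return title.split('_')
        .map(part => `${part.charAt(0).toUpperCase()}${part.substring(1).toLowerCase()}`)
        .map(part => part.length > 1 ? ` ${part} ` : part)
        .join('')
        .trim()
}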

/**
 * Toggle between the truncated and the full-length display of a bucket name.
 *
 * Switches the element's `display` style between `contents` and `block`.
 * @param name element showing the bucket name (its `style.display` is changed)
 */
function toggleName(name) {
    const expanded = name.style.display === 'contents'
    name.style.display = expanded ? 'block' : 'contents'
}

/**
 * Add the templates of a resource type: always the details template, plus
 * the list template when there is more than one column.
 * @param group
 * @param service
 * @param section
 * @param resourceType
 * @param path
 * @param cols number of columns; 2 when undefined
 */
function addTemplates(group, service, section, resourceType, path, cols) {
    const columnCount = cols === undefined ? 2 : cols
    const suffixes = columnCount > 1 ? ['details', 'list'] : ['details']
    for (const suffix of suffixes) {
        addTemplate(group, service, section, resourceType, path, suffix)
    }
}

/**
 * Add a Handlebars template script for a resource type to the page.
 *
 * Only the `resources` section adds anything. The partial is chosen from the
 * path (VPC, subscription, GCP zone, GCP region, region or project scope, in
 * that order), then from the Kubernetes check, else the plain partial is used.
 *
 * NOTE(review): group, service, resource type and path are concatenated into
 * the template source inside single quotes without escaping. loadMetadata
 * takes them from the run results metadata; a value containing a quote or
 * braces would change the template.
 * @param group
 * @param service
 * @param section
 * @param resourceType
 * @param path
 * @param suffix `list` or `details`
 */
function addTemplate(group, service, section, resourceType, path, suffix) {
    const template = document.createElement('script')
    template.type = 'text/x-handlebars-template'
    template.id = path + '.' + suffix + '.template'
    if (section !== 'resources') {
        return
    }

    // Path fragment per suffix and the partial name part it selects; the
    // order matters and the GCP fragments differ between list and details.
    const scopes = [
        { list: '.vpcs.id.', details: '.vpcs.id.', name: 'vpc' },
        { list: '.subscriptions.id.', details: '.subscriptions.id.', name: 'subscription' },
        { list: 'projects.id.zones.id.', details: 'projects.id.zones.id', name: 'gcp_zone' },
        { list: 'projects.id.regions.id.', details: 'projects.id.regions.id', name: 'gcp_region' },
        { list: '.regions.id.', details: '.regions.id.', name: 'region' },
        { list: '.projects.id.', details: '.projects.id.', name: 'project' }
    ]

    let partialName = ''
    if (suffix === 'list' || suffix === 'details') {
        const base = suffix === 'list' ? 'left_menu' : 'details'
        // A fragment at position 0 does not count as a match
        const scope = scopes.find(candidate => path.indexOf(candidate[suffix]) > 0)
        if (scope) {
            partialName = base + '_for_' + scope.name
        } else if (group === '_scout_suite_aggregation' || (group.length === 1 && resourceType.startsWith('v'))) {
            // no real way to categorize Kubernetes resources
            partialName = base + '_for_kubernetes_resource'
        } else {
            partialName = base
        }
    } else {
        console.log('Invalid suffix (' + suffix + ') for resources template.')
    }

    template.innerHTML = '{{> ' + partialName + " service_group = '" + group + "' service_name = '" + service + "' resource_type = '" + resourceType + "' partial_name = '" + path + "'}}"
    $('body').append(template)
}

/**
 * Rules generator
 * @param group
 * @param service
 */
function filterRules(group, service) {
    // Every rule element carries "rule-" somewhere in its id
    var allRules = $("[id*='rule-']")
    if (service === undefined) {
        allRules.show()
    } else {
        // NOTE(review): service is concatenated into the selector unescaped; presumably it is
        // always a plain service name - confirm against the callers
        var serviceSelector = "[id*='rule-" + service + "']"
        allRules.not(serviceSelector).hide()
        $(serviceSelector).show()
    }
    // Hide the list of the group the filter was picked from
    var groupListId = 'groups.' + group + '.list'
    $("[id='" + groupListId + "']").hide()
}

/**
 * Downloads the configuration
 * @param {object} configuration
 * @param {string} name
 * @param {string} prefix
 */
function downloadConfiguration(configuration, name, prefix) {
    // Serialize with a 4-space indent, prepend the caller's prefix, and hand it over as a data: URI
    var payload = prefix + JSON.stringify(configuration, null, 4)
    var href = 'data:text/json;charset=utf-8,' + encodeURIComponent(payload)
    // The page is expected to contain an anchor with this id; clicking it triggers the download
    var anchor = document.getElementById('downloadAnchorElem')
    anchor.setAttribute('href', href)
    anchor.setAttribute('download', name + '.json')
    anchor.click()
}

/**
 * Downloads exceptions
 */
function downloadExceptions() {
    // Derive the profile name from the report file name: "report-<profile>.html" -> "<profile>"
    var pathname = window.location.pathname
    var fileName = pathname.substring(pathname.lastIndexOf('/') + 1)
    var profileName = fileName.replace('report-', '').replace('.html', '')
    // `exceptions` is a global defined outside this function
    console.log('Download exceptions: ' + exceptions)
    downloadConfiguration(exceptions, 'exceptions-' + profileName, 'exceptions = \n')
}

/**
 * Shows an element
 * @param {string} elementId
 */
var showElement = function (elementId) {
    // The id is placed in an id selector as-is; an id holding selector metacharacters
    // (such as '.') is not matched as a plain id
    var target = $('#' + elementId)
    target.show()
}

/**
 * Hides an element
 * @param {string} elementId
 */
var hideElement = function (elementId) {
    // The id is placed in an id selector as-is; an id holding selector metacharacters
    // (such as '.') is not matched as a plain id
    var target = $('#' + elementId)
    target.hide()
}

/**
 * Toggles an element
 * @param {string} elementId
 */
var toggleElement = function (elementId) {
    // The id is placed in an id selector as-is; an id holding selector metacharacters
    // (such as '.') is not matched as a plain id
    var target = $('#' + elementId)
    target.toggle()
}

/**
 * Sets the url to filter a specific region
 * @param {string} region
 */
function setFilterUrl(region) {
    // The region is the 4th dot-separated component of the URL hash
    const parts = location.hash.split('.')
    parts[3] = region
    location.hash = parts.join('.')
}

/**
 * Returns a csv file to download
 *   example input:
 *   exportToCsv('export.csv', [
 *   ['name','description'],
 *   ['david','123'],
 *   ['jona','""'],
 *   ['a','b'],
 *   ])
 * @param filename
 * @param rows
 */
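function downloadAsCsv(filename, rows) {
    // Formats one cell: null/undefined become empty, Dates use the locale format
    var formatCell = function (cell) {
        var text
        if (cell === null || cell === undefined) {
            // undefined used to throw on .toString(); treat it like null
            text = ''
        } else if (cell instanceof Date) {
            text = cell.toLocaleString()
        } else {
            text = cell.toString()
        }

        // Double embedded quotes, then quote the cell when it holds a quote, a comma or a
        // line break (CR included, so a bare carriage return cannot split a record)
        var escaped = text.replace(/"/g, '""')
        if (/[",\r\n]/.test(escaped)) {
            escaped = '"' + escaped + '"'
        }
        // NOTE(review): cell text is exported verbatim. Report values come from scanned
        // resources, so a cell starting with '=', '+', '-' or '@' may be interpreted as a
        // formula by spreadsheet software. Decide whether exports should neutralize such cells.
        return escaped
    }

    var csvFile = ''
    for (var i = 0; i < rows.length; i++) {
        csvFile += Array.prototype.map.call(rows[i], formatCell).join(',') + '\n'
    }

    var blob = new Blob([csvFile], {type: 'text/csv;charset=utf-8;'})
    if (navigator.msSaveBlob) { // IE 10+
        navigator.msSaveBlob(blob, filename)
        return
    }

    var link = document.createElement('a')
    if (link.download === undefined) {
        // Feature detection: nothing is downloaded without the HTML5 download attribute
        return
    }
    var url = URL.createObjectURL(blob)
    link.setAttribute('href', url)
    link.setAttribute('download', filename)
    link.style.visibility = 'hidden'
    // The link has to be in the document while it is clicked, then it is removed again
    document.body.appendChild(link)
    link.click()
    document.body.removeChild(link)
}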

/**
 * Downloads the dictionary as a .json file
 * @param {string} filename
 * @param {object} dict
 */
function downloadAsJson(filename, dict) {
    var blob = new Blob([JSON.stringify(dict)], {type: 'application/json;'})

    // IE 10+ has its own API for saving blobs
    if (navigator.msSaveBlob) {
        navigator.msSaveBlob(blob, filename)
        return
    }

    var anchor = document.createElement('a')
    // Feature detection: nothing is downloaded without the HTML5 download attribute
    if (anchor.download === undefined) {
        return
    }

    var objectUrl = URL.createObjectURL(blob)
    anchor.setAttribute('href', objectUrl)
    anchor.setAttribute('download', filename)
    anchor.style.visibility = 'hidden'
    // The anchor has to be in the document while it is clicked, then it is removed again
    document.body.appendChild(anchor)
    anchor.click()
    document.body.removeChild(anchor)
}


================================================
FILE: ScoutSuite/output/data/inc-scoutsuite/sqlite.js
================================================
// TODO: Change this for something less goofy
// Separator placed between the components of a query key (see createQuery)
var querySeparator = '¤'
// Matches one or more separators at the end of a string; the separator is backslash-escaped in the pattern
var reQuerySeparator = new RegExp('\\' + querySeparator + '+$')
// Port used by requestDb to reach the API on 127.0.0.1
var defaultPort = 8000

/**
 * Requests a list corresponding to the resource
 * @param {string} query            The suffix of the url
 * @param {number} pageSize         The amount of resources per page
 * @param {number} pageIndex        The index of the page [0, totalResources / pageSize - 1]
 * @returns {string}
 */
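function requestDb (query, pageSize, pageIndex) {
  // The endpoint is chosen from the number of arguments actually passed:
  //   0 -> summary, 1 -> data, 2 -> full, 3 or more -> page
  // TODO: Add the option of using a different port
  // The API is reached over plain HTTP on the loopback address
  let url = 'http://127.0.0.1:' + defaultPort + '/api/'
  let response = ''

  // Percent-encode every value so characters such as '&', '#' or '+' inside a key
  // cannot change the shape of the query string
  const key = encodeURIComponent(query)

  if (arguments.length === 0) {
    url += 'summary'
  } else if (arguments.length === 1) {
    url += 'data?key=' + key
  } else if (arguments.length === 2) {
    url += 'full?key=' + key
  } else {
    url += 'page?pagesize=' + encodeURIComponent(pageSize) + '&page=' + encodeURIComponent(pageIndex) + '&key=' + key
  }

  // Synchronous on purpose: the result is handed back as the return value
  $.ajax({
    type: 'GET',
    url: url,
    async: false,
    dataType: 'json',
    success: function (result) {
      response = result
    } })

  // When the request does not succeed, response is still '' and this yields undefined
  return response.data
}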

/**
 * Inserts resource page info into runResults and wipes out the last resource page info from the memory
 * to make sure the memory never gets capped and crashes the browser, also updates page index of the resource
 * @param {number} pageSize         The amount of resources per page
 * @param {number} pageIndex        The index of the page [0, totalResources / pageSize - 1]
 * @param {string} service          The service targeted
 * @param {string} resource         The resource targeted
 */
function getResourcePageSqlite (pageIndex, pageSize, service, resource) {
  // Note the argument order: pageIndex comes first here, pageSize first in requestDb
  const listing = requestDb(createQuery('services', service, resource), pageSize, pageIndex)
  const serviceResults = runResults['services'][service]

  // Start from an empty object so the previously loaded page is dropped
  const page = {}
  serviceResults[resource] = page
  for (let item in listing) {
    // One request per listed item
    page[item] = requestDb(createQuery('services', service, resource, item), null)
  }

  // Remember which page is loaded. This is kept next to the resource rather than under it
  // because the handlebar templates create a slot for each entry under the resource
  serviceResults[resource + '_page_index'] = pageIndex
  serviceResults[resource + '_page_size'] = pageSize
}

/**
 * Acts like getResourcePageSqlite but when we're using regions, made a separate function since the order of
 * the variables are different and it was getting confusing
 * @param {number} pageSize         The amount of resources per page
 * @param {number} pageIndex        The index of the page [0, totalResources / pageSize - 1]
 * @param {string} service          The service targeted
 * @param {string} region           The region targeted
 * @param {string} resource         The resource targeted
 */
function getResourcePageSqliteRegions (pageIndex, pageSize, service, region, resource) {
  // Note the argument order: pageIndex comes first here, pageSize first in requestDb
  const listing = requestDb(createQuery('services', service, 'regions', region, resource), pageSize, pageIndex)
  const regions = runResults['services'][service]['regions']

  // Start from an empty object so the previously loaded page is dropped
  const page = {}
  regions[region][resource] = page
  for (let item in listing) {
    // One request per listed item
    page[item] = requestDb(createQuery('services', service, 'regions', region, resource, item), null)
  }

  // Page bookkeeping lives under the literal 'id' key of regions, created on first use
  if (regions['id'] === undefined) {
    regions['id'] = {}
  }
  // This is kept next to the resource rather than under it because the handlebar
  // templates create a slot for each entry under the resource
  regions['id'][resource + '_page_index'] = pageIndex
  regions['id'][resource + '_page_size'] = pageSize
}

/**
 * Creates a query using the query separator to request information from the server
 * Scales with the number of params given
 * @returns {string}
 */
function createQuery () {
  // Append the separator to every argument, glue the pieces together, then drop the
  // run of separators left at the end
  const pieces = Array.prototype.map.call(arguments, function (part) {
    return part + querySeparator
  })
  return pieces.join('').replace(reQuerySeparator, '')
}


================================================
FILE: ScoutSuite/output/data/inc-scoutsuite/theme.js
================================================
// Stylesheet locations for the two themes (bootstrap and Scout Suite's own CSS)
const DARK_BOOTSTRAP_THEME = 'inc-bootstrap/css/bootstrap-dark.min.css';
const LIGHT_BOOTSTRAP_THEME = 'inc-bootstrap/css/bootstrap-light.min.css';

const DARK_SCOUT_THEME = 'inc-scoutsuite/css/scoutsuite-dark.css';
const LIGHT_SCOUT_THEME = 'inc-scoutsuite/css/scoutsuite-light.css';

// Once the document is ready, tick the theme checkbox when the dark theme was saved as enabled
$(document).ready(() => {
  if (!isDarkThemeEnabled()) {
    return
  }
  const themeCheckbox = document.getElementById('theme_checkbox')
  themeCheckbox.checked = true
});

/**
 * Load the last theme used by looking into localstorage
 */
function loadLastTheme() {
  // Nothing to apply unless the dark theme was saved as enabled
  if (!isDarkThemeEnabled()) {
    return
  }
  setBootstrapTheme(DARK_BOOTSTRAP_THEME)
  setScoutTheme(DARK_SCOUT_THEME)
}

/**
 * Toggles between light and dark themes
 */
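function toggleTheme() {
  // This function was declared twice; only the last declaration is ever used, so the two
  // are folded into one. The helpers are called directly instead of through `this`,
  // which is only the global object when the function is invoked as a plain call.
  const darkThemeEnabled = document.getElementById('theme_checkbox').checked
  // Persist the choice so it survives a reload
  saveIsDarkThemeEnabled(darkThemeEnabled)

  setBootstrapTheme(darkThemeEnabled ? DARK_BOOTSTRAP_THEME : LIGHT_BOOTSTRAP_THEME)
  setScoutTheme(darkThemeEnabled ? DARK_SCOUT_THEME : LIGHT_SCOUT_THEME)
}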

/**
 * Sets the css file location received as the bootstrap theme
 * @param {string} file
 */
function setBootstrapTheme(file) {
  // The element with id 'bootstrap-theme' gets its href pointed at the new stylesheet
  const themeLink = document.getElementById('bootstrap-theme')
  themeLink.href = file
}

/**
 * Sets the css file location received as the scout theme
 * @param {string} file
 */
function setScoutTheme(file) {
  // The element with id 'scout-theme' gets its href pointed at the new stylesheet
  const themeLink = document.getElementById('scout-theme')
  themeLink.href = file
}

/**
 * Tells us if the dark theme is enabled or not
 * @returns {boolean}
 */
function isDarkThemeEnabled() {
  // localStorage holds strings, so the flag is compared with the literal 'true'
  const stored = localStorage.getItem('dark_theme_enabled')
  return stored === 'true'
}

/**
 * Saves which theme is selected within the localstorage
 * @param {boolean} isDarkThemeEnabled 
 */
function saveIsDarkThemeEnabled(isDarkThemeEnabled) {
  // Inside this body the parameter shadows the isDarkThemeEnabled() function
  const flag = isDarkThemeEnabled
  localStorage.setItem('dark_theme_enabled', flag)
}

================================================
FILE: ScoutSuite/output/data/listall-configs/ec2.regions.id.vpcs.id.security_groups.id.json
================================================
{
    "keys": [
        "ec2.regions.id",
        "ec2.regions.id.vpcs.id",
        "ec2.regions.id.vpcs.id.security_groups.id",
        "name"
    ]
}


================================================
FILE: ScoutSuite/output/html.py
================================================
import datetime
import os
import shutil
import zipfile

import dateutil.tz

from ScoutSuite import DEFAULT_INCLUDES_DIRECTORY
from ScoutSuite import DEFAULT_REPORT_DIRECTORY, DEFAULT_REPORT_RESULTS_DIRECTORY, DEFAULT_INCLUDES_DIRECTORY
from ScoutSuite import ERRORS_LIST
from ScoutSuite.core.console import print_info, print_exception
from ScoutSuite.output.result_encoder import JavaScriptEncoder, SqlLiteEncoder
from ScoutSuite.output.utils import get_filename, prompt_for_overwrite


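class HTMLReport:
    """
    Base HTML report

    Resolves the report name, output directory and timestamp, selects the result encoder,
    reads the HTML templates and lays out the report directory on disk.
    """

    def __init__(self, report_name=None, report_dir=None, timestamp=False, exceptions=None, result_format=None):
        """
        :param report_name:             Name of the report; path separators are replaced with '_'
        :param report_dir:              Output directory, DEFAULT_REPORT_DIRECTORY when not set
        :param timestamp:               Timestamp to use; a falsy value means the current local time
        :param exceptions:              Exceptions dictionary, an empty one when not set
        :param result_format:           "sqlite" selects SqlLiteEncoder, anything else JavaScriptEncoder
        """
        # Path separators are replaced so the name stays a single path component (Issue 111).
        # The default of None is kept as-is instead of failing on .replace(), as
        # ScoutResultEncoder does.
        self.report_name = report_name.replace('/', '_').replace('\\', '_') if report_name else report_name
        self.report_dir = report_dir if report_dir else DEFAULT_REPORT_DIRECTORY
        self.current_time = datetime.datetime.now(dateutil.tz.tzlocal())
        self.timestamp = self.current_time.strftime("%Y-%m-%d_%Hh%M%z") if not timestamp else timestamp

        self.exceptions = exceptions if exceptions else {}
        self.scout_report_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
        self.html_data_path = os.path.join(self.scout_report_data_path, 'html')
        # The encoders receive the raw report_dir/timestamp arguments and apply their own defaults
        self.exceptions_encoder = JavaScriptEncoder(self.report_name, report_dir, timestamp)

        if result_format == "sqlite":
            self.encoder = SqlLiteEncoder(self.report_name, report_dir, timestamp)
        else:
            self.encoder = JavaScriptEncoder(self.report_name, report_dir, timestamp)

    def get_content_from_folder(self, templates_type):
        """
        Concatenate the contents of every file directly under html/<templates_type>.

        Files are read in the order os.listdir returns them, which is not specified.
        A file that cannot be read is reported and skipped.

        :param templates_type:          Sub-folder of the HTML data directory
        :return:                        The concatenated contents
        """
        contents = ''
        template_dir = os.path.join(self.html_data_path, templates_type)
        template_files = [os.path.join(template_dir, f) for f in os.listdir(template_dir) if
                          os.path.isfile(os.path.join(template_dir, f))]
        for filename in template_files:
            try:
                with open(filename) as f:
                    contents = contents + f.read()
            except Exception as e:
                print_exception(f'Error reading filename {filename}: {e}')
        return contents

    def get_content_from_file(self, filename):
        """
        Read one file from html/conditionals.

        :param filename:                File name, appended to the directory as-is: it has to
                                        start with a path separator
        :return:                        The file contents, or '' when it cannot be read
        """
        contents = ''
        template_dir = os.path.join(self.html_data_path, 'conditionals')
        # Plain concatenation, not os.path.join: the caller supplies the leading separator
        filename = template_dir + filename
        try:
            with open(filename) as f:
                contents = contents + f.read()
        except Exception as e:
            print_exception(f'Error reading filename {filename}: {e}')
        return contents

    def prepare_html_report_dir(self):
        """
        Create the report directories and copy the static files into the report directory.

        Any existing copy of the Scout Suite includes directory is deleted and replaced.
        """
        # exist_ok avoids failing when the directory appears between a check and the creation
        os.makedirs(self.report_dir, exist_ok=True)
        run_results_dir = os.path.join(self.report_dir, DEFAULT_REPORT_RESULTS_DIRECTORY)
        os.makedirs(run_results_dir, exist_ok=True)
        # Copy static 3rd-party files; the archive is the one stored in the package's data directory
        archive = os.path.join(self.scout_report_data_path, 'includes.zip')
        with zipfile.ZipFile(archive) as zip_ref:
            zip_ref.extractall(self.report_dir)
        # Copy static files
        inc_scout_dir = os.path.join(self.report_dir, DEFAULT_INCLUDES_DIRECTORY)
        src_inc_scout_dir = os.path.join(self.scout_report_data_path, DEFAULT_INCLUDES_DIRECTORY)
        if os.path.isdir(inc_scout_dir):
            shutil.rmtree(inc_scout_dir)
        shutil.copytree(src_inc_scout_dir, inc_scout_dir)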


class ScoutReport(HTMLReport):
    """
    Scout HTML report

    Saves the results, exceptions and errors through the encoders set up by HTMLReport, then
    writes the report page from report.html and the provider's templates.
    """

    def __init__(self, provider, report_name=None, report_dir=None, timestamp=False, exceptions=None,
                 result_format='json'):
        """
        :param provider:                Provider identifier, used to pick the provider's template folders
        :param report_name:             Name of the report
        :param report_dir:              Output directory
        :param timestamp:               Timestamp to use
        :param exceptions:              Exceptions dictionary, an empty one when None
        :param result_format:           Result format, also used to pick the format-specific template
        """
        exceptions = {} if exceptions is None else exceptions
        self.provider = provider
        self.result_format = result_format

        super().__init__(report_name, report_dir, timestamp, exceptions, result_format)

    def save(self, config, exceptions, force_write=False, debug=False):
        """
        Write the results, exceptions and (if any) errors, then create the HTML report.

        :param config:                  Results to save
        :param exceptions:              Exceptions to save
        :param force_write:             Overwrite existing files without asking
        :param debug:                   Passed on to the encoders
        :return:                        Path of the report file
        """
        self.prepare_html_report_dir()
        self.encoder.save_to_file(config, 'RESULTS', force_write, debug)
        self.exceptions_encoder.save_to_file(exceptions, 'EXCEPTIONS', force_write, debug)
        if ERRORS_LIST:
            # The errors file is always written with debug=True
            self.exceptions_encoder.save_to_file(ERRORS_LIST, 'ERRORS', force_write, debug=True)
        return self.create_html_report(force_write)

    def create_html_report(self, force_write):
        """
        Build the report page from report.html and the collected template contents.

        :param force_write:             Overwrite an existing report without asking
        :return:                        Path of the report file (returned even when nothing was written)
        """
        contents = ''
        # Use the script corresponding to the result format
        # NOTE(review): result_format and provider become part of template paths below;
        # presumably both come from a fixed set of choices - confirm against the caller
        contents += self.get_content_from_file('/%s_format.html' % self.result_format)
        # Use all scripts under html/partials/
        contents += self.get_content_from_folder('partials')
        contents += self.get_content_from_folder('partials/%s' % self.provider)
        # Use all scripts under html/summaries/
        contents += self.get_content_from_folder('summaries')
        contents += self.get_content_from_folder('summaries/%s' % self.provider)
        new_file, first_line = get_filename('REPORT', self.report_name, self.report_dir)
        print_info('Creating %s' % new_file)
        if prompt_for_overwrite(new_file, force_write):
            if os.path.exists(new_file):
                os.remove(new_file)
            with open(os.path.join(self.html_data_path, 'report.html')) as f:
                with open(new_file, 'wt') as nf:
                    for line in f:
                        newline = line
                        # NOTE(review): the search strings of the four replace() calls below are
                        # empty in this listing. With '' as the search string, str.replace inserts
                        # the replacement around every character, so these presumably were
                        # placeholder markers from report.html that got lost - confirm against
                        # the repository before relying on this code.
                        newline = newline.replace('', contents)
                        newline = newline.replace('',
                                                  get_filename('RESULTS',
                                                               self.report_name,
                                                               self.report_dir,
                                                               relative_path=True)[0])
                        newline = newline.replace('',
                                                  get_filename('EXCEPTIONS',
                                                               self.report_name,
                                                               self.report_dir,
                                                               relative_path=True)[0])
                        newline = newline.replace('',
                                                  f'{DEFAULT_INCLUDES_DIRECTORY}/sqlite.js')
                        nf.write(newline)
        return new_file


================================================
FILE: ScoutSuite/output/result_encoder.py
================================================
import datetime
import json
import os

import dateutil
from sqlitedict import SqliteDict

from ScoutSuite import DEFAULT_REPORT_DIRECTORY
from ScoutSuite.core.console import print_exception, print_info
from ScoutSuite.output.utils import get_filename, prompt_for_overwrite


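class ScoutJsonEncoder(json.JSONEncoder):
    """
    JSON encoder class

    Datetimes are serialized as strings, other objects as a dictionary of their attributes
    with the attributes in _EXCLUDED_ATTRIBUTES left out.
    """

    # Attributes left out of the output. This is a deny-list by name: any other attribute
    # of a serialized object, sensitive or not, is written to the output.
    _EXCLUDED_ATTRIBUTES = frozenset(('profile', 'credentials', 'metadata_path', 'services_config'))

    def default(self, o):
        """
        Convert an object the standard encoder cannot handle.

        The object itself is left untouched: the excluded attributes are filtered out of a
        copy instead of being deleted from the object being serialized.

        :param o:                       Object to convert
        :return:                        A string or a dictionary of attributes
        """
        if isinstance(o, datetime.datetime):
            return str(o)
        try:
            attributes = vars(o)
        except TypeError:
            # No attribute dictionary (e.g. a set): fall back to the string form
            return str(o)
        return {name: value for name, value in attributes.items() if name not in self._EXCLUDED_ATTRIBUTES}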


class ScoutResultEncoder:
    """
    Common base of the result encoders: normalizes the report name, directory and timestamp
    """

    def __init__(self, report_name=None, report_dir=None, timestamp=None):
        # Path separators are replaced so the name stays a single path component (Issue 111);
        # a falsy name is kept as given
        self.report_name = report_name.replace('/', '_').replace('\\', '_') if report_name else report_name
        self.report_dir = report_dir or DEFAULT_REPORT_DIRECTORY
        self.current_time = datetime.datetime.now(dateutil.tz.tzlocal())
        # A caller-supplied timestamp wins over the current local time
        self.timestamp = timestamp or self.current_time.strftime("%Y-%m-%d_%Hh%M%z")

    @staticmethod
    def to_dict(config):
        # Round-trip through JSON so that every value ends up as a plain JSON type
        serialized = json.dumps(config, separators=(',', ': '), cls=ScoutJsonEncoder)
        return json.loads(serialized)


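class SqlLiteEncoder(ScoutResultEncoder):
    """
    Reader/Writer for results stored through SqliteDict
    """

    def load_from_file(self, config_type, config_path=None):
        """
        :param config_type:             File type understood by get_filename
        :param config_path:             Explicit path; resolved with get_filename when not set
        :return:                        The data attribute of the opened SqliteDict
        """
        # NOTE(review): save_to_file resolves its path with file_extension="db" while this
        # lookup uses the default extension - confirm which file is meant to be read
        if not config_path:
            config_path, _ = get_filename(config_type, self.report_name, self.report_dir)
        return SqliteDict(config_path, autocommit=True).data

    def save_to_file(self, config, config_type, force_write, _debug):
        """
        Store every top-level entry of the configuration in the database file.

        :param config:                  Object to save, converted with to_dict
        :param config_type:             File type understood by get_filename
        :param force_write:             Overwrite an existing file without asking
        :param _debug:                  Unused
        """
        config_path, first_line = get_filename(config_type, self.report_name, self.report_dir, file_extension="db")
        print_info('Saving data to %s' % config_path)
        try:
            database = self.__open_file(config_path, force_write)
            if database is None:
                # The overwrite was declined or opening failed (already reported): nothing to
                # write, and no error to report for a missing context manager
                return
            with database:
                for k, v in self.to_dict(config).items():
                    database[k] = v
                database.commit()
        except Exception as e:
            print_exception(e)

    @staticmethod
    def __open_file(config_filename, force_write):
        """
        Open a fresh database file, removing an existing one first.

        :param config_filename:         Path of the database file
        :param force_write:             Overwrite an existing file without asking
        :return:                        A SqliteDict, or None when the overwrite is declined or opening fails
        """
        if not prompt_for_overwrite(config_filename, force_write):
            return None
        try:
            config_dirname = os.path.dirname(config_filename)
            if not os.path.isdir(config_dirname):
                os.makedirs(config_dirname)
            if os.path.exists(config_filename):
                os.remove(config_filename)
            return SqliteDict(config_filename)
        except Exception as e:
            print_exception(e)
            return None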


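class JavaScriptEncoder(ScoutResultEncoder):
    """
    Reader/Writer for JS and JSON files
    """

    def load_from_file(self, file_type, file_path=None, first_line=None):
        """
        :param file_type:               File type understood by get_filename
        :param file_path:               Explicit path; resolved with get_filename when not set
        :param first_line:              When truthy, the first line of the file is skipped
        :return:                        The decoded JSON payload
        """
        if not file_path:
            file_path, first_line = get_filename(file_type, self.report_name, self.report_dir)
        with open(file_path) as f:
            lines = f.readlines()
        if first_line:
            # The first line is the JavaScript assignment, not part of the JSON payload
            lines.pop(0)
        return json.loads(''.join(lines))

    def save_to_file(self, content, file_type, force_write, debug):
        """
        Write the content as JSON, preceded by the first line get_filename returns for the type.

        :param content:                 Object to save
        :param file_type:               File type understood by get_filename
        :param force_write:             Overwrite an existing file without asking
        :param debug:                   Indent the output when set
        """
        config_path, first_line = get_filename(file_type, self.report_name, self.report_dir)
        print_info('Saving data to %s' % config_path)
        try:
            output_file = self.__open_file(config_path, force_write)
            if output_file is None:
                # The overwrite was declined or opening failed (already reported). Checked
                # explicitly: the exception raised by "with None" differs between Python
                # versions, and catching AttributeError also hid errors raised while encoding.
                return
            with output_file as f:
                if first_line:
                    print('%s' % first_line, file=f)
                print('%s' % json.dumps(content, indent=4 if debug else None, separators=(',', ': '), sort_keys=True,
                                        cls=ScoutJsonEncoder), file=f)
        except Exception as e:
            print_exception(e)

    @staticmethod
    def __open_file(config_filename, force_write):
        """
        Open the file for writing, creating its directory when needed.

        :param config_filename:         Path of the file
        :param force_write:             Overwrite an existing file without asking
        :return:                        An open file, or None when the overwrite is declined or opening fails
        """
        if not prompt_for_overwrite(config_filename, force_write):
            return None
        try:
            config_dirname = os.path.dirname(config_filename)
            if not os.path.isdir(config_dirname):
                os.makedirs(config_dirname)
            return open(config_filename, 'wt')
        except Exception as e:
            print_exception(e)
            return None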


================================================
FILE: ScoutSuite/output/utils.py
================================================
import os
import sys


from ScoutSuite import DEFAULT_REPORT_DIRECTORY, DEFAULT_REPORT_RESULTS_DIRECTORY
from ScoutSuite.core.console import print_error


def prompt_for_yes_no(question):
    """
    Ask a question until it is answered with yes or no

    :param question:                    Question to ask; ' (y/n)? ' is appended
    :return:                            :boolean
    """
    # Accepted answers, compared after lower-casing the input
    answers = {'yes': True, 'y': True, 'no': False, 'n': False}

    while True:
        sys.stdout.write(question + ' (y/n)? ')
        choice = input().lower()
        if choice in answers:
            return answers[choice]
        print_error('\'%s\' is not a valid answer. Enter \'yes\'(y) or \'no\'(n).' % choice)


def prompt_for_overwrite(filename, force_write):
    """
    Ask for confirmation only when the file exists and force_write is not set

    The existence check here and the caller's later write are separate steps.

    :param filename:                    Name of the file to be overwritten
    :param force_write:                 Skip the confirmation and return True if set
    :return:                            :boolean
    """
    needs_confirmation = os.path.exists(filename) and not force_write
    if needs_confirmation:
        return prompt_for_yes_no(f'File \'{filename}\' already exists. Do you want to overwrite it')
    return True


def get_filename(file_type, file_name=None, file_dir=None, relative_path=False, file_extension=None):
    """
    Build the path of a report file and the line that has to precede its payload

    :param file_type:                   One of 'REPORT', 'RESULTS', 'EXCEPTIONS', 'ERRORS'
    :param file_name:                   Report name, used as (part of) the file name
    :param file_dir:                    Report directory, DEFAULT_REPORT_DIRECTORY when not set
    :param relative_path:               Return the path relative to the report directory
                                        (not used for 'REPORT')
    :param file_extension:              Overrides the default extension of the file type
    :return:                            (path, first line or None)
    """

    def results_directory():
        # Results, exceptions and errors all live in the results sub-directory
        if relative_path:
            return DEFAULT_REPORT_RESULTS_DIRECTORY
        return os.path.join(file_dir or DEFAULT_REPORT_DIRECTORY, DEFAULT_REPORT_RESULTS_DIRECTORY)

    def prefixed(prefix):
        return f'{prefix}_{file_name}' if file_name else prefix

    if file_type == 'REPORT':
        name = file_name or 'report'
        directory = file_dir or DEFAULT_REPORT_DIRECTORY
        extension, first_line = 'html', None
    elif file_type == 'RESULTS':
        name = prefixed('scoutsuite_results')
        directory = results_directory()
        extension, first_line = 'js', 'scoutsuite_results ='
    elif file_type == 'EXCEPTIONS':
        name = prefixed('scoutsuite_exceptions')
        directory = results_directory()
        extension, first_line = 'js', 'exceptions ='
    elif file_type == 'ERRORS':
        name = prefixed('scoutsuite_errors')
        directory = results_directory()
        extension, first_line = 'json', None
    else:
        raise Exception(f'Invalid file type provided: {file_type}')

    # file_name is used as given; the callers in this package replace path separators first
    chosen_extension = file_extension or extension
    return os.path.join(directory, '{}.{}'.format(name, chosen_extension)), first_line


================================================
FILE: ScoutSuite/providers/__init__.py
================================================
# Maps each provider identifier to the name of its provider class; the identifier is also
# the name of the provider's package under ScoutSuite.providers
providers_dict = {
    'aws': 'AWSProvider',
    'gcp': 'GCPProvider',
    'azure': 'AzureProvider',
    'aliyun': 'AliyunProvider',
    'oci': 'OracleProvider',
    'kubernetes': 'KubernetesProvider',
    'do': 'DigitalOceanProvider',
}


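def get_provider_object(provider):
    """
    Returns the provider class registered for the given provider identifier.

    :param provider:            A string indicating the provider, a key of providers_dict
    :return:                    The provider class (not an instance)
    :raises ImportError:        If the provider is not registered or its module cannot be imported
    """
    import importlib

    provider_class = providers_dict.get(provider)
    if provider_class is None:
        # The identifier becomes part of a module path, so only registered providers are
        # imported. ModuleNotFoundError is an ImportError, which is what an unknown
        # identifier normally ended in before.
        raise ModuleNotFoundError(f'Unknown provider: {provider}')
    provider_module = importlib.import_module(f'ScoutSuite.providers.{provider}.provider')
    return getattr(provider_module, provider_class)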


def get_provider(provider,
                 profile=None,
                 project_id=None, folder_id=None, organization_id=None,
                 report_dir=None, timestamp=None, services=None, skipped_services=None, **kwargs):
    """
    Returns an instance of the requested provider.

    :param provider:            A string indicating the provider
    :param profile:             The name of the profile desired
    :param project_id:          The identifier of the project
    :param folder_id:           The identifier of the folder
    :param organization_id:     The identifier of the organization
    :param report_dir:          Where to save the report
    :param timestamp:           Whether to print or not the timestamp on the report
    :param services:            Exclusive list of services on which to run Scout Suite
    :param skipped_services:    List of services not to run Scout Suite on
    :param kwargs:              Passed on unchanged to the provider class
    :return:                    An instance of the class returned by get_provider_object
    """
    # None means "no restriction"; fresh lists are created per call
    if services is None:
        services = []
    if skipped_services is None:
        skipped_services = []

    provider_class = get_provider_object(provider)
    return provider_class(profile=profile,
                          project_id=project_id,
                          folder_id=folder_id,
                          organization_id=organization_id,
                          report_dir=report_dir,
                          timestamp=timestamp,
                          services=services,
                          skipped_services=skipped_services,
                          **kwargs)


================================================
FILE: ScoutSuite/providers/aliyun/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/authentication_strategy.py
================================================
import json
from getpass import getpass

from aliyunsdkcore.auth.credentials import AccessKeyCredential
from aliyunsdkcore.client import AcsClient
from aliyunsdksts.request.v20150401 import GetCallerIdentityRequest

from ScoutSuite.providers.base.authentication_strategy import AuthenticationStrategy, AuthenticationException


class AliyunCredentials:
    """
    Pairs the credential object with the details returned for the caller identity
    """

    def __init__(self, credentials, caller_details):
        # credentials holds the access key secret: keep it out of logs and reports
        self.credentials, self.caller_details = credentials, caller_details


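class AliyunAuthenticationStrategy(AuthenticationStrategy):
    """
    Implements authentication for the Aliyun provider
    """

    def authenticate(self, access_key_id=None, access_key_secret=None, **kwargs):
        """
        Build the credentials and fetch the caller identity with them.

        :param access_key_id:           Access key ID; prompted for when not given
        :param access_key_secret:       Access key secret; prompted for without echo when not given
        :return:                        AliyunCredentials with the credentials and the decoded
                                        caller identity response
        :raises AuthenticationException: On any failure, wrapping the original exception
        """

        try:

            access_key_id = access_key_id or input('Access Key ID:')
            # getpass keeps the secret off the terminal
            access_key_secret = access_key_secret or getpass('Secret Access Key:')

            credentials = AccessKeyCredential(access_key_id=access_key_id, access_key_secret=access_key_secret)

            # get caller details
            client = AcsClient(credential=credentials)
            response = client.do_action_with_exception(
                GetCallerIdentityRequest.GetCallerIdentityRequest())
            response_decoded = json.loads(response)

            return AliyunCredentials(credentials, response_decoded)

        except Exception as e:
            # Chain explicitly so the original cause stays attached to the raised exception
            raise AuthenticationException(e) from e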


================================================
FILE: ScoutSuite/providers/aliyun/facade/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/facade/actiontrail.py
================================================
from ScoutSuite.providers.aliyun.authentication_strategy import AliyunCredentials
from ScoutSuite.providers.aliyun.facade.utils import get_response

from aliyunsdkactiontrail.request.v20171204 import DescribeTrailsRequest

from ScoutSuite.providers.aliyun.utils import get_client


class ActiontrailFacade:
    """
    Facade for the ActionTrail API
    """

    def __init__(self, credentials: AliyunCredentials):
        self._credentials = credentials
        self._client = get_client(credentials=self._credentials)

    async def get_trails(self):
        """
        Get all trails

        :return: the 'TrailList' entry of the DescribeTrails response, or an empty list
                 when there is no response
        """
        request = DescribeTrailsRequest.DescribeTrailsRequest()
        response = await get_response(client=self._client, request=request)
        if not response:
            return []
        return response['TrailList']


================================================
FILE: ScoutSuite/providers/aliyun/facade/base.py
================================================
from collections import Counter

from aliyunsdkcore.endpoint.local_config_regional_endpoint_resolver import LocalConfigRegionalEndpointResolver

from ScoutSuite.providers.aliyun.authentication_strategy import AliyunCredentials
from ScoutSuite.providers.aliyun.facade.actiontrail import ActiontrailFacade
from ScoutSuite.providers.aliyun.facade.ecs import ECSFacade
from ScoutSuite.providers.aliyun.facade.kms import KMSFacade
from ScoutSuite.providers.aliyun.facade.ram import RAMFacade
from ScoutSuite.providers.aliyun.facade.rds import RDSFacade
from ScoutSuite.providers.aliyun.facade.vpc import VPCFacade
from ScoutSuite.providers.aliyun.facade.oss import OSSFacade
from ScoutSuite.providers.utils import run_concurrently


class AliyunFacade:
    """Groups the per-service Aliyun facades behind a single object."""

    def __init__(self, credentials: AliyunCredentials):
        self._credentials = credentials
        self._instantiate_facades()
        # Used by build_region_list() to look up the valid region ids of a product.
        self._resolver = LocalConfigRegionalEndpointResolver()

    def _instantiate_facades(self):
        """Create one facade per supported service, all built from the same credentials."""
        creds = self._credentials
        self.actiontrail = ActiontrailFacade(creds)
        self.ram = RAMFacade(creds)
        self.ecs = ECSFacade(creds)
        self.rds = RDSFacade(creds)
        self.vpc = VPCFacade(creds)
        self.kms = KMSFacade(creds)
        self.oss = OSSFacade(creds)

    async def build_region_list(self, service: str, chosen_regions=None):
        """
        Build the list of regions to query for a service

        :param service: product code passed to the endpoint resolver
        :param chosen_regions: optional regions to restrict the result to
        :return: the resolver's region ids, intersected with chosen_regions when given
        """

        # TODO could need this for service ids
        # service = 'ec2containerservice' if service == 'ecs' else service

        # TODO does a similar endpoint exist?
        # available_services = await run_concurrently(lambda: Session().get_available_services())
        # if service not in available_services:
        #     raise Exception('Service ' + service + ' is not available.')

        def _valid_region_ids():
            return self._resolver.get_valid_region_ids_by_product(product_code=service)

        regions = await run_concurrently(_valid_region_ids)

        if not chosen_regions:
            return regions

        # Multiset intersection: a chosen region the resolver does not list is dropped
        # without any message, so a mistyped region silently falls out of the scan scope.
        common = Counter(regions) & Counter(chosen_regions)
        return list(common.elements())


================================================
FILE: ScoutSuite/providers/aliyun/facade/ecs.py
================================================
from aliyunsdkecs.request.v20140526 import DescribeInstancesRequest
from ScoutSuite.providers.aliyun.utils import get_client

from ScoutSuite.providers.aliyun.authentication_strategy import AliyunCredentials
from ScoutSuite.providers.aliyun.facade.utils import get_response


class ECSFacade:
    """Facade over the ECS API; a client is created per call for the requested region."""

    def __init__(self, credentials: AliyunCredentials):
        self._credentials = credentials

    async def get_instances(self, region):
        """
        Get all instances

        :param region: region id the client is created for
        :return: a list of all instances, or an empty list when get_response() yields nothing
        """
        regional_client = get_client(credentials=self._credentials, region=region)
        describe_request = DescribeInstancesRequest.DescribeInstancesRequest()
        # NOTE(review): get_response() only follows IsTruncated/Marker continuation; confirm
        # this API does not page by number/size, otherwise instances past the first page
        # are never collected.
        instances_response = await get_response(client=regional_client, request=describe_request)
        if not instances_response:
            return []
        return instances_response['Instances']['Instance']


================================================
FILE: ScoutSuite/providers/aliyun/facade/kms.py
================================================
from aliyunsdkkms.request.v20160120 import ListKeysRequest, DescribeKeyRequest

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aliyun.authentication_strategy import AliyunCredentials
from ScoutSuite.providers.aliyun.facade.utils import get_response
from ScoutSuite.providers.aliyun.utils import get_client


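class KMSFacade:
    """Facade over the KMS API; a client is created per call for the requested region."""

    def __init__(self, credentials: AliyunCredentials):
        self._credentials = credentials

    async def get_keys(self, region):
        """
        Get all keys

        :param region: region id the client is created for
        :return: a list of all keys; empty when the response is empty or the call failed
        """
        try:
            client = get_client(credentials=self._credentials, region=region)
            response = await get_response(client=client,
                                          request=ListKeysRequest.ListKeysRequest())
            if response:
                return response['Keys']['Key']
            return []
        except Exception as e:
            # Deliberate best-effort: the failure is printed and the region is reported as
            # having no keys, so a denied or failed call is not visible in the results.
            print_exception(f'Failed to get KMS keys: {e}')
            return []

    async def get_key_details(self, key_id, region):
        """
        Gets details for a key

        :param key_id: id of the key to describe
        :param region: region id the client is created for
        :return: a dictionary of details; empty when the response is empty or the call failed
        """
        try:
            client = get_client(credentials=self._credentials, region=region)
            request = DescribeKeyRequest.DescribeKeyRequest()
            request.set_KeyId(key_id)
            response = await get_response(client=client,
                                          request=request)
            if response:
                return response['KeyMetadata']
            # Return an empty dict, not a list: the result is documented as a dictionary
            # and the key parser reads it with .get().
            return {}
        except Exception as e:
            print_exception(f'Failed to get KMS key details: {e}')
            return {}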


================================================
FILE: ScoutSuite/providers/aliyun/facade/oss.py
================================================
from ScoutSuite.providers.aliyun.authentication_strategy import AliyunCredentials

from ScoutSuite.providers.aliyun.utils import get_oss_client


class OSSFacade:
    """Facade over the OSS (object storage) API."""

    def __init__(self, credentials: AliyunCredentials):
        self._credentials = credentials

    async def get_buckets(self):
        """
        Get all buckets

        :return: the ``buckets`` attribute of the list_buckets() result, or an empty list
        """
        oss_client = get_oss_client(credentials=self._credentials)
        # TODO this doesn't follow standards
        # NOTE(review): list_buckets() is called once and directly inside the coroutine;
        # confirm whether the client returns a single page, in which case buckets beyond
        # that page are not collected.
        listing = oss_client.list_buckets()
        return listing.buckets if listing else []


================================================
FILE: ScoutSuite/providers/aliyun/facade/ram.py
================================================
from ScoutSuite.providers.aliyun.authentication_strategy import AliyunCredentials
from ScoutSuite.providers.aliyun.facade.utils import get_response
from ScoutSuite.providers.aliyun.utils import get_client

from ScoutSuite.core.console import print_exception
from aliyunsdkram.request.v20150501 import \
    ListUsersRequest, GetUserRequest, \
    GetUserMFAInfoRequest, \
    ListAccessKeysRequest, GetAccessKeyLastUsedRequest, \
    GetPasswordPolicyRequest, GetSecurityPreferenceRequest, \
    ListGroupsRequest, ListUsersForGroupRequest, \
    ListRolesRequest, \
    ListPoliciesRequest, GetPolicyVersionRequest, ListEntitiesForPolicyRequest


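class RAMFacade:
    """Facade over the RAM (users, groups, roles, policies) API, using one shared client."""

    def __init__(self, credentials: AliyunCredentials):
        self._credentials = credentials
        self._client = get_client(credentials=self._credentials)

    async def get_users(self):
        """
        Get all users

        :return: a list of all users
        """
        response = await get_response(client=self._client,
                                      request=ListUsersRequest.ListUsersRequest())
        if not response:
            return []
        return response['Users']['User']

    async def get_user_details(self, username):
        """
        Get additional details for a user

        :param username: The username of the user
        :return: a dict with the user's details, or an empty list when there is no response
        """
        request = GetUserRequest.GetUserRequest()
        request.set_UserName(username)
        response = await get_response(client=self._client,
                                      request=request)
        if not response:
            return []
        return response['User']

    async def get_user_api_keys(self, username):
        """
        Get API keys for a user

        :param username: The username of the user
        :return: the list of API keys for that user
        """
        request = ListAccessKeysRequest.ListAccessKeysRequest()
        request.set_UserName(username)
        response = await get_response(client=self._client,
                                      request=request)
        if not response:
            return []
        return response['AccessKeys']['AccessKey']

    async def get_user_api_key_last_usage(self, username, key_id):
        """
        Get last usage date for an API key

        :param username: The username of the user
        :param key_id: The API key id
        :return: the 'LastUsedDate' value of the key, or an empty list when there is no response
        """
        request = GetAccessKeyLastUsedRequest.GetAccessKeyLastUsedRequest()
        request.set_UserName(username)
        request.set_UserAccessKeyId(key_id)
        response = await get_response(client=self._client,
                                      request=request)
        if not response:
            return []
        return response['AccessKeyLastUsed']['LastUsedDate']

    async def get_user_mfa_status(self, username):
        """
        Check if user has MFA configured

        :param username: The username of the user
        :return: status and MFA serial number; (False, None) whenever MFA could not be confirmed
        """
        request = GetUserMFAInfoRequest.GetUserMFAInfoRequest()
        request.set_UserName(username)
        try:
            response = await get_response(client=self._client,
                                          request=request)
        except Exception as e:
            # TODO can't seem to differentiate between a user that has MFA disabled
            # and a user that has MFA enabled but not configured
            # Not every exception carries an error_code attribute, so read it defensively
            # instead of raising AttributeError from inside the handler.
            if getattr(e, 'error_code', None) != 'EntityNotExist.User.MFADevice':
                print_exception('Unable to get MFA status for user {}: {}'.format(username,
                                                                                  e))
            # Either MFA is not configured or the lookup failed; both are reported the same
            # way, so a failed lookup shows up as "no MFA" in the results.
            return False, None

        if not response:
            # get_response() prints unexpected failures and returns None; subscripting that
            # would raise TypeError outside of the handler above.
            return False, None
        return True, response['MFADevice']['SerialNumber']

    async def get_password_policy(self):
        """
        Get the account's password policy

        :return: the password policy, or an empty list when there is no response
        """
        request = GetPasswordPolicyRequest.GetPasswordPolicyRequest()
        response = await get_response(client=self._client,
                                      request=request)
        if not response:
            return []
        return response['PasswordPolicy']

    async def get_security_policy(self):
        """
        Get the account's security policy

        :return: the security policy, or an empty list when there is no response
        """
        request = GetSecurityPreferenceRequest.GetSecurityPreferenceRequest()
        response = await get_response(client=self._client,
                                      request=request)
        if not response:
            return []
        return response['SecurityPreference']

    async def get_groups(self):
        """
        Get all groups

        :return: a list of all groups
        """
        response = await get_response(client=self._client,
                                      request=ListGroupsRequest.ListGroupsRequest())
        if not response:
            return []
        return response['Groups']['Group']

    async def get_group_users(self, group_name):
        """
        Get all users in a group

        :param group_name: The name of the group
        :return: a list of the users in that group
        """
        request = ListUsersForGroupRequest.ListUsersForGroupRequest()
        request.set_GroupName(group_name)
        response = await get_response(client=self._client,
                                      request=request)
        if not response:
            return []
        return response['Users']['User']

    async def get_roles(self):
        """
        Get all roles

        :return: a list of all roles
        """
        response = await get_response(client=self._client,
                                      request=ListRolesRequest.ListRolesRequest())
        if not response:
            return []
        return response['Roles']['Role']

    async def get_policies(self):
        """
        Get all policies returned by ListPolicies

        :return: a list of policies
        """
        response = await get_response(client=self._client,
                                      request=ListPoliciesRequest.ListPoliciesRequest())
        if not response:
            return []
        return response['Policies']['Policy']

    async def get_policy_version(self, name, type, version):
        """
        Get one version of a policy

        :param name: The policy name
        :param type: The policy type
        :param version: The version id
        :return: the 'PolicyVersion' entry of the response, or an empty list when there is no response
        """
        request = GetPolicyVersionRequest.GetPolicyVersionRequest()
        request.set_PolicyName(name)
        request.set_PolicyType(type)
        request.set_VersionId(version)
        response = await get_response(client=self._client,
                                      request=request)
        if not response:
            return []
        return response['PolicyVersion']

    async def get_policy_entities(self, name, type):
        """
        Get all entities for a policy

        :param name: The policy name
        :param type: The policy type
        :return: a dict of all policy entities, or an empty list when there is no response
        """
        request = ListEntitiesForPolicyRequest.ListEntitiesForPolicyRequest()
        request.set_PolicyName(name)
        request.set_PolicyType(type)
        response = await get_response(client=self._client,
                                      request=request)
        if not response:
            return []
        # Drop the request id so only the entities remain; tolerate it being absent.
        response.pop('RequestId', None)
        return response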


================================================
FILE: ScoutSuite/providers/aliyun/facade/rds.py
================================================
from aliyunsdkrds.request.v20140815 import DescribeDBInstancesRequest

from ScoutSuite.providers.aliyun.authentication_strategy import AliyunCredentials
from ScoutSuite.providers.aliyun.facade.utils import get_response
from ScoutSuite.providers.aliyun.utils import get_client


class RDSFacade:
    """Facade over the RDS API; a client is created per call for the requested region."""

    def __init__(self, credentials: AliyunCredentials):
        self._credentials = credentials

    async def get_instances(self, region):
        """
        Get all instances

        :param region: region id the client is created for
        :return: a list of all database instances, or an empty list when get_response() yields nothing
        """
        regional_client = get_client(credentials=self._credentials, region=region)
        describe_request = DescribeDBInstancesRequest.DescribeDBInstancesRequest()
        # NOTE(review): get_response() only follows IsTruncated/Marker continuation; confirm
        # this API does not page by number/size, otherwise instances past the first page
        # are never collected.
        instances_response = await get_response(client=regional_client, request=describe_request)
        if not instances_response:
            return []
        return instances_response['Items']['DBInstance']


================================================
FILE: ScoutSuite/providers/aliyun/facade/utils.py
================================================
import json
from ScoutSuite.providers.utils import run_concurrently
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from ScoutSuite.core.console import print_exception


async def get_response(client, request):
    """
    Send a request through the SDK client and return the decoded JSON response.

    While the decoded response reports 'IsTruncated', the request is re-sent with the
    'Marker' of the merged response and the pages are combined with merge_responses().

    :param client: SDK client exposing do_action_with_exception()
    :param request: SDK request object; its marker is updated in place while paging
    :return: the decoded (and merged) response, or None when an unexpected exception was printed
    """

    def _send():
        return client.do_action_with_exception(request)

    try:
        merged = json.loads(await run_concurrently(_send))
        more_pages = merged.get('IsTruncated', False)

        # handle truncated responses
        while more_pages:
            request.set_Marker(merged['Marker'])
            page = json.loads(await run_concurrently(_send))
            more_pages = page.get('IsTruncated', False)
            merged = await merge_responses(merged, page)

        return merged
    except (ServerException, ClientException):
        # TODO define exceptions to handle
        raise
    except Exception as e:
        # Anything else is printed and swallowed: the caller gets None, and pages already
        # fetched are discarded, so callers that map None to an empty list report nothing.
        print_exception(f'Unhandled exception {e} for request {request}')
        return None


async def merge_responses(response_1, response_2):
    """
    Fold the content of the first response into the second one, leaving the paging and
    request fields of the second response untouched.

    Lists present in both are concatenated (second response's items first), dicts present
    in both are merged recursively, and keys only present in the first are copied over.

    :param response_1: the first response
    :param response_2: the second (latest) response, modified in place
    :return: modified response_2
    """
    skipped_fields = ('IsTruncated', 'RequestId', 'Marker')
    for key in response_1:
        if key in skipped_fields:
            continue

        older = response_1[key]
        if key not in response_2:
            response_2[key] = older
            continue

        newer = response_2[key]
        if type(older) is list and type(newer) is list:
            newer.extend(older)
        elif type(older) is dict and type(newer) is dict:
            # will recursively merge until it finds a list
            response_2[key] = await merge_responses(older, newer)
        else:
            # TODO implement other cases (which ones?)
            print_exception('Unhandled response merge')
    return response_2


================================================
FILE: ScoutSuite/providers/aliyun/facade/vpc.py
================================================
from ScoutSuite.providers.aliyun.authentication_strategy import AliyunCredentials
from ScoutSuite.providers.aliyun.facade.utils import get_response
from ScoutSuite.providers.aliyun.utils import get_client

from aliyunsdkvpc.request.v20160428 import DescribeVpcsRequest


class VPCFacade:
    """Facade over the VPC API; a client is created per call for the requested region."""

    def __init__(self, credentials: AliyunCredentials):
        self._credentials = credentials

    async def get_vpcs(self, region):
        """
        Get all VPCs

        :param region: region id the client is created for
        :return: a list of all VPCs, or an empty list when get_response() yields nothing
        """
        regional_client = get_client(credentials=self._credentials, region=region)
        describe_request = DescribeVpcsRequest.DescribeVpcsRequest()
        # NOTE(review): get_response() only follows IsTruncated/Marker continuation; confirm
        # this API does not page by number/size, otherwise VPCs past the first page are
        # never collected.
        vpcs_response = await get_response(client=regional_client, request=describe_request)
        if not vpcs_response:
            return []
        return vpcs_response['Vpcs']['Vpc']


================================================
FILE: ScoutSuite/providers/aliyun/metadata.json
================================================
{
  "security": {
    "ram": {
      "resources": {
        "users": {
          "cols": 2,
          "path": "services.ram.users"
        },
        "groups": {
          "cols": 2,
          "path": "services.ram.groups"
        },
        "roles": {
          "cols": 2,
          "path": "services.ram.roles"
        },
        "policies": {
          "cols": 2,
          "path": "services.ram.policies"
        }
      },
      "summaries": {
        "password_policy": {
          "cols": 1,
          "path": "services.ram.password_policy"
        },
        "security_policy": {
          "cols": 1,
          "path": "services.ram.security_policy"
        }
      }
    },
    "kms": {
      "resources": {
        "keys": {
          "cols": 2,
          "path": "services.kms.regions.id.keys"
        }
      }
    }
  },
  "compute": {
    "ecs": {
      "resources": {
        "instances": {
          "cols": 2,
          "path": "services.ecs.regions.id.instances"
        }
      }
    }
  },
  "database": {
    "rds": {
      "resources": {
        "instances": {
          "cols": 2,
          "path": "services.rds.regions.id.instances"
        }
      }
    }
  },
  "storage": {
    "oss": {
      "resources": {
        "buckets": {
          "cols": 2,
          "path": "services.oss.buckets"
        }
      }
    }
  },
  "network": {
    "vpc": {
      "resources": {
        "vpcs": {
          "cols": 2,
          "path": "services.vpc.regions.id.vpcs"
        }
      }
    }
  },
  "management": {
    "actiontrail": {
      "resources": {
        "trails": {
          "cols": 1,
          "path": "services.actiontrail.trails"
        }
      }
    }
  }
}


================================================
FILE: ScoutSuite/providers/aliyun/provider.py
================================================
import os

from ScoutSuite.providers.aliyun.services import AliyunServicesConfig
from ScoutSuite.providers.base.provider import BaseProvider


class AliyunProvider(BaseProvider):
    """
    Implements provider for Alibaba Cloud (Aliyun)
    """

    def __init__(self,
                 report_dir=None, timestamp=None, services=None, skipped_services=None, **kwargs):
        """
        Set the provider's identity and configuration, then initialise the base provider.

        :param kwargs: must contain 'credentials', whose caller_details hold the 'AccountId'
        """
        if services is None:
            services = []
        if skipped_services is None:
            skipped_services = []

        # metadata.json sits next to this module.
        provider_dir = os.path.dirname(os.path.abspath(__file__))
        self.metadata_path = f'{provider_dir}/metadata.json'

        self.provider_code = 'aliyun'
        self.provider_name = 'Alibaba Cloud'
        self.environment = 'default'

        self.services_config = AliyunServicesConfig

        self.credentials = kwargs['credentials']
        self.account_id = self.credentials.caller_details['AccountId']

        super().__init__(report_dir, timestamp, services, skipped_services)

    def get_report_name(self):
        """
        Returns the name of the report using the provider's configuration
        """
        return f'aliyun-{self.account_id}' if self.account_id else 'aliyun'

    def preprocessing(self, ip_ranges=None, ip_ranges_name_key=None):
        """
        Run the base provider's preprocessing.

        NOTE(review): ip_ranges and ip_ranges_name_key are accepted but not forwarded to the
        base class; confirm this is intended.
        """
        super().preprocessing()



================================================
FILE: ScoutSuite/providers/aliyun/resources/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/resources/actiontrail/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/resources/actiontrail/base.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunCompositeResources
from ScoutSuite.providers.aliyun.resources.actiontrail.trails import Trails


class ActionTrail(AliyunCompositeResources):
    """ActionTrail service resources; Trails is the only child, stored under 'trails'."""

    _children = [(Trails, 'trails')]

    async def fetch_all(self, **kwargs):
        """Fetch every child listed in _children, with this object as their parent."""
        # kwargs is accepted but not used here.
        await self._fetch_children(resource_parent=self)


================================================
FILE: ScoutSuite/providers/aliyun/resources/actiontrail/trails.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources


class Trails(AliyunResources):
    """Collection of ActionTrail trails, keyed by trail name."""

    async def fetch_all(self):
        """Fetch the trails through the facade and store each parsed trail under its id."""
        raw_trails = await self.facade.actiontrail.get_trails()
        for raw_trail in raw_trails:
            trail_id, trail = self._parse_trails(raw_trail)
            self[trail_id] = trail

    def _parse_trails(self, raw_trail):
        """
        Map a raw trail onto the report's field names

        :param raw_trail: one trail as returned by the facade
        :return: a (trail id, trail dict) tuple; the id is the trail's 'Name'
        """
        field = raw_trail.get
        trail_dict = {
            'id': field('Name'),
            'name': field('Name'),
            'role_name': field('RoleName'),
            'home_region': field('HomeRegion'),
            'oss_bucket_name': field('OssBucketName'),
            'include_global_service_event': field('IncludeGlobalServiceEvent'),
            'status': field('Status'),
            'oss_key_prefix': field('OssKeyPrefix'),
            'region': field('Region'),
            'event_rw': field('EventRW'),
            'type': field('Type'),
            'sls_write_role_arn': field('SlsWriteRoleArn'),
            'sls_project_arn': field('SlsProjectArn'),
        }
        return trail_dict['id'], trail_dict



================================================
FILE: ScoutSuite/providers/aliyun/resources/base.py
================================================
"""This module provides implementations for Resources and CompositeResources for Aliyun."""

import abc

from ScoutSuite.providers.base.resources.base import Resources, CompositeResources


class AliyunResources(Resources, metaclass=abc.ABCMeta):
    """Base class for Aliyun resources; adds nothing on top of Resources."""


class AliyunCompositeResources(AliyunResources, CompositeResources, metaclass=abc.ABCMeta):
    """A collection of composite Resources, i.e. resources that include nested resources (their children).

    Classes extending AliyunCompositeResources have to define a '_children' attribute: a list of tuples
    describing the children, each in the format (<child_class>, <child_name>). 'child_name' is the name
    under which the child resources will be stored in the parent object.
    """


================================================
FILE: ScoutSuite/providers/aliyun/resources/ecs/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/resources/ecs/base.py
================================================
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade
from ScoutSuite.providers.aliyun.resources.regions import Regions
from ScoutSuite.providers.aliyun.resources.ecs.instances import Instances


class ECS(Regions):
    """ECS service resources; Instances is the only child, stored under 'instances'."""

    _children = [(Instances, 'instances')]

    def __init__(self, facade: AliyunFacade):
        # 'ecs' is the service name handed to the Regions base class.
        super().__init__('ecs', facade)


================================================
FILE: ScoutSuite/providers/aliyun/resources/ecs/instances.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class Instances(AliyunResources):
    """Collection of ECS instances for one region, keyed by instance id."""

    def __init__(self, facade: AliyunFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's instances through the facade and store each one under its id."""
        raw_instances = await self.facade.ecs.get_instances(region=self.region)
        for raw_instance in raw_instances:
            instance_id, instance = await self._parse_instance(raw_instance)
            self[instance_id] = instance

    async def _parse_instance(self, raw_instance):
        """
        Map a raw instance onto the report's field names

        :param raw_instance: one instance as returned by the facade
        :return: an (instance id, instance dict) tuple
        """
        # (report key, API field) pairs; the report dict keeps this order. Fields missing
        # from the raw instance end up as None.
        field_map = (
            ('id', 'InstanceId'),
            ('name', 'InstanceName'),
            ('auto_release_time', 'AutoReleaseTime'),
            ('region_id', 'RegionId'),
            ('dedicated_instance_attribute', 'DedicatedInstanceAttribute'),
            ('serial_number', 'SerialNumber'),
            ('creation_time', 'CreationTime'),
            ('spot_price_limit', 'SpotPriceLimit'),
            ('expired_time', 'ExpiredTime'),
            ('io_optimized', 'IoOptimized'),
            ('memory', 'Memory'),
            ('os_type', 'OSType'),
            ('internet_charge_type', 'InternetChargeType'),
            ('vpc_attributes', 'VpcAttributes'),
            ('status', 'Status'),
            ('description', 'Description'),
            ('os_name_en', 'OSNameEn'),
            ('host_name', 'HostName'),
            ('cluster_id', 'ClusterId'),
            ('image_id', 'ImageId'),
            ('resource_group_id', 'ResourceGroupId'),
            ('instance_type_family', 'InstanceTypeFamily'),
            ('credit_specification', 'CreditSpecification'),
            ('instance_network_type', 'InstanceNetworkType'),
            ('instance_type', 'InstanceType'),
            ('network_interfaces', 'NetworkInterfaces'),
            ('eip_address', 'EipAddress'),
            ('inner_ip_address', 'InnerIpAddress'),
            ('gpu_amount', 'GPUAmount'),
            ('operation_locks', 'OperationLocks'),
            ('instance_charge_type', 'InstanceChargeType'),
            ('zone_id', 'ZoneId'),
            ('internet_max_bandwidth_out', 'InternetMaxBandwidthOut'),
            ('sale_cycle', 'SaleCycle'),
            ('spot_strategy', 'SpotStrategy'),
            ('security_group_ids', 'SecurityGroupIds'),
            ('ecs_capacity_reservation_attr', 'EcsCapacityReservationAttr'),
            ('cpu', 'Cpu'),
            ('public_ip_address', 'PublicIpAddress'),
            ('deletion_protection', 'DeletionProtection'),
            ('stopped_mode', 'StoppedMode'),
            ('internet_max_bandwidth_in', 'InternetMaxBandwidthIn'),
            ('deployment_set_id', 'DeploymentSetId'),
            ('os_name', 'OSName'),
            ('vlan_id', 'VlanId'),
            ('recyclable', 'Recyclable'),
            ('start_time', 'StartTime'),
            ('gpu_spec', 'GPUSpec'),
            ('device_available', 'DeviceAvailable'),
            ('dedicated_host_attribute', 'DedicatedHostAttribute'),
        )
        instance_dict = {report_key: raw_instance.get(api_field)
                         for report_key, api_field in field_map}
        return instance_dict['id'], instance_dict


================================================
FILE: ScoutSuite/providers/aliyun/resources/kms/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/resources/kms/base.py
================================================
from ScoutSuite.providers.aliyun.resources.regions import Regions
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade
from ScoutSuite.providers.aliyun.resources.kms.keys import Keys


class KMS(Regions):
    """KMS service resources; Keys is the only child, stored under 'keys'."""

    _children = [(Keys, 'keys')]

    def __init__(self, facade: AliyunFacade):
        # 'kms' is the service name handed to the Regions base class.
        super().__init__('kms', facade)


================================================
FILE: ScoutSuite/providers/aliyun/resources/kms/keys.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


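class Keys(AliyunResources):
    """Collection of KMS keys for one region, keyed by key id."""

    def __init__(self, facade: AliyunFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's keys through the facade and store each parsed key under its id."""
        for raw_key in await self.facade.kms.get_keys(region=self.region):
            key_id, key = await self._parse_key(raw_key)
            self[key_id] = key

    async def _parse_key(self, raw_key):
        """
        Map a raw key and its details onto the report's field names

        :param raw_key: one key as returned by the key listing
        :return: a (key id, key dict) tuple; detail fields are None when the details lookup
                 returned nothing
        """
        key_dict = {}
        key_dict['id'] = raw_key.get('KeyId')
        key_dict['name'] = raw_key.get('KeyId')
        key_dict['arn'] = raw_key.get('KeyArn')

        # get additional details for the key
        raw_key_details = await self.facade.kms.get_key_details(key_dict['id'], region=self.region)
        if not raw_key_details:
            # The facade returns an empty value (not necessarily a dict) when the lookup
            # fails or yields nothing; calling .get() on it would raise AttributeError and
            # abort the parse of this key.
            raw_key_details = {}

        key_dict['creation_date'] = raw_key_details.get('CreationDate')
        key_dict['delete_date'] = raw_key_details.get('DeleteDate')
        key_dict['origin'] = raw_key_details.get('Origin')
        key_dict['description'] = raw_key_details.get('Description')
        key_dict['creator'] = raw_key_details.get('Creator')
        key_dict['usage'] = raw_key_details.get('KeyUsage')
        key_dict['material_expire_time'] = raw_key_details.get('MaterialExpireTime')
        key_dict['state'] = raw_key_details.get('KeyState')

        # The API reports unset dates as empty strings; normalise them to None.
        for date_field in ('delete_date', 'material_expire_time'):
            if key_dict[date_field] == '':
                key_dict[date_field] = None

        return key_dict['id'], key_dict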



================================================
FILE: ScoutSuite/providers/aliyun/resources/oss/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/resources/oss/base.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunCompositeResources
from ScoutSuite.providers.aliyun.resources.oss.buckets import Buckets


class OSS(AliyunCompositeResources):
    """Aliyun OSS service node; its only child collection is the buckets."""

    _children = [(Buckets, 'buckets')]

    async def fetch_all(self, **kwargs):
        """
        Fetch the child collections with this object as their parent.

        :param kwargs: accepted but not used by this method
        :return: None
        """
        await self._fetch_children(resource_parent=self)


================================================
FILE: ScoutSuite/providers/aliyun/resources/oss/buckets.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources


class Buckets(AliyunResources):
    """OSS buckets returned by the facade, keyed by bucket name."""

    async def fetch_all(self):
        """List the buckets through the facade and store each parsed bucket."""
        raw_buckets = await self.facade.oss.get_buckets()
        for raw_bucket in raw_buckets:
            bucket_id, parsed_bucket = self._parse_bucket(raw_bucket)
            self[bucket_id] = parsed_bucket

    def _parse_bucket(self, raw_bucket):
        """
        Build the report entry for one bucket.

        Only the name, location, storage class and creation date are read;
        no ACL, policy or encryption setting is collected here.

        :param raw_bucket: bucket object exposing the attributes read below
        :return: tuple of (bucket ID, bucket dictionary)
        """
        bucket_name = raw_bucket.name
        bucket_dict = {
            # The bucket name doubles as the ID.
            'name': bucket_name,
            'id': bucket_name,
            'location': raw_bucket.location,
            'storage_class': raw_bucket.storage_class,
            'creation_date': raw_bucket.creation_date,
        }
        return bucket_dict['id'], bucket_dict


================================================
FILE: ScoutSuite/providers/aliyun/resources/ram/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/resources/ram/api_keys.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class ApiKeys(AliyunResources):
    """Access keys of one RAM user, keyed by access key ID."""

    def __init__(self, facade: AliyunFacade, user):
        super().__init__(facade)
        # User dictionary of the owner; its 'name' entry is used for the API calls.
        self.user = user

    async def fetch_all(self):
        """List the user's access keys through the facade and store each one."""
        raw_keys = await self.facade.ram.get_user_api_keys(username=self.user['name'])
        for raw_key in raw_keys:
            access_key_id, parsed_key = await self._parse_api_key(raw_key)
            self[access_key_id] = parsed_key

    async def _parse_api_key(self, raw_api_key):
        """
        Build the report entry for one access key.

        Only the key ID, creation date, status and last usage are stored.

        :param raw_api_key: access key entry from the key listing call
        :return: tuple of (access key ID, key dictionary)
        """
        access_key_id = raw_api_key['AccessKeyId']
        api_key = {
            'id': access_key_id,
            'creation_datetime': raw_api_key['CreateDate'],
            'status': raw_api_key['Status'],
        }

        last_usage = await self.facade.ram.get_user_api_key_last_usage(self.user['name'], access_key_id)
        # The facade's 'N/A' marker is stored as None.
        if last_usage == 'N/A':
            last_usage = None
        api_key['last_usage_datetime'] = last_usage

        return api_key['id'], api_key


================================================
FILE: ScoutSuite/providers/aliyun/resources/ram/base.py
================================================
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade
from ScoutSuite.providers.aliyun.resources.base import AliyunCompositeResources
from ScoutSuite.providers.aliyun.resources.ram.groups import Groups
from ScoutSuite.providers.aliyun.resources.ram.password_policy import PasswordPolicy
from ScoutSuite.providers.aliyun.resources.ram.policies import Policies
from ScoutSuite.providers.aliyun.resources.ram.roles import Roles
from ScoutSuite.providers.aliyun.resources.ram.security_policy import SecurityPolicy
from ScoutSuite.providers.aliyun.resources.ram.users import Users


class RAM(AliyunCompositeResources):
    """Aliyun RAM service node: users, groups, roles, policies and account policies."""

    _children = [
        (Users, 'users'),
        (Groups, 'groups'),
        (Roles, 'roles'),
        (Policies, 'policies'),
        (PasswordPolicy, 'password_policy'),
        (SecurityPolicy, 'security_policy')
    ]

    def __init__(self, facade: AliyunFacade):
        super().__init__(facade)
        self.service = 'ram'

    async def fetch_all(self, **kwargs):
        """
        Fetch every child collection, then zero the counts of the two account policies.

        :param kwargs: accepted but not used by this method
        :return: None
        """
        await self._fetch_children(resource_parent=self)

        # The password and security policies are settings rather than
        # resources, so the report must not count them.
        self['password_policy_count'] = 0
        self['security_policy_count'] = 0

        # TODO for each user check last login & API key usage for "last activity"

    async def finalize(self):
        """Cross-reference users, groups, roles and policies once everything is fetched."""
        self._match_users_and_groups()
        self._match_policies_and_entities()

    def _match_users_and_groups(self):
        """
        Give every user a 'groups' list naming the groups it is a member of.

        Membership is decided by comparing the user key with the 'name' of
        each entry in the group's 'users' list.

        :return: None
        """
        for user_key, user in self['users'].items():
            user['groups'] = []
            for group_key, group in self['groups'].items():
                if any(member['name'] == user_key for member in group['users']):
                    user['groups'].append(group_key)

    def _match_policies_and_entities(self):
        """
        Record on each user, group and role the IDs of the policies attached to it.

        An entity is matched by its 'name' against the policy's 'entities'
        lists. The 'policies' list of an entity is only created while
        iterating the policies, so it is absent when there are none.

        :return: None
        """
        for entity_kind in ('users', 'groups', 'roles'):
            for policy in self['policies'].values():
                for entity in self[entity_kind].values():
                    if not entity.get('policies'):
                        entity['policies'] = []
                    if entity['name'] in policy['entities'].get(entity_kind, []):
                        entity['policies'].append(policy['id'])


================================================
FILE: ScoutSuite/providers/aliyun/resources/ram/groups.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class Groups(AliyunResources):
    """RAM groups, keyed by group name, each with its member list."""

    def __init__(self, facade: AliyunFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """List the groups through the facade and store each parsed group."""
        raw_groups = await self.facade.ram.get_groups()
        for raw_group in raw_groups:
            group_id, parsed_group = await self._parse_group(raw_group)
            self[group_id] = parsed_group

    async def _parse_group(self, raw_group):
        """
        Build the report entry for one group, including its members.

        :param raw_group: group entry from the group listing call
        :return: tuple of (group ID, group dictionary)
        """
        group_name = raw_group.get('GroupName')
        group_dict = {
            # The group name doubles as the ID.
            'id': group_name,
            'name': group_name,
            'comments': raw_group.get('Comments'),
            'create_date': raw_group.get('CreateDate'),
            'update_date': raw_group.get('UpdateDate'),
            'users': [],
        }

        # Members are fetched with one extra call per group.
        members = await self.facade.ram.get_group_users(group_name)
        group_dict['users'].extend(
            {
                'name': member.get('UserName'),
                'display_name': member.get('DisplayName'),
                'join_date': member.get('JoinDate')
            }
            for member in members
        )

        return group_dict['id'], group_dict



================================================
FILE: ScoutSuite/providers/aliyun/resources/ram/password_policy.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


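class PasswordPolicy(AliyunResources):
    """RAM account password policy, stored as flat keys on this object."""

    def __init__(self, facade: AliyunFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch the password policy through the facade and merge it into this object."""
        raw_password_policy = await self.facade.ram.get_password_policy()
        password_policy = self._parse_password_policy(raw_password_policy)
        self.update(password_policy)

    def _parse_password_policy(self, raw_password_policy):
        """
        Translate the raw password policy into the keys the findings read.

        'password_reuse_prevention' becomes a boolean; when it is enabled the
        numeric setting is kept under 'password_reuse_count'.

        :param raw_password_policy: policy dictionary from the facade
        :return: password policy dictionary
        """
        password_policy_dict = {
            'minimum_password_length': raw_password_policy.get('MinimumPasswordLength'),
            'hard_expiry': raw_password_policy.get('HardExpiry'),
            # NOTE(review): 'MaxLoginAttemps' is kept exactly as the original code
            # spells it; presumably it mirrors the response field - confirm
            # before "correcting" it.
            'max_login_attempts': raw_password_policy.get('MaxLoginAttemps'),
            'max_password_age': raw_password_policy.get('MaxPasswordAge'),
            'password_reuse_prevention': raw_password_policy.get('PasswordReusePrevention'),
            'require_uppercase_characters': raw_password_policy.get('RequireUppercaseCharacters'),
            'require_lowercase_characters': raw_password_policy.get('RequireLowercaseCharacters'),
            'require_numbers': raw_password_policy.get('RequireNumbers'),
            'require_symbols': raw_password_policy.get('RequireSymbols'),
        }

        reuse_count = password_policy_dict['password_reuse_prevention']
        if reuse_count:
            password_policy_dict['password_reuse_prevention'] = True
            password_policy_dict['password_reuse_count'] = reuse_count
        else:
            # 0 disables the control. A missing value is treated the same way:
            # comparing None with 0 used to report the control as enabled,
            # which hid the password reuse finding whenever the field was absent.
            password_policy_dict['password_reuse_prevention'] = False

        return password_policy_dict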


================================================
FILE: ScoutSuite/providers/aliyun/resources/ram/policies.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade
import json


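class Policies(AliyunResources):
    """RAM policies that are attached to at least one entity, keyed by policy name."""

    def __init__(self, facade: AliyunFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """List the policies through the facade and store the attached ones."""
        for raw_policy in await self.facade.ram.get_policies():
            policy_id, policy = await self._parse_policy(raw_policy)
            # Unattached policies come back as (None, None) and are not stored.
            if policy_id:
                self[policy_id] = policy

    async def _parse_policy(self, raw_policy):
        """
        Build the report entry for one policy.

        Only policies with an attachment count above zero are processed, so a
        policy that is attached to nothing does not appear in the report.

        :param raw_policy: policy entry from the policy listing call
        :return: tuple of (policy ID, policy dictionary), or (None, None) when
                 the policy is not attached to any entity
        """
        # A missing AttachmentCount is read as zero; comparing None with 0
        # raised TypeError and aborted the whole policy fetch.
        attachment_count = raw_policy.get('AttachmentCount') or 0
        if attachment_count <= 0:
            return None, None

        policy_dict = {}
        policy_dict['id'] = policy_dict['name'] = raw_policy.get('PolicyName')
        policy_dict['description'] = raw_policy.get('Description')
        policy_dict['create_date'] = raw_policy.get('CreateDate')
        policy_dict['update_date'] = raw_policy.get('UpdateDate')
        policy_dict['attachment_count'] = raw_policy.get('AttachmentCount')
        policy_dict['type'] = raw_policy.get('PolicyType')
        policy_dict['default_version'] = raw_policy.get('DefaultVersion')

        policy_version = await self.facade.ram.get_policy_version(policy_dict['name'],
                                                                  policy_dict['type'],
                                                                  policy_dict['default_version'])
        # The document arrives as a JSON string; it is decoded in place and the
        # whole version record is stored under 'policy_document'.
        policy_version['PolicyDocument'] = json.loads(policy_version['PolicyDocument'])
        policy_dict['policy_document'] = policy_version

        policy_entities = await self.facade.ram.get_policy_entities(policy_dict['name'],
                                                                    policy_dict['type'])
        # Each entity kind gets a list of names only when the policy is
        # attached to at least one entity of that kind.
        policy_dict['entities'] = {}
        entity_layout = (
            ('users', 'Users', 'User', 'UserName'),
            ('groups', 'Groups', 'Group', 'GroupName'),
            ('roles', 'Roles', 'Role', 'RoleName'),
        )
        for entity_kind, container_field, item_field, name_field in entity_layout:
            raw_entities = policy_entities[container_field][item_field]
            if raw_entities:
                policy_dict['entities'][entity_kind] = [entity[name_field] for entity in raw_entities]

        return policy_dict['id'], policy_dict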


================================================
FILE: ScoutSuite/providers/aliyun/resources/ram/roles.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class Roles(AliyunResources):
    """RAM roles, keyed by role name."""

    def __init__(self, facade: AliyunFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """List the roles through the facade and store each parsed role."""
        raw_roles = await self.facade.ram.get_roles()
        for raw_role in raw_roles:
            role_id, parsed_role = await self._parse_role(raw_role)
            self[role_id] = parsed_role

    async def _parse_role(self, raw_role):
        """
        Build the report entry for one role.

        :param raw_role: role entry from the role listing call
        :return: tuple of (role ID, role dictionary)
        """
        role_id_from_api = raw_role.get('RoleId')
        role_name = raw_role.get('RoleName')
        role_dict = {
            # required as groups use the name as an ID
            'identifier': role_id_from_api,
            'id': role_name,
            'name': role_name,
            'create_date': raw_role.get('CreateDate'),
            'description': raw_role.get('Description'),
            'arn': raw_role.get('Arn'),
        }
        return role_dict['id'], role_dict




================================================
FILE: ScoutSuite/providers/aliyun/resources/ram/security_policy.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class SecurityPolicy(AliyunResources):
    """RAM account security preferences, stored as flat keys on this object."""

    def __init__(self, facade: AliyunFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch the security policy through the facade and merge it into this object."""
        raw_security_policy = await self.facade.ram.get_security_policy()
        self.update(self._parse_security_policy(raw_security_policy))

    def _parse_security_policy(self, raw_security_policy):
        """
        Flatten the nested preference sections into one dictionary.

        A section that is absent yields None for each of its settings.

        :param raw_security_policy: security policy dictionary from the facade
        :return: security policy dictionary
        """
        login_profile = raw_security_policy.get('LoginProfilePreference', {})
        network_masks = login_profile.get('LoginNetworkMasks')
        session_duration = login_profile.get('LoginSessionDuration')
        save_mfa_ticket = login_profile.get('EnableSaveMFATicket')
        change_password = login_profile.get('AllowUserToChangePassword')
        access_keys = raw_security_policy.get('AccessKeyPreference', {})
        mfa_devices = raw_security_policy.get('MFAPreference', {})
        public_keys = raw_security_policy.get('PublicKeyPreference', {})

        # An empty mask string is stored as None (presumably it means that no
        # login network restriction is set - confirm).
        if network_masks == '':
            network_masks = None

        return {
            'login_network_masks': network_masks,
            'login_session_duration': session_duration,
            'enable_save_mfa_ticket': save_mfa_ticket,
            'allow_user_change_password': change_password,
            'allow_user_manage_access_keys': access_keys.get('AllowUserToManageAccessKeys'),
            'allow_user_manage_mfa_devices': mfa_devices.get('AllowUserToManageMFADevices'),
            'allow_user_manage_public_keys': public_keys.get('AllowUserToManagePublicKeys'),
        }


================================================
FILE: ScoutSuite/providers/aliyun/resources/ram/users.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunCompositeResources

from .api_keys import ApiKeys


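class Users(AliyunCompositeResources):
    """RAM users, keyed by user name, each with its access keys as a child collection."""

    _children = [
        (ApiKeys, 'api_keys')
    ]

    async def fetch_all(self):
        """List the users through the facade, then fetch the access keys of each one."""
        for raw_user in await self.facade.ram.get_users():
            user_id, user = await self._parse_user(raw_user)
            self[user_id] = user

        # Each child collection receives its owning user dictionary as scope.
        await self._fetch_children_of_all_resources(
            resources=self,
            scopes={user_id: {'user': user}
                    for user_id, user in self.items()}
        )

    async def _parse_user(self, raw_user):
        """
        Build the report entry for one user, including login and MFA details.

        :param raw_user: user entry from the user listing call
        :return: tuple of (user ID, user dictionary)
        """
        user = {}
        user['identifier'] = raw_user['UserId']  # required as groups use the name as an ID
        user['id'] = user['name'] = raw_user['UserName']
        user['display_name'] = raw_user['DisplayName']
        user['comments'] = raw_user['Comments']
        user['creation_datetime'] = raw_user['CreateDate']
        # The update time was copied from 'CreateDate', so a changed user never
        # showed a newer date. Read with .get() so a listing without the field
        # yields None instead of raising.
        user['update_datetime'] = raw_user.get('UpdateDate')
        user['creation_date'] = raw_user['CreateDate']

        # get additional details for the user
        user_details = await self.facade.ram.get_user_details(user['name'])
        last_login = user_details.get('LastLoginDate')
        user['email'] = user_details.get('Email')
        user['mobile_phone'] = user_details.get('MobilePhone')
        user['last_login_datetime'] = last_login if last_login != '' else None

        # TODO this isn't valid: console access is inferred from a recorded
        # login. A user that has a console password but has never logged in is
        # stored as having no console access, and the ram-user-lacking-mfa
        # finding, which requires console_access to be true, will not report it.
        user['console_access'] = bool(last_login)

        # get the MFA status for the user
        mfa_enabled, mfa_serial_number = await self.facade.ram.get_user_mfa_status(user['name'])
        user['mfa_status'] = mfa_enabled
        user['mfa_serial_number'] = mfa_serial_number

        return user['id'], user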


================================================
FILE: ScoutSuite/providers/aliyun/resources/rds/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/resources/rds/base.py
================================================
from ScoutSuite.providers.aliyun.resources.regions import Regions
from ScoutSuite.providers.aliyun.resources.rds.instances import Instances
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class RDS(Regions):
    """Aliyun RDS service node; database instances are collected per region."""

    _children = [(Instances, 'instances')]

    def __init__(self, facade: AliyunFacade):
        # 'rds' is the service name handed to the region-aware base class.
        super().__init__('rds', facade)



================================================
FILE: ScoutSuite/providers/aliyun/resources/rds/instances.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class Instances(AliyunResources):
    """RDS instances of a single region, keyed by instance ID."""

    def __init__(self, facade: AliyunFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """List the region's instances through the facade and store each one."""
        raw_instances = await self.facade.rds.get_instances(region=self.region)
        for raw_instance in raw_instances:
            instance_id, parsed_instance = await self._parse_instance(raw_instance)
            self[instance_id] = parsed_instance

    async def _parse_instance(self, raw_instance):
        """
        Build the report entry for one instance by copying the listed fields.

        :param raw_instance: instance entry from the instance listing call
        :return: tuple of (instance ID, instance dictionary)
        """
        instance_dict = {
            'id': raw_instance.get('DBInstanceId'),
            # The ID is the fallback only when the description key is absent,
            # not when it is present but empty.
            'name': raw_instance.get('DBInstanceDescription', raw_instance.get('DBInstanceId')),
        }

        # (report key, response field) pairs, copied in this order.
        # NOTE(review): 'MutriORsignle' is spelled as in the original code;
        # presumably it mirrors the response field - confirm.
        copied_fields = (
            ('create_time', 'CreateTime'),
            ('expire_time', 'ExpireTime'),
            ('ins_id', 'InsId'),
            ('lock_mode', 'LockMode'),
            ('db_instance_net_type', 'DBInstanceNetType'),
            ('read_only_db_instance_ids', 'ReadOnlyDBInstanceIds'),
            ('lock_reason', 'LockReason'),
            ('engine', 'Engine'),
            ('vpc_id', 'VpcId'),
            ('mutri_o_rsignle', 'MutriORsignle'),
            ('connection_mode', 'ConnectionMode'),
            ('region_id', 'RegionId'),
            ('resource_group_id', 'ResourceGroupId'),
            ('vswitch_id', 'VSwitchId'),
            ('instance_network_type', 'InstanceNetworkType'),
            ('db_instance_type', 'DBInstanceType'),
            ('db_instance_status', 'DBInstanceStatus'),
            ('zone_id', 'ZoneId'),
            ('engine_version', 'EngineVersion'),
            ('vpc_cloud_instance_id', 'VpcCloudInstanceId'),
            ('pay_type', 'PayType'),
            ('db_instance_class', 'DBInstanceClass'),
        )
        for report_key, response_field in copied_fields:
            instance_dict[report_key] = raw_instance.get(response_field)

        return instance_dict['id'], instance_dict



================================================
FILE: ScoutSuite/providers/aliyun/resources/regions.py
================================================
import abc

from ScoutSuite.providers.aliyun.resources.base import AliyunCompositeResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class Regions(AliyunCompositeResources, metaclass=abc.ABCMeta):
    """Base class for services whose resources are collected region by region."""

    def __init__(self, service: str, facade: AliyunFacade):
        super().__init__(facade)
        self.service = service

    async def fetch_all(self, regions=None):
        """
        Build the region entries, fetch the children of each region and sum the counts.

        :param regions: passed to the facade's build_region_list together with the service name
        :return: None
        """
        self['regions'] = {}
        region_names = await self.facade.build_region_list(self.service, regions)
        for region_name in region_names:
            self['regions'][region_name] = dict(id=region_name, region=region_name, name=region_name)

        # Every child collection is scoped to the region it belongs to.
        region_scopes = {region_name: {'region': region_name} for region_name in self['regions']}
        await self._fetch_children_of_all_resources(
            resources=self['regions'],
            scopes=region_scopes
        )

        self._set_counts()

    def _set_counts(self):
        """Store the number of regions and, per child kind, the total over all regions."""
        self['regions_count'] = len(self['regions'])
        # VPCs should not be counted as resources. They exist whether you have resources or not,
        # so counting them would make the report confusing.
        countable_keys = (key for _, key in self._children if key != 'vpcs')
        for key in countable_keys:
            self[key + '_count'] = sum(region[key + '_count'] for region in self['regions'].values())


================================================
FILE: ScoutSuite/providers/aliyun/resources/vpc/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aliyun/resources/vpc/base.py
================================================
from ScoutSuite.providers.aliyun.resources.regions import Regions
from ScoutSuite.providers.aliyun.resources.vpc.vpcs import VPCs
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class VPC(Regions):
    """Aliyun VPC service node; VPCs are collected per region."""

    _children = [(VPCs, 'vpcs')]

    def __init__(self, facade: AliyunFacade):
        # 'vpc' is the service name handed to the region-aware base class.
        super().__init__('vpc', facade)


================================================
FILE: ScoutSuite/providers/aliyun/resources/vpc/vpcs.py
================================================
from ScoutSuite.providers.aliyun.resources.base import AliyunResources
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade


class VPCs(AliyunResources):
    """VPCs of a single region, keyed by VPC ID."""

    def __init__(self, facade: AliyunFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """List the region's VPCs through the facade and store each parsed VPC."""
        raw_vpcs = await self.facade.vpc.get_vpcs(region=self.region)
        for raw_vpc in raw_vpcs:
            vpc_id, parsed_vpc = self._parse_vpcs(raw_vpc)
            self[vpc_id] = parsed_vpc

    def _parse_vpcs(self, raw_vpc):
        """
        Build the report entry for one VPC by copying the listed fields.

        :param raw_vpc: VPC entry from the VPC listing call
        :return: tuple of (VPC ID, VPC dictionary)
        """
        vpc_name = raw_vpc.get('VpcName')
        vpc_dict = {
            'id': raw_vpc.get('VpcId'),
            # An unnamed VPC (empty name) is shown under its ID.
            'name': raw_vpc.get('VpcId') if vpc_name == '' else vpc_name,
        }

        # (report key, response field) pairs, copied in this order.
        copied_fields = (
            ('vrouter_id', 'VRouterId'),
            ('vswitch_ids', 'VSwitchIds'),
            ('description', 'Description'),
            ('status', 'Status'),
            ('nat_gateway_ids', 'NatGatewayIds'),
            ('user_cidrs', 'UserCidrs'),
            ('ipv6_cidr_block', 'Ipv6CidrBlock'),
            ('region_id', 'RegionId'),
            ('network_acl_num', 'NetworkAclNum'),
            ('creation_time', 'CreationTime'),
            ('router_table_ids', 'RouterTableIds'),
            ('resource_group_id', 'ResourceGroupId'),
            ('cen_status', 'CenStatus'),
            ('cidr_block', 'CidrBlock'),
            ('is_default', 'IsDefault'),
        )
        for report_key, response_field in copied_fields:
            vpc_dict[report_key] = raw_vpc.get(response_field)

        return vpc_dict['id'], vpc_dict


================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/actiontrail-not-configured.json
================================================
{
    "description": "Not Configured",
    "rationale": "No trail is configured, which means that API activity is not being logged.",
    "dashboard_name": "Trails",
    "path": "actiontrail.trails",
    "conditions": [
        "and",
        [
            "actiontrail.trails",
            "empty",
            ""
        ]
    ]
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/actiontrail-not-enabled.json
================================================
{
    "description": "Not Enabled",
    "rationale": "No trail is enabled, which means that API activity is not being logged.",
    "dashboard_name": "Trails",
    "path": "actiontrail.trails.id",
    "conditions": [
        "and",
        [
            "actiontrail.trails.id.status",
            "notEqual",
            "Enable"
        ]
    ],
    "id_suffix": "status"
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ecs-instance-with-deletion-protection-disabled.json
================================================
{
    "description": "Instance without Deletion Protection",
    "rationale": "It is good practice to enable this feature on production instances, to ensure that they may not be deleted by accident.",
    "dashboard_name": "Instances",
    "display_path": "ecs.regions.id.instances.id",
    "path": "ecs.regions.id.instances.id",
    "conditions": [
        "and",
        [
            "ecs.regions.id.instances.id.deletion_protection",
            "false",
            ""
        ]
    ],
    "id_suffix": "deletion_protection"
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ecs-instance-with-public-ip.json
================================================
{
    "description": "Instance with a Public IP",
    "rationale": "It is good practice to maintain a list of known, publicly accessible instances and flag all other instances that meet these criteria.",
    "dashboard_name": "Instances",
    "display_path": "ecs.regions.id.instances.id",
    "path": "ecs.regions.id.instances.id",
    "conditions": [
        "and",
        [
            "ecs.regions.id.instances.id.public_ip_address",
            "notNull",
            ""
        ]
    ],
    "id_suffix": "public_ip_address"
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/kms-no-key-rotation.json
================================================
{
    "description": "KMS Keys Are Not Being Rotated",
    "rationale": "Keys should be routinely rotated to prevent usage of compromised keys.",
    "dashboard_name": "Keys",
    "display_path": "kms.regions.id.keys.id",
    "path": "kms.regions.id.keys.id",
    "conditions": [
        "and",
        [
            "kms.regions.id.keys.id.state",
            "equal",
            "Enabled"
        ],
        [
            "kms.regions.id.keys.id.creation_date",
            "olderThan",
            [
                "_ARG_0_",
                "days"
            ]
        ]
    ],
    "id_suffix": "creation_date"
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-password-policy-expiration-threshold.json
================================================
{
    "description": "Passwords Should Expire after _ARG_0_ Days",
    "dashboard_name": "Password policy",
    "path": "ram.password_policy.max_password_age",
    "conditions": [
        "or",
        [
            "this",
            "moreThan",
            "_ARG_0_"
        ],
        [
            "this",
            "equal",
            "0"
        ]
    ],
    "arg_names": [
        "Maximum password age"
    ]
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-password-policy-minimum-length.json
================================================
{
    "description": "Minimum Password Length Too Short",
    "dashboard_name": "Password policy",
    "path": "ram.password_policy.minimum_password_length",
    "conditions": [
        "or",
        [
            "this",
            "lessThan",
            "_ARG_0_"
        ]
    ],
    "arg_names": [
        "Minimum password length"
    ]
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-password-policy-no-expiration.json
================================================
{
    "description": "Password Expiration Disabled",
    "dashboard_name": "Password policy",
    "path": "ram.password_policy.max_password_age",
    "conditions": [
        "or",
        [
            "this",
            "equal",
            "0"
        ]
    ]
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-password-policy-no-lowercase-required.json
================================================
{
    "description": "Password Policy Lacks Lowercase Requirement",
    "dashboard_name": "Password policy",
    "path": "ram.password_policy.require_lowercase_characters",
    "conditions": [
        "or",
        [
            "this",
            "false",
            ""
        ]
    ]
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-password-policy-no-number-required.json
================================================
{
    "description": "Password Policy Lacks Number Requirement",
    "dashboard_name": "Password policy",
    "path": "ram.password_policy.require_numbers",
    "conditions": [
        "or",
        [
            "this",
            "false",
            ""
        ]
    ]
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-password-policy-no-symbol-required.json
================================================
{
    "description": "Password Policy Lacks Symbol Requirement",
    "dashboard_name": "Password policy",
    "path": "ram.password_policy.require_symbols",
    "conditions": [
        "or",
        [
            "this",
            "false",
            ""
        ]
    ]
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-password-policy-no-uppercase-required.json
================================================
{
    "description": "Password Policy Lacks Uppercase Requirement",
    "dashboard_name": "Password policy",
    "path": "ram.password_policy.require_uppercase_characters",
    "conditions": [
        "or",
        [
            "this",
            "false",
            ""
        ]
    ]
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-password-policy-reuse-enabled.json
================================================
{
    "description": "Password Reuse Enabled",
    "dashboard_name": "Password policy",
    "path": "ram.password_policy.password_reuse_prevention",
    "conditions": [
        "or",
        [
            "this",
            "false",
            ""
        ]
    ]
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-user-lacking-mfa.json
================================================
{
    "description": "User with Console Access Lacking MFA",
    "rationale": "Users with console access should have multi-factor authentication (MFA) enabled.",
    "dashboard_name": "Users",
    "path": "ram.users.id",
    "conditions": [
        "and",
        [
            "ram.users.id.console_access",
            "true",
            ""
        ],
        [
            "ram.users.id.mfa_status",
            "false",
            ""
        ]
    ],
    "id_suffix": "mfa_secure"
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-user-unused-api-key.json
================================================
{
    "description": "User with Unused API Keys",
    "rationale": "",
    "dashboard_name": "Users",
    "path": "ram.users.id",
    "conditions": [
        "and",
        [
            "ram.users.id.api_keys.id.",
            "lengthMoreThan",
            "1"
        ]
    ],
    "id_suffix": "multiple_api_keys"
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-user-unused-console-password.json
================================================
{
    "description": "User with Unused Console Password",
    "rationale": "",
    "dashboard_name": "Users",
    "path": "ram.users.id",
    "conditions": [
        "and",
        [
            "ram.users.id.api_keys.id.",
            "lengthMoreThan",
            "1"
        ]
    ],
    "id_suffix": "multiple_api_keys"
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-user-with-multiple-api-keys.json
================================================
{
    "description": "User with Multiple API Keys",
    "rationale": "It is recommended for users to only have one access key.",
    "dashboard_name": "Users",
    "path": "ram.users.id",
    "conditions": [
        "and",
        [
            "ram.users.id.api_keys",
            "lengthMoreThan",
            "1"
        ]
    ],
    "id_suffix": "multiple_api_keys"
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/findings/ram-user-with-old-api-key.json
================================================
{
    "description": "User with Old API Keys",
    "rationale": "",
    "dashboard_name": "Users",
    "path": "ram.users.id",
    "conditions": [
        "and",
        [
            "ram.users.id.api_keys.id.",
            "lengthMoreThan",
            "1"
        ]
    ],
    "id_suffix": "multiple_api_keys"
}

================================================
FILE: ScoutSuite/providers/aliyun/rules/rulesets/default.json
================================================
{
    "about": "Default ruleset for Alibaba Cloud.",
    "rules": {
        "actiontrail-not-configured.json": [
            {
                "enabled": true,
                "level": "danger"
            }
        ],
        "actiontrail-not-enabled.json": [
            {
                "enabled": true,
                "level": "warning"
            }
        ],
        "ecs-instance-with-deletion-protection-disabled.json": [
            {
                "enabled": true,
                "level": "warning"
            }
        ],
        "ecs-instance-with-public-ip.json": [
            {
                "enabled": true,
                "level": "warning"
            }
        ],
        "kms-no-key-rotation.json": [
            {
                "args": [
                    "90"
                ],
                "enabled": true,
                "level": "warning"
            }
        ],
        "ram-password-policy-expiration-threshold.json": [
            {
                "args": [
                    "90"
                ],
                "enabled": true,
                "level": "danger"
            }
        ],
        "ram-password-policy-minimum-length.json": [
            {
                "args": [
                    "8"
                ],
                "enabled": true,
                "level": "danger"
            }
        ],
        "ram-password-policy-no-expiration.json": [
            {
                "enabled": true,
                "level": "danger"
            }
        ],
        "ram-password-policy-no-lowercase-required.json": [
            {
                "enabled": true,
                "level": "danger"
            }
        ],
        "ram-password-policy-no-number-required.json": [
            {
                "enabled": true,
                "level": "danger"
            }
        ],
        "ram-password-policy-no-symbol-required.json": [
            {
                "enabled": true,
                "level": "danger"
            }
        ],
        "ram-password-policy-no-uppercase-required.json": [
            {
                "enabled": true,
                "level": "danger"
            }
        ],
        "ram-password-policy-reuse-enabled.json": [
            {
                "enabled": true,
                "level": "danger"
            }
        ],
        "ram-user-lacking-mfa.json": [
            {
                "enabled": true,
                "level": "warning"
            }
        ],
        "ram-user-unused-api-key.json": [
            {
                "enabled": false,
                "level": "warning"
            }
        ],
        "ram-user-unused-console-password.json": [
            {
                "enabled": false,
                "level": "warning"
            }
        ],
        "ram-user-with-multiple-api-keys.json": [
            {
                "enabled": true,
                "level": "warning"
            }
        ],
        "ram-user-with-old-api-key.json": [
            {
                "enabled": false,
                "level": "warning"
            }
        ]
    }
}


================================================
FILE: ScoutSuite/providers/aliyun/rules/rulesets/filters.json
================================================
{
    "about": "Default set of filters for Scout",
    "rules": {}
}


================================================
FILE: ScoutSuite/providers/aliyun/services.py
================================================
from ScoutSuite.providers.aliyun.facade.base import AliyunFacade
from ScoutSuite.providers.base.services import BaseServicesConfig
from ScoutSuite.providers.aliyun.resources.ram.base import RAM
from ScoutSuite.providers.aliyun.resources.actiontrail.base import ActionTrail
from ScoutSuite.providers.aliyun.resources.vpc.base import VPC
from ScoutSuite.providers.aliyun.resources.ecs.base import ECS
from ScoutSuite.providers.aliyun.resources.rds.base import RDS
from ScoutSuite.providers.aliyun.resources.kms.base import KMS
from ScoutSuite.providers.aliyun.resources.oss.base import OSS



class AliyunServicesConfig(BaseServicesConfig):
    """
    Service registry for the Alibaba Cloud (Aliyun) provider.

    Every service object is built on one shared ``AliyunFacade`` created from the
    credentials given to the constructor.
    """

    def __init__(self, credentials, **kwargs):
        """
        Create the facade and attach one resource object per supported service.

        :param credentials: provider credentials, passed to the base class and to ``AliyunFacade``
        :param kwargs: accepted but not read by this constructor
        """
        super().__init__(credentials)

        shared_facade = AliyunFacade(credentials)

        # Declaration order is kept, so the attributes are created in the same sequence.
        service_classes = (
            ('actiontrail', ActionTrail),
            ('ram', RAM),
            ('ecs', ECS),
            ('rds', RDS),
            ('vpc', VPC),
            ('kms', KMS),
            ('oss', OSS),
        )
        for attribute_name, resource_class in service_classes:
            setattr(self, attribute_name, resource_class(shared_facade))

    def _is_provider(self, provider_name):
        """Return True only when *provider_name* equals ``'aliyun'``."""
        matches_aliyun = provider_name == 'aliyun'
        return matches_aliyun


================================================
FILE: ScoutSuite/providers/aliyun/utils.py
================================================
import oss2
from aliyunsdkcore.client import AcsClient

from ScoutSuite.core.console import print_exception


def get_client(credentials, region=None):
    """
    Build an ``AcsClient`` for the requested region.

    :param credentials: object whose ``credentials`` attribute is handed to ``AcsClient``
    :param region: region id; ``'cn-hangzhou'`` is used when this is falsy
    :return: the client, or None when construction raised (the error goes to ``print_exception``)
    """
    try:
        region_id = region or 'cn-hangzhou'
        return AcsClient(credential=credentials.credentials, region_id=region_id)
    except Exception as error:
        # Callers receive None instead of the exception and have to check for it.
        print_exception(error)
        return None


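def get_oss_client(credentials, region=None):
    """
    Build an ``oss2.Service`` client for the requested region, using an HTTPS endpoint.

    :param credentials: object exposing ``credentials.access_key_id`` and
                        ``credentials.access_key_secret``
    :param region: region id used in the endpoint host name; ``cn-hangzhou`` when falsy
    :return: the client, or None when construction raised (the error goes to ``print_exception``)
    """
    try:
        auth = oss2.Auth(credentials.credentials.access_key_id, credentials.credentials.access_key_secret)
        region_id = region if region else 'cn-hangzhou'
        # The scheme is spelled out on purpose: oss2 treats an endpoint given without a scheme
        # as plain http://, which would carry the audit's OSS requests and responses unencrypted.
        client = oss2.Service(auth, endpoint=f'https://oss-{region_id}.aliyuncs.com')
        return client

    except Exception as e:
        # Callers receive None instead of the exception and have to check for it.
        print_exception(e)
        return None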


================================================
FILE: ScoutSuite/providers/aws/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/authentication_strategy.py
================================================
import boto3
import logging

from ScoutSuite import __version__
from ScoutSuite.providers.aws.utils import get_caller_identity
from ScoutSuite.providers.base.authentication_strategy import AuthenticationStrategy, AuthenticationException


class AWSCredentials:
    """Holder for the session object produced by AWS authentication."""

    def __init__(self, session):
        """
        :param session: session to keep; stored unchanged as ``self.session``
        """
        self.session = session


class AWSAuthenticationStrategy(AuthenticationStrategy):
    """
    Implements authentication for the AWS provider
    """

    def authenticate(self,
                     profile=None,
                     aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None,
                     **kwargs):
        """
        Build a boto3 session, check it with ``get_caller_identity`` and wrap it in
        ``AWSCredentials``.

        Credential source, in order of precedence: the named *profile*; an explicit access key
        pair (plus the session token when one is given); otherwise boto3's default lookup.

        :param profile: name of a configured profile
        :param aws_access_key_id: access key id, used only together with the secret
        :param aws_secret_access_key: secret access key, used only together with the key id
        :param aws_session_token: optional session token for the explicit key pair
        :param kwargs: accepted but not read by this method
        :return: ``AWSCredentials`` holding the session
        :raises AuthenticationException: wrapping any exception raised along the way
        """
        try:
            # The libraries are noisy below ERROR, so their loggers are raised to that level.
            for noisy_logger in ('botocore', 'botocore.auth', 'urllib3'):
                logging.getLogger(noisy_logger).setLevel(logging.ERROR)

            if profile:
                session_arguments = {'profile_name': profile}
            elif aws_access_key_id and aws_secret_access_key:
                session_arguments = {
                    'aws_access_key_id': aws_access_key_id,
                    'aws_secret_access_key': aws_secret_access_key,
                }
                if aws_session_token:
                    session_arguments['aws_session_token'] = aws_session_token
            else:
                # NOTE(review): a key id supplied without its secret (or the reverse) also ends
                # up here and is ignored, so the scan runs under whatever identity the default
                # lookup resolves to. Confirm that this is the intended behaviour.
                session_arguments = {}
            session = boto3.Session(**session_arguments)

            # Fails early when the session cannot identify a caller.
            get_caller_identity(session)

            # Custom user agent; ``_session`` is the session's private inner object.
            inner_session = session._session
            inner_session.user_agent_name = 'Scout Suite'
            inner_session.user_agent_extra = 'Scout Suite/{} (https://github.com/nccgroup/ScoutSuite)'.format(__version__)
            inner_session.user_agent_version = __version__

            return AWSCredentials(session=session)

        except Exception as e:
            raise AuthenticationException(e)


================================================
FILE: ScoutSuite/providers/aws/facade/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/facade/acm.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import map_concurrently, run_concurrently


class AcmFacade(AWSBaseFacade):
    """Facade over the ACM calls used to collect certificates."""

    async def get_certificates(self, region):
        """
        List the certificates in *region* and describe each of them.

        :param region: region to query
        :return: result of describing every listed certificate; an empty list when listing fails
        """
        try:
            summaries = await AWSFacadeUtils.get_all_pages(
                'acm', region, self.session, 'list_certificates', 'CertificateSummaryList')
            arns = [summary['CertificateArn'] for summary in summaries]
        except Exception as e:
            print_exception(f'Failed to get acm certificates: {e}')
            return []

        # Deliberately outside the try: the handler above covers the listing step only.
        return await map_concurrently(self._get_certificate, arns, region=region)

    async def _get_certificate(self, cert_arn: str, region: str):
        """
        Describe one certificate.

        :param cert_arn: ARN of the certificate
        :param region: region the certificate lives in
        :return: the ``Certificate`` element of the describe_certificate response
        :raises Exception: any failure is reported through ``print_exception`` and re-raised
        """
        client = AWSFacadeUtils.get_client('acm', self.session, region)

        def describe():
            return client.describe_certificate(CertificateArn=cert_arn)['Certificate']

        try:
            return await run_concurrently(describe)
        except Exception as e:
            print_exception(f'Failed to describe acm certificate: {e}')
            raise



================================================
FILE: ScoutSuite/providers/aws/facade/awslambda.py
================================================
import json

from ScoutSuite.core.console import print_exception, print_warning
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils


class LambdaFacade(AWSBaseFacade):
    """
    Facade over the Lambda and IAM calls used to collect Lambda function data.

    Apart from ``get_functions``, the methods call the client directly inside the coroutine
    instead of going through a concurrency helper.
    """

    async def get_functions(self, region):
        """
        List the Lambda functions in *region*.

        :return: the ``Functions`` entries of every page; an empty list when the call fails
        """
        try:
            functions = await AWSFacadeUtils.get_all_pages(
                'lambda', region, self.session, 'list_functions', 'Functions')
            return functions
        except Exception as e:
            print_exception(f'Failed to get Lambda functions: {e}')
            return []

    async def get_access_policy(self, function_name, region):
        """
        Fetch and parse the resource policy of a function.

        :return: the policy parsed from JSON, or None when there is no policy or the call fails
        """
        lambda_client = AWSFacadeUtils.get_client('lambda', self.session, region)
        try:
            response = lambda_client.get_policy(FunctionName=function_name)
            has_policy = response is not None and 'Policy' in response
            if has_policy:
                return json.loads(response['Policy'])
        except Exception as e:
            # A function without a policy raises ResourceNotFoundException, which is expected
            # and therefore not reported. The match is made on the exception text.
            if "ResourceNotFoundException" not in str(e):
                print_exception('Failed to get Lambda access policy: {}'.format(e))
            return None
        return None

    async def get_role_with_managed_policies(self, role_name):
        """
        Fetch a role together with the default-version document of each attached managed policy.

        :return: the role dict with a ``policies`` key added, or None when any call fails
        """
        iam_client = AWSFacadeUtils.get_client('iam', self.session)
        try:
            role = iam_client.get_role(RoleName=role_name)['Role']
            attached_policies = iam_client.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']
            for attached_policy in attached_policies:
                policy_arn = attached_policy['PolicyArn']
                policy_response = iam_client.get_policy(PolicyArn=policy_arn)
                if 'Policy' not in policy_response or 'DefaultVersionId' not in policy_response['Policy']:
                    continue
                default_version_id = policy_response['Policy']['DefaultVersionId']
                version_response = iam_client.get_policy_version(PolicyArn=policy_arn,
                                                                 VersionId=default_version_id)
                if 'PolicyVersion' in version_response and 'Document' in version_response['PolicyVersion']:
                    attached_policy['Document'] = version_response['PolicyVersion']['Document']
            role['policies'] = attached_policies
            return role
        except Exception as e:
            # A missing role or policy is downgraded to a warning; anything else is an error.
            report = print_warning if 'NoSuchEntity' in str(e) else print_exception
            report(f'Failed to get role from managed policies: {e}')
            return None

    async def get_env_variables(self, function_name, region):
        """
        Return the environment variables configured on a function.

        :return: the ``Environment.Variables`` mapping when present; otherwise an empty list
                 (also on failure)
        """
        # NOTE(review): environment variables frequently carry secrets. Whatever stores or
        # renders this return value should be handled as sensitive; verify against the callers.
        lambda_client = AWSFacadeUtils.get_client('lambda', self.session, region)
        try:
            configuration = lambda_client.get_function_configuration(FunctionName=function_name)
            if "Environment" in configuration and "Variables" in configuration["Environment"]:
                return configuration["Environment"]["Variables"]
        except Exception as e:
            report = print_warning if 'ResourceNotFoundException' in str(e) else print_exception
            report('Failed to get Lambda function configuration: {}'.format(e))
        return []



================================================
FILE: ScoutSuite/providers/aws/facade/base.py
================================================
from boto3.session import Session

from ScoutSuite.providers.aws.facade.acm import AcmFacade
from ScoutSuite.providers.aws.facade.awslambda import LambdaFacade
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.cloudformation import CloudFormation
from ScoutSuite.providers.aws.facade.cloudtrail import CloudTrailFacade
from ScoutSuite.providers.aws.facade.cloudwatch import CloudWatch
from ScoutSuite.providers.aws.facade.cloudfront import CloudFront
from ScoutSuite.providers.aws.facade.codebuild import CodeBuild
from ScoutSuite.providers.aws.facade.config import ConfigFacade
from ScoutSuite.providers.aws.facade.directconnect import DirectConnectFacade
from ScoutSuite.providers.aws.facade.dynamodb import DynamoDBFacade
from ScoutSuite.providers.aws.facade.ec2 import EC2Facade
from ScoutSuite.providers.aws.facade.efs import EFSFacade
from ScoutSuite.providers.aws.facade.elasticache import ElastiCacheFacade
from ScoutSuite.providers.aws.facade.elb import ELBFacade
from ScoutSuite.providers.aws.facade.elbv2 import ELBv2Facade
from ScoutSuite.providers.aws.facade.emr import EMRFacade
from ScoutSuite.providers.aws.facade.iam import IAMFacade
from ScoutSuite.providers.aws.facade.kms import KMSFacade
from ScoutSuite.providers.aws.facade.rds import RDSFacade
from ScoutSuite.providers.aws.facade.redshift import RedshiftFacade
from ScoutSuite.providers.aws.facade.route53 import Route53Facade
from ScoutSuite.providers.aws.facade.s3 import S3Facade
from ScoutSuite.providers.aws.facade.ses import SESFacade
from ScoutSuite.providers.aws.facade.sns import SNSFacade
from ScoutSuite.providers.aws.facade.sqs import SQSFacade
from ScoutSuite.providers.aws.facade.secretsmanager import SecretsManagerFacade
from ScoutSuite.providers.aws.utils import get_aws_account_id, get_partition_name
from ScoutSuite.providers.utils import run_concurrently

from ScoutSuite.core.conditions import print_error

# Try to import proprietary facades
# Each *_private module is optional. When an import fails the facade name stays undefined,
# and AWSFacade._instantiate_facades skips that facade by catching NameError.
# NOTE(review): ImportError is also raised when a private module is present but one of its own
# imports fails. That case is silenced here as well, so the service drops out of the scan
# without any message; consider reporting which facades were skipped.
try:
    from ScoutSuite.providers.aws.facade.cognito_private import CognitoFacade
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.facade.docdb_private import DocDBFacade
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.facade.ecs_private import ECSFacade
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.facade.ecr_private import ECRFacade
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.facade.eks_private import EKSFacade
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.facade.guardduty_private import GuardDutyFacade
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.facade.ssm_private import SSMFacade
except ImportError:
    pass


class AWSFacade(AWSBaseFacade):
    """
    Entry point to the per-service AWS facades, all of them built on one session.
    """

    def __init__(self, credentials=None):
        """
        Resolve the account id and partition from ``credentials.session``, keep the session
        and create the service facades.

        :param credentials: object exposing a ``session`` attribute
        """
        # NOTE(review): the None default cannot work as written, because ``credentials.session``
        # is read unconditionally below.
        super().__init__()
        self.owner_id = get_aws_account_id(credentials.session)
        self.partition = get_partition_name(credentials.session)
        self.session = credentials.session
        self._instantiate_facades()

    async def build_region_list(self, service: str, chosen_regions=None, excluded_regions=None, partition_name='aws'):
        """
        Return the regions to scan for *service*.

        The candidate list comes from ``Session.get_available_regions`` and is then narrowed:
        only regions in *chosen_regions* are kept (when given), regions in *excluded_regions*
        are dropped, and so are regions that EC2 reports as not opted in.

        Each lookup is tried with ``us-east-1`` first, then with the session's own region,
        then with each entry of *chosen_regions* until one succeeds.

        :param service: service name; ``"cognito"`` stands for cognito-idp plus cognito-identity
        :param chosen_regions: optional collection of regions to keep
        :param excluded_regions: optional collection of regions to drop
        :param partition_name: partition passed to ``get_available_regions``
        :return: list of region names
        :raises Exception: when the service is not reported as available, or when every
                           fallback of a lookup failed
        """

        available_services = None
        try:
            available_services = await run_concurrently(
                lambda: Session(region_name='us-east-1').get_available_services())
        except Exception as e:
            # see https://github.com/nccgroup/ScoutSuite/issues/548
            # If failed with the us-east-1 region, we'll try to use the region from the profile
            try:
                available_services = await run_concurrently(
                    lambda: Session(region_name=self.session.region_name).get_available_services())
            except Exception as e:
                # see https://github.com/nccgroup/ScoutSuite/issues/685
                # If above failed, and regions were explicitly specified, will try with those until one works
                if chosen_regions:
                    for region in chosen_regions:
                        try:
                            available_services = await run_concurrently(
                                lambda: Session(region_name=region).get_available_services())
                            break
                        except Exception as e:
                            exception = e
                    # NOTE(review): ``exception`` is bound only when an attempt in the loop raised.
                    # An attempt that succeeds with an empty result would reach the raise below
                    # with the name unbound; confirm that this cannot happen.
                    if not available_services:
                        raise exception
                else:
                    raise e

        if service not in available_services:
            # the cognito service is a composition of two boto3 services
            if service == "cognito":
                if "cognito-idp" not in available_services:
                    raise Exception('Service cognito-idp is not available.')
                elif "cognito-identity" not in available_services:
                    raise Exception('Service cognito-identity is not available.')
            else:
                raise Exception('Service ' + service + ' is not available.')

        regions = None
        try:
            # the cognito service is a composition of two boto3 services
            if service != "cognito":
                regions = await run_concurrently(
                    lambda: Session(region_name='us-east-1').get_available_regions(service,
                                                                                   partition_name))
            else:
                idp_regions = await run_concurrently(
                    lambda: Session(region_name='us-east-1').get_available_regions("cognito-idp",
                                                                                   partition_name))
                identity_regions = await run_concurrently(
                    lambda: Session(region_name='us-east-1').get_available_regions("cognito-identity",
                                                                                   partition_name))
                # Only regions offered by both cognito services are kept.
                regions = [value for value in idp_regions if value in identity_regions]
        except Exception as e:
            # see https://github.com/nccgroup/ScoutSuite/issues/548
            # If failed with the us-east-1 region, we'll try to use the region from the profile
            try:
                # the cognito service is a composition of two boto3 services
                if service != "cognito":
                    regions = await run_concurrently(
                        lambda: Session(region_name=self.session.region_name).get_available_regions(service,
                                                                                                    partition_name))
                else:
                    idp_regions = await run_concurrently(
                        lambda: Session(region_name=self.session.region_name).get_available_regions("cognito-idp",
                                                                                                    partition_name))
                    identity_regions = await run_concurrently(
                        lambda: Session(region_name=self.session.region_name).get_available_regions("cognito-identity",
                                                                                                    partition_name))
                    regions = [value for value in idp_regions if value in identity_regions]
            except Exception as e:
                # see https://github.com/nccgroup/ScoutSuite/issues/685
                # If above failed, and regions were explicitly specified, will try with those until one works
                if chosen_regions:
                    for region in chosen_regions:
                        try:
                            # the cognito service is a composition of two boto3 services
                            if service != "cognito":
                                regions = await run_concurrently(
                                    lambda: Session(region_name=region).get_available_regions(service,
                                                                                              partition_name))
                            else:
                                idp_regions = await run_concurrently(
                                    lambda: Session(region_name=region).get_available_regions(
                                        "cognito-idp",
                                        partition_name))
                                identity_regions = await run_concurrently(
                                    lambda: Session(region_name=region).get_available_regions(
                                        "cognito-identity",
                                        partition_name))
                                regions = [value for value in idp_regions if value in identity_regions]
                            break
                        except Exception as e:
                            exception = e
                    # NOTE(review): same caveat as above, ``exception`` may be unbound when an
                    # attempt succeeded but returned no regions.
                    if not regions:
                        raise exception
                else:
                    raise e

        if not regions:
            # Could be an instance of https://github.com/boto/boto3/issues/1662
            if service == 'eks':  # TODO fix when the issue is resolved
                # Hard-coded fallback list; it is not refreshed from the API.
                regions = ['ap-east-1',
                           'ap-northeast-1',
                           'ap-northeast-2',
                           'ap-south-1',
                           'ap-southeast-1',
                           'ap-southeast-2',
                           'ca-central-1',
                           'eu-central-1',
                           'eu-north-1',
                           'eu-west-1',
                           'eu-west-2',
                           'eu-west-3',
                           'me-south-1',
                           'sa-east-1',
                           'us-east-1',
                           'us-east-2',
                           # 'us-west-1',
                           'us-west-2']
            else:
                # Only reported; execution continues with the empty region list.
                print_error('"get_available_regions" returned an empty array for service "{}", '
                            'something is wrong'.format(service))

        # identify regions that are not opted-in
        # NOTE(review): this EC2 call is made whatever *service* is, and if every fallback fails
        # the exception is re-raised, so the region list of a non-EC2 service also depends on it.
        # It is also invoked directly on the client, not through run_concurrently like the
        # Session lookups above, so presumably it blocks inside this coroutine while it runs.
        ec2_not_opted_in_regions = None
        try:
            ec2_not_opted_in_regions = self.session.client('ec2', 'us-east-1') \
                .describe_regions(AllRegions=True, Filters=[{'Name': 'opt-in-status', 'Values': ['not-opted-in']}])
        except Exception as e:
            # see https://github.com/nccgroup/ScoutSuite/issues/548
            # If failed with the us-east-1 region, we'll try to use the region from the profile
            try:
                ec2_not_opted_in_regions = \
                    self.session.client('ec2', self.session.region_name). \
                        describe_regions(AllRegions=True,
                                         Filters=[{'Name': 'opt-in-status',
                                                   'Values': ['not-opted-in']}])
            except Exception as e:
                # see https://github.com/nccgroup/ScoutSuite/issues/685
                # If above failed, and regions were explicitly specified, will try with those until
                # one works
                if chosen_regions:
                    for region in chosen_regions:
                        try:
                            ec2_not_opted_in_regions = self.session.client('ec2', region).describe_regions(
                                AllRegions=True,
                                Filters=[{'Name': 'opt-in-status',
                                          'Values': ['not-opted-in']}])
                            break
                        except Exception as e:
                            exception = e
                    if not ec2_not_opted_in_regions:
                        raise exception
                else:
                    raise e

        not_opted_in_regions = []
        if ec2_not_opted_in_regions['Regions']:
            for r in ec2_not_opted_in_regions['Regions']:
                not_opted_in_regions.append(r['RegionName'])

        # include specific regions
        if chosen_regions:
            regions = [r for r in regions if r in chosen_regions]
        # exclude specific regions
        if excluded_regions:
            regions = [r for r in regions if r not in excluded_regions]
        # exclude not opted in regions
        if not_opted_in_regions:
            regions = [r for r in regions if r not in not_opted_in_regions]

        return regions

    def _instantiate_facades(self):
        """
        Create one facade per service on the shared session.

        The proprietary facades are attached only when their class name is defined; a
        NameError means the optional import at the top of the module did not bind it, and
        the matching attribute is then simply absent from this object.
        """
        # EC2 is the only facade that also receives the account id.
        self.ec2 = EC2Facade(self.session, self.owner_id)
        self.acm = AcmFacade(self.session)
        self.awslambda = LambdaFacade(self.session)
        self.cloudformation = CloudFormation(self.session)
        self.cloudtrail = CloudTrailFacade(self.session)
        self.cloudwatch = CloudWatch(self.session)
        self.config = ConfigFacade(self.session)
        self.directconnect = DirectConnectFacade(self.session)
        self.dynamodb = DynamoDBFacade(self.session)
        self.efs = EFSFacade(self.session)
        self.elasticache = ElastiCacheFacade(self.session)
        self.route53 = Route53Facade(self.session)
        self.cloudfront = CloudFront(self.session)
        self.codebuild = CodeBuild(self.session)
        self.elb = ELBFacade(self.session)
        self.elbv2 = ELBv2Facade(self.session)
        self.iam = IAMFacade(self.session)
        self.kms = KMSFacade(self.session)
        self.rds = RDSFacade(self.session)
        self.redshift = RedshiftFacade(self.session)
        self.s3 = S3Facade(self.session)
        self.ses = SESFacade(self.session)
        self.sns = SNSFacade(self.session)
        self.sqs = SQSFacade(self.session)
        self.secretsmanager = SecretsManagerFacade(self.session)
        self.emr = EMRFacade(self.session)

        # Instantiate facades for proprietary services
        try:
            self.cognito = CognitoFacade(self.session)
        except NameError:
            pass
        try:
            self.docdb = DocDBFacade(self.session)
        except NameError:
            pass
        try:
            self.ecs = ECSFacade(self.session)
        except NameError:
            pass
        try:
            self.ecr = ECRFacade(self.session)
        except NameError:
            pass
        try:
            self.eks = EKSFacade(self.session)
        except NameError:
            pass
        try:
            self.guardduty = GuardDutyFacade(self.session)
        except NameError:
            pass
        try:
            self.ssm = SSMFacade(self.session)
        except NameError:
            pass


================================================
FILE: ScoutSuite/providers/aws/facade/basefacade.py
================================================
import boto3


class AWSBaseFacade:
    """Common base of the AWS facades: keeps the session they work with."""

    def __init__(self, session: boto3.session.Session = None):
        """
        :param session: session stored unchanged as ``self.session``; None when omitted
        """
        self.session = session


================================================
FILE: ScoutSuite/providers/aws/facade/cloudformation.py
================================================
import json

from ScoutSuite.core.console import print_exception, print_warning
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import get_and_set_concurrently
from ScoutSuite.providers.utils import run_concurrently


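class CloudFormation(AWSBaseFacade):
    """Facade over the CloudFormation API calls used to collect stacks and their details."""

    async def get_stacks(self, region: str):
        """
        List the stacks of a region and enrich each of them in place.

        Stacks whose status is DELETE_COMPLETE are dropped; the remaining ones get their
        description, template, stack policy and notification ARNs attached.

        :param region: name of the region to query
        :return: list of stack dictionaries, empty when the listing call fails
        """
        try:
            stacks = await AWSFacadeUtils.get_all_pages(
                'cloudformation', region, self.session, 'list_stacks', 'StackSummaries')
        except Exception as e:
            print_exception(f'Failed to get CloudFormation stack: {e}')
            stacks = []
        else:
            stacks = [stack for stack in stacks if not CloudFormation._is_stack_deleted(stack)]
            await get_and_set_concurrently(
                [self._get_and_set_description, self._get_and_set_template, self._get_and_set_policy, self._get_stack_notifications],
                stacks, region=region)
        finally:
            # A `return` inside `finally` replaces any exception still propagating, so an
            # error raised by the enrichment step is dropped silently and the caller gets
            # the list as it stands (possibly only partially enriched).
            return stacks

    async def _get_and_set_description(self, stack: {}, region: str):
        """
        Merge the first entry returned by describe_stacks into the stack dictionary.

        A failure whose message contains 'does not exist' is logged as a warning, any
        other failure as an exception; in both cases the stack is left unchanged.
        """
        client = AWSFacadeUtils.get_client('cloudformation', self.session, region)
        try:
            stack_description = await run_concurrently(
                lambda: client.describe_stacks(StackName=stack['StackName'])['Stacks'][0])
        except Exception as e:
            if 'does not exist' in str(e):
                print_warning(f'Failed to describe CloudFormation stack: {e}')
            else:
                print_exception(f'Failed to describe CloudFormation stack: {e}')
        else:
            stack.update(stack_description)

    async def _get_and_set_template(self, stack: {}, region: str):
        """
        Store the stack's template body under 'template', or None when it cannot be read.

        Errors whose message contains 'is not ready' are not logged.
        """
        client = AWSFacadeUtils.get_client('cloudformation', self.session, region)
        try:
            stack['template'] = await run_concurrently(
                lambda: client.get_template(StackName=stack['StackName'])['TemplateBody'])
        except Exception as e:
            if 'is not ready' not in str(e):
                print_exception(f'Failed to get CloudFormation template: {e}')
            # None means "could not be retrieved", not "stack has no template"
            stack['template'] = None

    async def _get_and_set_policy(self, stack: {}, region: str):
        """
        Store the parsed stack policy under 'policy' when the stack has one.

        The key is left unset both when no policy exists and when the call fails.
        """
        client = AWSFacadeUtils.get_client('cloudformation', self.session, region)
        try:
            stack_policy = await run_concurrently(
                lambda: client.get_stack_policy(StackName=stack['StackName']))
        except Exception as e:
            print_exception(f'Failed to get CloudFormation stack policy: {e}')
        else:
            if 'StackPolicyBody' in stack_policy:
                # Parsed outside the try block: a malformed body raises to the caller
                stack['policy'] = json.loads(stack_policy['StackPolicyBody'])

    async def _get_stack_notifications(self, stack: {}, region: str):
        """
        Copy the stack's notification ARNs into the stack dictionary when present.

        :param stack: stack dictionary, must contain 'StackName'
        :param region: name of the region the stack lives in
        """
        client = AWSFacadeUtils.get_client('cloudformation', self.session, region)
        try:
            stack_descriptions = await run_concurrently(
                lambda: client.describe_stacks(StackName=stack['StackName'])['Stacks'])
        except Exception as e:
            print_exception(f'Failed to describe CloudFormation stack: {e}')
        else:
            # 'Stacks' is a list of descriptions, so the key has to be looked up in the
            # description itself; testing membership on the list never matched.
            if stack_descriptions and 'NotificationARNs' in stack_descriptions[0]:
                stack['NotificationARNs'] = stack_descriptions[0]['NotificationARNs']

    @staticmethod
    def _is_stack_deleted(stack):
        """Return True when the stack's 'StackStatus' is 'DELETE_COMPLETE'."""
        return stack.get('StackStatus', None) == 'DELETE_COMPLETE'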


================================================
FILE: ScoutSuite/providers/aws/facade/cloudfront.py
================================================
import asyncio

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import run_concurrently

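class CloudFront(AWSBaseFacade):
    """Facade over the CloudFront API calls used to collect distributions."""

    async def get_distributions(self):
        """
        Return the CloudFront distributions visible to the session.

        The listing call is retried until a response carrying 'ResponseMetadata' is
        received, up to a fixed number of attempts.

        :return: list of distribution dictionaries, empty on failure
        """
        client = AWSFacadeUtils.get_client('cloudfront',self.session)
        max_attempts = 3
        response = None
        try:
            for _ in range(max_attempts):
                candidate = await run_concurrently(client.list_distributions)
                if 'ResponseMetadata' in candidate:
                    response = candidate
                    break
                await asyncio.sleep(0.1)  # Wait for 100ms before doing a new attempt.
        except Exception as e:
            print_exception('Failed to call aws cloudfront api: {}'.format(e))
            return []

        if response is None:
            # Report the number of attempts made; the countdown used before always
            # printed 0 here, and its `return` inside `finally` could hide exceptions.
            print_exception('Failed to call aws cloudfront api in {} attempts'.format(max_attempts))
            return []

        # NOTE(review): only this single response is read; if the listing is truncated
        # the remaining distributions are not fetched here - confirm pagination upstream.
        try:
            return response.get('DistributionList', {}).get('Items', [])
        except Exception as e:
            print_exception(f'Failed to get CloudFront distribution lists: {e}')
            return []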


================================================
FILE: ScoutSuite/providers/aws/facade/cloudtrail.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import get_and_set_concurrently
from ScoutSuite.providers.utils import run_concurrently


class CloudTrailFacade(AWSBaseFacade):
    """Facade over the CloudTrail API calls used to collect trails, their status and selectors."""

    async def get_trails(self, region):
        """
        Describe the trails of a region and enrich each one in place.

        :param region: name of the region to query
        :return: list of trail dictionaries, empty when describe_trails fails
        """
        client = AWSFacadeUtils.get_client('cloudtrail', self.session, region)
        try:
            trails = await run_concurrently(
                lambda: client.describe_trails()['trailList'])
        except Exception as e:
            print_exception(f'Failed to describe CloudTrail trail: {e}')
            trails = []
        else:
            await get_and_set_concurrently(
                [self._get_and_set_status, self._get_and_set_selectors], trails, region=region)
        finally:
            # A `return` inside `finally` replaces any exception still propagating, so a
            # failure of the enrichment step above is dropped without being logged.
            return trails

    async def _get_and_set_status(self, trail: {}, region: str):
        """
        Merge the result of get_trail_status into the trail dictionary.

        On failure the error is logged and the trail keeps only its describe_trails
        fields, so consumers cannot read its status from the dictionary.
        """
        client = AWSFacadeUtils.get_client('cloudtrail', self.session, region)
        try:
            trail_status = await run_concurrently(
                lambda: client.get_trail_status(Name=trail['TrailARN']))
            trail.update(trail_status)
        except Exception as e:
            print_exception(f'Failed to get CloudTrail trail status: {e}')

    async def _get_and_set_selectors(self, trail: {}, region: str):
        """
        Store the trail's event selectors under 'EventSelectors'.

        On failure the key is left unset, which is different from an empty selector list.
        """
        client = AWSFacadeUtils.get_client('cloudtrail', self.session, region)
        try:
            # this call will fail for organization trails stored in another account
            trail['EventSelectors'] = await run_concurrently(
                lambda: client.get_event_selectors(TrailName=trail['TrailARN']).get('EventSelectors', []))
        except Exception as e:
            print_exception(f'Failed to get CloudTrail event selectors: {e}')


================================================
FILE: ScoutSuite/providers/aws/facade/cloudwatch.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils


class CloudWatch(AWSBaseFacade):
    """Facade over the CloudWatch and CloudWatch Logs listing calls."""

    async def get_alarms(self, region):
        """Return every metric alarm of the region, or [] when the listing fails."""
        try:
            alarms = await AWSFacadeUtils.get_all_pages(
                'cloudwatch', region, self.session, 'describe_alarms', 'MetricAlarms')
        except Exception as err:
            print_exception(f'Failed to get CloudWatch alarms: {err}')
            return []
        return alarms

    async def get_metric_filters(self, region):
        """Return every metric filter of the region (via the 'logs' client), or [] on failure."""
        try:
            metric_filters = await AWSFacadeUtils.get_all_pages(
                'logs', region, self.session, 'describe_metric_filters', 'metricFilters')
        except Exception as err:
            print_exception('Failed to get CloudWatch metric filters: {}'.format(err))
            return []
        return metric_filters



================================================
FILE: ScoutSuite/providers/aws/facade/codebuild.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import run_concurrently, map_concurrently


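class CodeBuild(AWSBaseFacade):
    """Facade over the CodeBuild API calls used to collect build projects."""

    async def get_projects(self, region: str):
        """
        List the CodeBuild projects of a region and fetch the details of each one.

        :param region: name of the region to query
        :return: list of project detail dictionaries, empty when listing fails
        """
        codebuild_client = AWSFacadeUtils.get_client('codebuild', self.session, region)
        try:
            # NOTE(review): only the 'projects' key of one list_projects response is
            # read; confirm whether further pages need to be followed.
            projects = await run_concurrently(lambda: codebuild_client.list_projects()['projects'])
        except Exception as e:
            print_exception(f'Failed to get CodeBuild projects: {e}')
            return []
        else:
            if not projects:
                return []
            return await map_concurrently(self._get_project_details, projects, region=region)

    async def _get_project_details(self, project: str, region: str):
        """
        Fetch the details of one project through batch_get_projects.

        :param project: name of the project
        :param region: name of the region the project lives in
        :return: the response without its bookkeeping keys, or {} when the call fails
        """
        codebuild_client = AWSFacadeUtils.get_client('codebuild', self.session, region)
        try:
            project_details = await run_concurrently(lambda: codebuild_client.batch_get_projects(names=[project]))
        except Exception as e:
            print_exception(f'Failed to get CodeBuild project details: {e}')
            return {}
        else:
            # These pops run outside the try block; a default keeps a response that lacks
            # one of the keys from raising KeyError into the caller.
            project_details.pop('ResponseMetadata', None)
            project_details.pop('projectsNotFound', None)
            return project_details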


================================================
FILE: ScoutSuite/providers/aws/facade/config.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.utils import run_concurrently


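class ConfigFacade(AWSBaseFacade):
    """Facade over the AWS Config API calls used to collect rules and recorders."""

    async def get_rules(self, region):
        """Return every Config rule of the region, or [] when the listing fails."""
        try:
            return await AWSFacadeUtils.get_all_pages('config', region, self.session, 'describe_config_rules', 'ConfigRules')
        except Exception as e:
            # Message typo fixed ("ruless") so the log line can be searched for reliably
            print_exception(f'Failed to get Config rules: {e}')
            return []

    async def get_recorders(self, region: str):
        """
        Return the configuration recorders of a region with their status attached.

        Each recorder gets its status under 'ConfigurationRecordersStatus'. When the
        status call fails the recorders are returned without that key.

        :param region: name of the region to query
        :return: list of recorder dictionaries, empty when describing them fails
        """
        client = AWSFacadeUtils.get_client('config', self.session, region)

        try:
            recorders = (await run_concurrently(client.describe_configuration_recorders))['ConfigurationRecorders']
        except Exception as e:
            print_exception(f'Failed to get Config recorders: {e}')
            recorders = []

        try:
            recorder_statuses_list = \
                (await run_concurrently(client.describe_configuration_recorder_status))['ConfigurationRecordersStatus']
        except Exception as e:
            print_exception(f'Failed to get Config recorder statuses: {e}')
        else:
            # Index the statuses by recorder name once, so that each recorder is matched
            # with a dictionary lookup instead of a scan of the status list.
            recorder_statuses_map = {recorder['name']: recorder for recorder in recorder_statuses_list}
            for recorder in recorders:
                # NOTE(review): a recorder without a matching status raises KeyError
                # here, outside any try block - confirm the API always returns one.
                recorder['ConfigurationRecordersStatus'] = recorder_statuses_map[recorder['name']]

        return recorders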


================================================
FILE: ScoutSuite/providers/aws/facade/directconnect.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import run_concurrently


class DirectConnectFacade(AWSBaseFacade):
    """Facade over the Direct Connect API call used to collect connections."""

    async def get_connections(self, region):
        """Return the Direct Connect connections of the region, or [] when the call fails."""
        directconnect_client = AWSFacadeUtils.get_client('directconnect', self.session, region)

        def fetch_connections():
            return directconnect_client.describe_connections()['connections']

        try:
            connections = await run_concurrently(fetch_connections)
        except Exception as err:
            print_exception(f'Failed to describe Direct Connect connections: {err}')
            return []
        return connections


================================================
FILE: ScoutSuite/providers/aws/facade/dynamodb.py
================================================
from ScoutSuite.core.console import print_exception, print_warning
from ScoutSuite.providers.aws.facade.base import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently, map_concurrently


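class DynamoDBFacade(AWSBaseFacade):
    """Facade over the DynamoDB API calls used to collect tables, backups and tags."""

    _GET_TABLES_BATCH_SIZE = 100

    async def get_tables(self, region):
        """
        List the tables of a region and describe each of them.

        :param region: name of the region to query
        :return: list of table dictionaries; tables that could not be described are
                 left out, and the list is empty when the listing itself fails
        """
        try:
            tables_names = await AWSFacadeUtils.get_all_pages('dynamodb', region, self.session, 'list_tables',
                                                              'TableNames')
            tables = await map_concurrently(self._get_table, tables_names, region=region)
            # _get_table yields None for a table it could not describe
            return [table for table in tables if table is not None]
        except Exception as e:
            print_exception('Failed to get DynamoDB tables: {}'.format(e))
            return []

    async def _get_table(self, table_name: str, region: str):
        """
        Describe one table and attach its backups, continuous backups and tags.

        :param table_name: name of the table
        :param region: name of the region the table lives in
        :return: the table dictionary, or None when describe_table fails
        """
        client = AWSFacadeUtils.get_client('dynamodb', self.session, region)

        try:
            table = await run_concurrently(lambda: client.describe_table(TableName=table_name)['Table'])
        except Exception as e:
            if 'ResourceNotFoundException' in str(e):
                print_warning('Failed to get DynamoDB table: {}'.format(e))
            else:
                print_exception('Failed to get DynamoDB table: {}'.format(e))
            # `table` was never bound on this path; returning it raised
            # UnboundLocalError on top of the error that was just logged.
            return None

        await get_and_set_concurrently(
            [self._get_and_set_backup, self._get_and_set_continuous_backups, self._get_and_set_tags],
            [table],
            region=region)

        return table

    async def _get_and_set_backup(self, table: {}, region: str):
        """Store the table's backup summaries under 'BackupSummaries'; unset on failure."""
        client = AWSFacadeUtils.get_client('dynamodb', self.session, region)

        try:
            summaries = await run_concurrently(lambda: client.list_backups(TableName=table['TableName']))
            table['BackupSummaries'] = summaries.get('BackupSummaries')
        except Exception as e:
            if 'ResourceNotFoundException' in str(e):
                print_warning('Failed to list DynamoDB table backups: {}'.format(e))
            else:
                print_exception('Failed to list DynamoDB table backups: {}'.format(e))

    async def _get_and_set_continuous_backups(self, table: {}, region: str):
        """Store the continuous backup description under 'ContinuousBackups'; unset on failure."""
        client = AWSFacadeUtils.get_client('dynamodb', self.session, region)

        try:
            description = await run_concurrently(
                lambda: client.describe_continuous_backups(TableName=table['TableName']))
            table['ContinuousBackups'] = description.get('ContinuousBackupsDescription')
        except Exception as e:
            if 'ResourceNotFoundException' in str(e):
                print_warning('Failed to describe DynamoDB table continuous backups: {}'.format(e))
            else:
                print_exception('Failed to describe DynamoDB table continuous backups: {}'.format(e))

    async def _get_and_set_tags(self, table: {}, region: str):
        """Store the table's tags under 'tags'; unset on failure."""
        client = AWSFacadeUtils.get_client('dynamodb', self.session, region)

        try:
            tags = await run_concurrently(
                lambda: client.list_tags_of_resource(ResourceArn=table['TableArn']))
            table['tags'] = tags.get('Tags')
        except Exception as e:
            if 'ResourceNotFoundException' in str(e):
                print_warning('Failed to describe DynamoDB table tags: {}'.format(e))
            else:
                print_exception('Failed to describe DynamoDB table tags: {}'.format(e))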



================================================
FILE: ScoutSuite/providers/aws/facade/ec2.py
================================================
import asyncio
import base64
import boto3
import zlib

from ScoutSuite.core.console import print_exception, print_warning
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import get_and_set_concurrently
from ScoutSuite.providers.utils import run_concurrently


class EC2Facade(AWSBaseFacade):
    regional_flow_logs_cache_locks = {}
    flow_logs_cache = {}

    def __init__(self, session: boto3.session.Session, owner_id: str):
        """Keep the session (through the base class) and the owner id used in ownership filters."""
        super().__init__(session)
        self.owner_id = owner_id

    async def get_instance_user_data(self, region: str, instance_id: str):
        """
        Fetch and decode the user data of one instance.

        User data usually holds bootstrap scripts and can embed credentials, so the
        returned text should be handled as sensitive.

        :param region: name of the region the instance lives in
        :param instance_id: id of the instance
        :return: decoded user data, or None when it is absent, cannot be fetched or
                 cannot be decoded
        """
        ec2_client = AWSFacadeUtils.get_client('ec2', self.session, region)
        try:
            attribute = await run_concurrently(
                lambda: ec2_client.describe_instance_attribute(Attribute='userData', InstanceId=instance_id))
        except Exception as err:
            print_exception(
                f'Failed to describe EC2 instance attributes: {err}')
            return None

        encoded_user_data = attribute['UserData']
        if 'Value' not in encoded_user_data.keys():
            return None

        try:
            return await self._decode_user_data(encoded_user_data['Value'])
        except Exception as err:
            print_exception(f'Unable to decode EC2 instance user data: {err}')
            return None

    async def _decode_user_data(self, user_data):
        try:
            value = base64.b64decode(user_data)
        except base64.binascii.Error as e:
            value = base64.b64decode(f'{user_data}===')
        if value[0:2] == b'\x1f\x8b':  # GZIP magic number
            return zlib.decompress(value, zlib.MAX_WBITS | 32).decode('utf-8')
        else:
            # Try another run of b64 decoding
            try:
                value = base64.b64decode(value)
            except Exception as e:
                value = value
            # Return a string, not a byte string
            try:
                return value.decode('utf-8')
            except UnicodeDecodeError:
                return value.decode('latin-1')

    async def get_instances(self, region: str, vpc: str):
        """
        Return the instances of a VPC, flattened out of their reservations.

        Each instance is tagged with the 'ReservationId' and 'OwnerId' of the
        reservation it came from.

        :param region: name of the region to query
        :param vpc: id of the VPC used as filter
        :return: list of instance dictionaries, empty on failure
        """
        vpc_filter = {'Name': 'vpc-id', 'Values': [vpc]}
        try:
            reservations = await AWSFacadeUtils.get_all_pages(
                'ec2', region, self.session, 'describe_instances', 'Reservations', Filters=[vpc_filter])

            flattened = []
            for reservation in reservations:
                for instance in reservation['Instances']:
                    instance.update(ReservationId=reservation['ReservationId'],
                                    OwnerId=reservation['OwnerId'])
                    flattened.append(instance)
        except Exception as err:
            print_exception(f'Failed to describe EC2 instances: {err}')
            return []
        return flattened

    async def get_security_groups(self, region: str, vpc: str):
        """Return the security groups of the VPC, or [] when the listing fails."""
        vpc_filter = {'Name': 'vpc-id', 'Values': [vpc]}
        try:
            security_groups = await AWSFacadeUtils.get_all_pages(
                'ec2', region, self.session, 'describe_security_groups', 'SecurityGroups',
                Filters=[vpc_filter])
        except Exception as err:
            print_exception(f'Failed to describe EC2 security groups: {err}')
            return []
        return security_groups

    async def get_vpcs(self, region: str):
        """Return the 'Vpcs' entry of one describe_vpcs call, or [] when it fails."""
        client = AWSFacadeUtils.get_client('ec2', self.session, region)

        def fetch_vpcs():
            return client.describe_vpcs()['Vpcs']

        try:
            vpcs = await run_concurrently(fetch_vpcs)
        except Exception as err:
            print_exception(f'Failed to describe EC2 VPC: {err}')
            return []
        return vpcs

    async def get_images(self, region: str):
        """Return the images owned by `self.owner_id` in the region, or [] on failure."""
        owner_filter = {'Name': 'owner-id', 'Values': [self.owner_id]}
        ec2_client = AWSFacadeUtils.get_client('ec2', self.session, region)

        def fetch_images():
            return ec2_client.describe_images(Filters=[owner_filter])['Images']

        try:
            images = await run_concurrently(fetch_images)
        except Exception as err:
            print_exception(f'Failed to get EC2 images: {err}')
            return []
        return images

    async def get_network_interfaces(self, region: str, vpc: str):
        """Return the network interfaces of the VPC, or [] when the listing fails."""
        vpc_filter = {'Name': 'vpc-id', 'Values': [vpc]}
        try:
            interfaces = await AWSFacadeUtils.get_all_pages(
                'ec2', region, self.session, 'describe_network_interfaces', 'NetworkInterfaces',
                Filters=[vpc_filter])
        except Exception as err:
            print_exception(f'Failed to get EC2 network interfaces: {err}')
            return []
        return interfaces

    async def get_volumes(self, region: str):
        """
        Return the volumes of the region, each tagged with the manager of its KMS key.

        :return: list of volume dictionaries; [] when listing or enrichment raises
        """
        try:
            volume_list = await AWSFacadeUtils.get_all_pages(
                'ec2', region, self.session, 'describe_volumes', 'Volumes')
            await get_and_set_concurrently([self._get_and_set_key_manager], volume_list, region=region)
        except Exception as err:
            print_exception(f'Failed to get EC2 volumes: {err}')
            return []
        return volume_list

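    async def _get_and_set_key_manager(self, volume: {}, region: str):
        """
        Store under 'KeyManager' who manages the KMS key of the volume.

        The value is None both when the volume has no 'KmsKeyId' and when the key could
        not be described, so None alone does not tell the two cases apart.

        :param volume: volume dictionary, updated in place
        :param region: name of the region the volume lives in
        """
        kms_client = AWSFacadeUtils.get_client('kms', self.session, region)
        if 'KmsKeyId' in volume:
            key_id = volume['KmsKeyId']
            try:
                volume['KeyManager'] = await run_concurrently(
                    lambda: kms_client.describe_key(KeyId=key_id)['KeyMetadata']['KeyManager'])
            except Exception as e:
                # Match on the message text: `in` applied to the exception object raised
                # TypeError inside this handler, so nothing was logged and the
                # fallback assignment below was never reached.
                if 'NotFoundException' in str(e):
                    print_warning(f'Failed to describe KMS key: {e}')
                else:
                    print_exception(f'Failed to describe KMS key: {e}')
                volume['KeyManager'] = None
        else:
            volume['KeyManager'] = None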

    async def get_snapshots(self, region: str):
        """
        Return the snapshots owned by `self.owner_id`, with their volume permissions attached.

        :param region: name of the region to query
        :return: list of snapshot dictionaries, empty when the listing fails
        """
        filters = [{'Name': 'owner-id', 'Values': [self.owner_id]}]

        try:
            snapshots = await AWSFacadeUtils.get_all_pages(
                'ec2', region, self.session, 'describe_snapshots', 'Snapshots', Filters=filters)
        except Exception as e:
            print_exception(f'Failed to get snapshots: {e}')
            snapshots = []
        else:
            await get_and_set_concurrently([self._get_and_set_snapshot_attributes], snapshots, region=region)
        finally:
            # A `return` inside `finally` replaces any exception still propagating, so a
            # failure while attaching the permissions is dropped without being logged and
            # snapshots may come back without 'CreateVolumePermissions'.
            return snapshots

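    async def _get_and_set_snapshot_attributes(self, snapshot: {}, region: str):
        """
        Store the snapshot's createVolumePermission entries under 'CreateVolumePermissions'.

        On failure the key is left unset; a missing key therefore means "unknown", not
        "not shared with anyone".

        :param snapshot: snapshot dictionary, updated in place
        :param region: name of the region the snapshot lives in
        """
        ec2_client = AWSFacadeUtils.get_client('ec2', self.session, region)
        try:
            snapshot['CreateVolumePermissions'] = await run_concurrently(lambda: ec2_client.describe_snapshot_attribute(
                Attribute='createVolumePermission',
                SnapshotId=snapshot['SnapshotId'])['CreateVolumePermissions'])
        except Exception as e:
            # Match on the message text: `in` applied to the exception object raised
            # TypeError inside this handler instead of logging the failure.
            if 'NotFound' in str(e):
                print_warning(f'Failed to describe EC2 snapshot attributes: {e}')
            else:
                print_exception(f'Failed to describe EC2 snapshot attributes: {e}')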

    async def get_network_acls(self, region: str, vpc: str):
        """Return the network ACLs of the VPC, or [] when the listing fails."""
        vpc_filter = {'Name': 'vpc-id', 'Values': [vpc]}
        try:
            network_acls = await AWSFacadeUtils.get_all_pages(
                'ec2', region, self.session, 'describe_network_acls', 'NetworkAcls',
                Filters=[vpc_filter])
        except Exception as err:
            print_exception(f'Failed to get EC2 network ACLs: {err}')
            return []
        return network_acls

    async def get_flow_logs(self, region: str):
        """Return the cached flow logs of the region, filling the cache first; [] on failure."""
        try:
            await self.cache_flow_logs(region)
            regional_flow_logs = self.flow_logs_cache[region]
        except Exception as err:
            print_exception(f'Failed to get EC2 flow logs: {err}')
            return []
        return regional_flow_logs

    async def cache_flow_logs(self, region: str):
        """
        Fetch the flow logs of a region once and keep them in `flow_logs_cache`.

        A per-region lock keeps concurrent callers from fetching the same region twice.
        Both the cache and the locks are class attributes keyed by region only.
        NOTE(review): they are therefore shared by every EC2Facade in the process,
        whatever session it holds - confirm a process never scans more than one account.
        """
        region_lock = self.regional_flow_logs_cache_locks.setdefault(region, asyncio.Lock())
        async with region_lock:
            if region not in self.flow_logs_cache:
                self.flow_logs_cache[region] = await AWSFacadeUtils.get_all_pages(
                    'ec2', region, self.session, 'describe_flow_logs', 'FlowLogs')

    async def get_subnets(self, region: str, vpc: str):
        """
        Return the subnets of a VPC, each with its matching flow logs attached.

        :return: list of subnet dictionaries, or None (not an empty list) when
                 describe_subnets fails
        """
        client = AWSFacadeUtils.get_client('ec2', self.session, region)
        vpc_filter = {'Name': 'vpc-id', 'Values': [vpc]}

        def fetch_subnets():
            return client.describe_subnets(Filters=[vpc_filter])['Subnets']

        try:
            subnet_list = await run_concurrently(fetch_subnets)
        except Exception as err:
            print_exception(f'Failed to describe EC2 subnets: {err}')
            return None

        await get_and_set_concurrently([self._get_and_set_subnet_flow_logs], subnet_list, region=region)
        return subnet_list

    async def _get_and_set_subnet_flow_logs(self, subnet: {}, region: str):
        await self.cache_flow_logs(region)
        subnet['flow_logs'] = \
            [flow_log for flow_log in self.flow_logs_cache[region]
             if flow_log['ResourceId'] == subnet['SubnetId'] or flow_log['ResourceId'] == subnet['VpcId']]

    async def get_peering_connections(self, region):
        """Return the VPC peering connections of the region, or [] when the listing fails."""
        try:
            connections = await AWSFacadeUtils.get_all_pages(
                'ec2', region, self.session, 'describe_vpc_peering_connections', 'VpcPeeringConnections')
        except Exception as err:
            print_exception(f'Failed to get peering connections: {err}')
            return []
        return connections

    async def get_route_tables(self, region):
        """Return the route tables of the region, or [] when the listing fails."""
        try:
            tables = await AWSFacadeUtils.get_all_pages(
                'ec2', region, self.session, 'describe_route_tables', 'RouteTables')
        except Exception as err:
            print_exception('Failed to get route tables: {}'.format(err))
            return []
        return tables

    async def get_ebs_encryption(self, region):
        """
        Return the response of get_ebs_encryption_by_default for the region.

        :return: the raw response, or None when the call fails; None means "unknown",
                 not "encryption by default is off"
        """
        client = AWSFacadeUtils.get_client('ec2', self.session, region)
        try:
            return await run_concurrently(lambda: client.get_ebs_encryption_by_default())
        except Exception as err:
            print_exception(f'Failed to retrieve EBS encryption settings: {err}')
            return None

    async def get_ebs_default_encryption_key(self, region):
        """
        Return the response of get_ebs_default_kms_key_id for the region.

        :return: the raw response, or None when the call fails
        """
        client = AWSFacadeUtils.get_client('ec2', self.session, region)
        try:
            return await run_concurrently(lambda: client.get_ebs_default_kms_key_id())
        except Exception as err:
            print_exception(f'Failed to retrieve EBS encryption key ID: {err}')
            return None


================================================
FILE: ScoutSuite/providers/aws/facade/efs.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently


class EFSFacade(AWSBaseFacade):
    """Facade over the EFS API calls used to collect file systems and their mount targets."""

    async def get_file_systems(self, region: str):
        """
        Return the file systems of a region with tags and mount targets attached.

        :param region: name of the region to query
        :return: list of file system dictionaries, empty when the listing fails
        """

        try:
            file_systems = await AWSFacadeUtils.get_all_pages(
                'efs', region, self.session, 'describe_file_systems', 'FileSystems')
        except Exception as e:
            print_exception(f'Failed to get EFS file systems: {e}')
            file_systems = []
        else:
            await get_and_set_concurrently(
                [self._get_and_set_tags, self._get_and_set_mount_targets], file_systems, region=region)
        finally:
            # A `return` inside `finally` replaces any exception still propagating, so a
            # failure of the enrichment step above is dropped without being logged.
            return file_systems

    async def _get_and_set_tags(self, file_system: {}, region: str):
        """Store the file system's tags under 'Tags'; the key is left as is on failure."""
        client = AWSFacadeUtils.get_client('efs', self.session, region)
        try:
            file_system['Tags'] = await run_concurrently(
                lambda: client.describe_tags(FileSystemId=file_system['FileSystemId'])['Tags'])
        except Exception as e:
            print_exception(f'Failed to describe EFS tags: {e}')

    async def _get_and_set_mount_targets(self, file_system: {}, region: str):
        """
        Store the mount targets under 'MountTargets', keyed by mount target id.

        Each mount target also gets its security groups attached. When the listing
        fails, 'MountTargets' stays an empty dict, the same value as "no mount targets".
        """

        try:
            # Set first so that the key exists even when the listing below fails
            file_system['MountTargets'] = {}
            mount_targets = await AWSFacadeUtils.get_all_pages(
                'efs', region, self.session, 'describe_mount_targets', 'MountTargets',
                FileSystemId=file_system['FileSystemId'])
        except Exception as e:
            print_exception(f'Failed to get and set EFS mount targets: {e}')
        else:
            if len(mount_targets) == 0:
                return

            for mount_target in mount_targets:
                mount_target_id = mount_target['MountTargetId']
                file_system['MountTargets'][mount_target_id] = mount_target

            # The dictionaries stored above are the same objects enriched here
            await get_and_set_concurrently(
                [self._get_and_set_mount_target_security_groups], mount_targets, region=region)

    async def _get_and_set_mount_target_security_groups(self, mount_target: {}, region: str):
        """
        Store the mount target's security groups under 'SecurityGroups'.

        On failure the key is left unset, which is different from an empty list.
        """
        client = AWSFacadeUtils.get_client('efs', self.session, region)
        try:
            mount_target['SecurityGroups'] = \
                await run_concurrently(lambda: client.describe_mount_target_security_groups(
                    MountTargetId=mount_target['MountTargetId'])['SecurityGroups'])
        except Exception as e:
            print_exception(f'Failed to describe EFS mount target security groups: {e}')


================================================
FILE: ScoutSuite/providers/aws/facade/elasticache.py
================================================
from asyncio import Lock

from botocore.exceptions import ClientError

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.aws.utils import ec2_classic
from ScoutSuite.providers.utils import get_and_set_concurrently


class ElastiCacheFacade(AWSBaseFacade):
    regional_clusters_cache_locks = {}
    regional_subnets_cache_locks = {}
    clusters_cache = {}
    subnets_cache = {}

    async def get_clusters(self, region, vpc):
        await self.cache_clusters(region)
        return [cluster for cluster in self.clusters_cache[region] if cluster['VpcId'] == vpc]

    async def cache_clusters(self, region):
        async with self.regional_clusters_cache_locks.setdefault(region, Lock()):
            if region in self.clusters_cache:
                return

            self.clusters_cache[region] = await AWSFacadeUtils.get_all_pages(
                'elasticache', region, self.session, 'describe_cache_clusters', 'CacheClusters')

            await get_and_set_concurrently(
                [self._get_and_set_cluster_vpc], self.clusters_cache[region], region=region)

    async def _get_and_set_cluster_vpc(self, cluster: {}, region: str):
        if 'CacheSubnetGroupName' not in cluster:
            cluster['VpcId'] = ec2_classic
        else:
            subnets = await AWSFacadeUtils.get_all_pages(
                'elasticache', region, self.session, 'describe_cache_subnet_groups', 'CacheSubnetGroups',
                CacheSubnetGroupName=cluster['CacheSubnetGroupName'])
            subnet_group = subnets[0]
            cluster['VpcId'] = subnet_group['VpcId']

    async def get_security_groups(self, region):
        client = AWSFacadeUtils.get_client('elasticache', self.session, region)

        try:
            return await AWSFacadeUtils.get_all_pages(
                'elasticache', region, self.session, 'describe_cache_security_groups', 'CacheSecurityGroups')
        except client.exceptions.InvalidParameterValueException:
            # Recent account are not allowed to use security groups at this level. Calling
            # describe_cache_security_groups will throw an InvalidParameterValueException exception.
            pass
        except Exception as e:
            print_exception(f'Failed to get ElastiCache security groups: {e}')

        return []

    async def get_subnet_groups(self, region, vpc):
        """
        Return the cached cache subnet groups of a region that belong to one VPC.

        :param region: Key into the per-region subnet-group cache.
        :param vpc: Value compared against each subnet group's 'VpcId' entry.
        :return: List of subnet-group dicts whose 'VpcId' equals ``vpc``.
        """
        await self.cache_subnets(region)
        selected = []
        for group in self.subnets_cache[region]:
            if group['VpcId'] == vpc:
                selected.append(group)
        return selected

    async def cache_subnets(self, region):
        """
        Fill the subnet-group cache for a region once, under a per-region lock.

        :param region: Region to fetch and cache cache-subnet groups for.
        """
        region_lock = self.regional_subnets_cache_locks.setdefault(region, Lock())
        async with region_lock:
            if region not in self.subnets_cache:
                self.subnets_cache[region] = await AWSFacadeUtils.get_all_pages(
                    'elasticache', region, self.session, 'describe_cache_subnet_groups', 'CacheSubnetGroups')

    async def get_parameter_groups(self, region):
        """
        Return the ElastiCache cache parameter groups of a region.

        A ClientError always produces an empty list; it is reported through
        print_exception unless its error code is 'InvalidParameterValue'.
        Exceptions that are not ClientError are not caught here.

        :param region: Region to query.
        :return: List of cache parameter groups, or [] after a ClientError.
        """
        # If EC2-Classic isn't available (e.g., a new account)
        # this method will fail with:
        #   Code:    "InvalidParameterValue"
        #   Message: "Use of cache security groups is not permitted in
        #             this API version for your account."
        #   Type:    "Sender"
        try:
            parameter_groups = await AWSFacadeUtils.get_all_pages(
                'elasticache', region, self.session, 'describe_cache_parameter_groups', 'CacheParameterGroups')
        except ClientError as e:
            error_code = e.response['Error']['Code']
            if error_code != 'InvalidParameterValue':
                print_exception(f'Failed to describe cache parameter groups: {e}')
            return []
        else:
            return parameter_groups


================================================
FILE: ScoutSuite/providers/aws/facade/elb.py
================================================
import asyncio

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.aws.utils import ec2_classic
from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently, map_concurrently
from ScoutSuite.providers.utils import get_non_provider_id


class ELBFacade(AWSBaseFacade):
    """
    Facade over the classic Elastic Load Balancing ('elb') API.

    Load balancers are fetched once per region, cached, and enriched in place with
    a normalised 'VpcId' key, their attributes and their tags. Most methods report
    failures through print_exception and return an empty result, so an empty list
    can mean either "nothing found" or "the call failed".
    """

    # Defined on the class: these containers are shared by every instance.
    regional_load_balancers_cache_locks = {}
    load_balancers_cache = {}
    # Ids of policies already handed out by get_policies (not keyed by region).
    policies_cache = set()

    async def get_load_balancers(self, region: str, vpc: str):
        """
        Return the cached load balancers of a region whose 'VpcId' equals ``vpc``.

        :param region: Region to look up.
        :param vpc: VPC id, or the ec2_classic marker for load balancers without one.
        :return: List of load-balancer dicts, or [] if anything raised.
        """
        try:
            await self.cache_load_balancers(region)
            in_vpc = []
            for candidate in self.load_balancers_cache[region]:
                if candidate['VpcId'] == vpc:
                    in_vpc.append(candidate)
            return in_vpc
        except Exception as e:
            print_exception(f'Failed to get ELB load balancers: {e}')
            return []

    async def cache_load_balancers(self, region):
        """
        Fetch, normalise and enrich the load balancers of a region exactly once.

        :param region: Region to fetch and cache load balancers for.
        """
        region_lock = self.regional_load_balancers_cache_locks.setdefault(region, asyncio.Lock())
        async with region_lock:
            if region in self.load_balancers_cache:
                return

            self.load_balancers_cache[region] = await AWSFacadeUtils.get_all_pages(
                'elb', region, self.session, 'describe_load_balancers', 'LoadBalancerDescriptions')

            # This API spells the key 'VPCId'; store it as 'VpcId' and fall back to
            # the ec2_classic marker when it is missing or empty.
            for load_balancer in self.load_balancers_cache[region]:
                load_balancer['VpcId'] = load_balancer.get('VPCId') or ec2_classic

            # Attributes first, then tags, as two separate passes.
            for enrich in (self._get_and_set_load_balancer_attributes, self._get_and_set_load_balancer_tags):
                await get_and_set_concurrently([enrich], self.load_balancers_cache[region], region=region)

    async def _get_and_set_load_balancer_attributes(self, load_balancer: {}, region: str):
        """
        Store the load balancer's attributes under load_balancer['attributes'].

        On failure the key is left unset and the error is reported.
        """
        elb_client = AWSFacadeUtils.get_client('elb', self.session, region)

        def fetch_attributes():
            response = elb_client.describe_load_balancer_attributes(
                LoadBalancerName=load_balancer['LoadBalancerName'])
            return response['LoadBalancerAttributes']

        try:
            load_balancer['attributes'] = await run_concurrently(fetch_attributes)
        except Exception as e:
            print_exception(f'Failed to describe ELB load balancer attributes: {e}')

    async def _get_and_set_load_balancer_tags(self, load_balancer: {}, region: str):
        """
        Store the load balancer's tags under load_balancer['Tags'].

        On failure the key is left unset and the error is reported.
        """
        elb_client = AWSFacadeUtils.get_client('elb', self.session, region)

        def fetch_tags():
            response = elb_client.describe_tags(LoadBalancerNames=[load_balancer['LoadBalancerName']])
            # One name was requested, so only the first description is read.
            return response['TagDescriptions'][0]['Tags']

        try:
            load_balancer['Tags'] = await run_concurrently(fetch_tags)
        except Exception as e:
            print_exception(f'Failed to describe ELB load balancer tags: {e}')

    async def get_policies(self, region: str):
        """
        Return the descriptions of the listener policies used in a region.

        Every load balancer gets a fresh 'policy_names' list holding the policy
        names whose id is not yet in policies_cache; those names are then resolved
        per load balancer and the results concatenated.

        :param region: Region whose load balancers are inspected.
        :return: Flat list of policy descriptions, or [] if anything raised.
        """
        try:
            await self.cache_load_balancers(region)
            for load_balancer in self.load_balancers_cache[region]:
                pending_names = []
                load_balancer['policy_names'] = pending_names
                for listener_description in load_balancer['ListenerDescriptions']:
                    for policy_name in listener_description['PolicyNames']:
                        policy_id = get_non_provider_id(policy_name)
                        if policy_id in self.policies_cache:
                            continue
                        pending_names.append(policy_name)
                        self.policies_cache.add(policy_id)

            policies = await map_concurrently(self._get_policies, self.load_balancers_cache[region], region=region)
            # _get_policies returns one list per load balancer, so flatten the result.
            flattened = []
            for nested_policy in policies:
                for policy in nested_policy:
                    flattened.append(policy)
            return flattened
        except Exception as e:
            print_exception(f'Failed to describe ELB policies: {e}')
            return []

    async def _get_policies(self, load_balancer: dict, region: str):
        """
        Describe the policies named in load_balancer['policy_names'].

        :return: List of policy descriptions; [] when there is nothing to look up
                 or the call failed.
        """
        if len(load_balancer['policy_names']) == 0:
            return []

        elb_client = AWSFacadeUtils.get_client('elb', self.session, region)

        def fetch_policies():
            response = elb_client.describe_load_balancer_policies(
                LoadBalancerName=load_balancer['LoadBalancerName'],
                PolicyNames=load_balancer['policy_names'])
            return response['PolicyDescriptions']

        try:
            return await run_concurrently(fetch_policies)
        except Exception as e:
            print_exception(f'Failed to retrieve load balancer policies: {e}')
            return []


================================================
FILE: ScoutSuite/providers/aws/facade/elbv2.py
================================================
import asyncio

from ScoutSuite.core.console import print_exception, print_warning
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.aws.utils import ec2_classic
from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently


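class ELBv2Facade(AWSBaseFacade):
    """
    Facade over the Elastic Load Balancing v2 ('elbv2') API.

    Load balancers are fetched once per region, cached, and enriched in place with
    a normalised 'VpcId' key, their attributes and their tags. Failures in the
    cached lookups are reported and turned into empty results, so an empty list
    can mean either "nothing found" or "the call failed".
    """

    # Defined on the class: these containers are shared by every instance.
    regional_load_balancers_cache_locks = {}
    load_balancers_cache = {}

    async def get_load_balancers(self, region: str, vpc: str):
        """
        Return the cached load balancers of a region whose 'VpcId' equals ``vpc``.

        :param region: Region to look up.
        :param vpc: VPC id, or the ec2_classic marker for load balancers without one.
        :return: List of load-balancer dicts, or [] if anything raised.
        """
        try:
            await self.cache_load_balancers(region)
            return [load_balancer for load_balancer in self.load_balancers_cache[region]
                    if load_balancer['VpcId'] == vpc]
        except Exception as e:
            print_exception(f'Failed to get ELBv2 load balancers: {e}')
            return []

    async def cache_load_balancers(self, region):
        """
        Fetch, normalise and enrich the load balancers of a region exactly once.

        The per-region lock makes concurrent callers wait for the first fetch
        instead of repeating it.

        :param region: Region to fetch and cache load balancers for.
        """
        async with self.regional_load_balancers_cache_locks.setdefault(region, asyncio.Lock()):
            if region in self.load_balancers_cache:
                return

            self.load_balancers_cache[region] = \
                await AWSFacadeUtils.get_all_pages('elbv2', region, self.session,
                                                   'describe_load_balancers', 'LoadBalancers')

            # A missing or empty 'VpcId' is replaced by the ec2_classic marker.
            for load_balancer in self.load_balancers_cache[region]:
                load_balancer['VpcId'] = load_balancer.get('VpcId') or ec2_classic

            await get_and_set_concurrently(
                [self._get_and_set_load_balancer_attributes], self.load_balancers_cache[region], region=region)

            await get_and_set_concurrently(
                [self._get_and_set_load_balancer_tags], self.load_balancers_cache[region], region=region)

    async def _get_and_set_load_balancer_attributes(self, load_balancer: dict, region: str):
        """
        Store the load balancer's attributes under load_balancer['attributes'].

        On failure the key is left unset and the error is reported.
        """
        elbv2_client = AWSFacadeUtils.get_client('elbv2', self.session, region)
        try:
            load_balancer['attributes'] = await run_concurrently(
                lambda: elbv2_client.describe_load_balancer_attributes(
                    LoadBalancerArn=load_balancer['LoadBalancerArn'])['Attributes']
            )
        except Exception as e:
            print_exception(f'Failed to describe ELBv2 attributes: {e}')

    async def _get_and_set_load_balancer_tags(self, load_balancer: dict, region: str):
        """
        Store the load balancer's tags under load_balancer['Tags'].

        A failure whose message mentions 'LoadBalancerNotFound' is reported as a
        warning, any other failure as an exception; the key is left unset in both
        cases.
        """
        elbv2_client = AWSFacadeUtils.get_client('elbv2', self.session, region)
        try:
            load_balancer['Tags'] = await run_concurrently(
                lambda: elbv2_client.describe_tags(
                    ResourceArns=[load_balancer['LoadBalancerArn']])['TagDescriptions'][0]['Tags']
            )
        except Exception as e:
            # Match on the message text: an exception object does not support `in`,
            # so testing the object itself would raise TypeError inside the handler.
            if 'LoadBalancerNotFound' in str(e):
                print_warning(f'Failed to describe ELBv2 tags: {e}')
            else:
                print_exception(f'Failed to describe ELBv2 tags: {e}')

    async def get_listeners(self, region: str, load_balancer_arn: str):
        """
        Return the listeners of one load balancer.

        Unlike the cached lookups above, errors are not caught here.

        :param region: Region the load balancer lives in.
        :param load_balancer_arn: ARN passed as LoadBalancerArn to describe_listeners.
        :return: List of listeners.
        """
        return await AWSFacadeUtils.get_all_pages(
            'elbv2', region, self.session, 'describe_listeners', 'Listeners', LoadBalancerArn=load_balancer_arn)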


================================================
FILE: ScoutSuite/providers/aws/facade/emr.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import map_concurrently, run_concurrently


class EMRFacade(AWSBaseFacade):
    """Facade over the EMR API: lists clusters, then describes each one."""

    async def get_clusters(self, region):
        """
        Return the full description of every EMR cluster in a region.

        A failure while listing clusters is reported and yields []. A failure while
        describing a single cluster is re-raised by _get_cluster and is not caught
        here.

        :param region: Region to query.
        :return: Result of mapping _get_cluster over the listed cluster ids.
        """
        try:
            listed = await AWSFacadeUtils.get_all_pages('emr', region, self.session, 'list_clusters', 'Clusters')
            cluster_ids = []
            for summary in listed:
                cluster_ids.append(summary['Id'])
        except Exception as e:
            print_exception(f'Failed to get EMR clusterss: {e}')
            return []

        return await map_concurrently(self._get_cluster, cluster_ids, region=region)

    async def _get_cluster(self, cluster_id: str, region: str):
        """
        Describe one cluster and return its 'Cluster' payload.

        Errors are reported and then re-raised to the caller.

        :param cluster_id: Id passed as ClusterId to describe_cluster.
        :param region: Region the cluster lives in.
        """
        client = AWSFacadeUtils.get_client('emr', self.session, region)

        def describe():
            return client.describe_cluster(ClusterId=cluster_id)['Cluster']

        try:
            return await run_concurrently(describe)
        except Exception as e:
            print_exception(f'Failed to describe EMR cluster: {e}')
            raise


================================================
FILE: ScoutSuite/providers/aws/facade/iam.py
================================================
import asyncio
import functools

from botocore.exceptions import ClientError

from ScoutSuite.core.console import print_exception, print_warning
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import get_non_provider_id, run_concurrently, get_and_set_concurrently


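class IAMFacade(AWSBaseFacade):
    """
    Facade over the IAM API: credential report, groups, policies, users, roles,
    password policy and MFA devices.

    Several lookups report failures through print_exception and then return an
    empty or missing value. An empty result from this class therefore does not by
    itself show that the account has no such resource; the console output has to
    be checked as well.
    """

    async def get_credential_reports(self):
        """
        Generate (if needed) and download the account credential report.

        :return: One dict per report row, keyed by the CSV header names; [] when
                 generation or download fails.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        # When no credential report exists, we first need to initiate the creation of a new report by calling
        # client.generate_credential_report and then check for COMPLETE status before trying to download it:
        max_attempts = 3
        report_generated = False
        try:
            for _ in range(max_attempts):
                response = await run_concurrently(client.generate_credential_report)
                if response['State'] == 'COMPLETE':
                    report_generated = True
                    break
                await asyncio.sleep(0.1)  # Wait for 100ms before doing a new attempt.
        except Exception as e:
            print_exception(f'Failed to generate credential report: {e}')
            return []

        if not report_generated:
            # Report the configured attempt count, not a counter that has reached 0.
            print_exception(f'Failed to complete credential report generation in {max_attempts} attempts')
            return []

        try:
            report = await run_concurrently(lambda: client.get_credential_report()['Content'])

            # The report is a CSV string. The first row contains the name of each column. The next rows
            # each represent an individual account. This algorithm provides a simple initial parsing.
            # NOTE(review): a plain split(',') does not honour CSV quoting; confirm no
            # report field can contain a comma.
            lines = report.splitlines()
            keys = lines[0].decode('utf-8').split(',')

            return [dict(zip(keys, line.decode('utf-8').split(','))) for line in lines[1:]]
        except Exception as e:
            # Match on the message text: an exception object does not support `in`,
            # so testing the object itself would raise TypeError inside the handler.
            if 'ReportNotPresent' in str(e):
                print_warning(f'Failed to download credential report: {e}')
            else:
                print_exception(f'Failed to download credential report: {e}')
            return []

    async def get_groups(self):
        """
        Return all IAM groups, each enriched with its users and inline policies.

        :return: List of group dicts.
        """
        groups = await AWSFacadeUtils.get_all_pages('iam', None, self.session, 'list_groups', 'Groups')
        await get_and_set_concurrently(
            [self._get_and_set_group_users,
             functools.partial(self._get_and_set_inline_policies, iam_resource_type='group')], groups)
        return groups

    async def get_policies(self):
        """
        Return the managed policies that are attached to at least one entity
        (OnlyAttached=True), each enriched with its default document and the
        entities it is attached to.

        :return: List of policy dicts.
        """
        policies = await AWSFacadeUtils.get_all_pages(
            'iam', None, self.session, 'list_policies', 'Policies', OnlyAttached=True)
        await get_and_set_concurrently([self._get_and_set_policy_details], policies)
        return policies

    async def _get_and_set_policy_details(self, policy):
        """
        Set policy['PolicyDocument'] and policy['attached_to'] in place.

        'attached_to' maps 'groups' / 'roles' / 'users' to lists of
        {'name': ..., 'id': ...} dicts; a kind with no attachment gets no key. If
        the policy version cannot be fetched, neither key is set.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        try:
            policy_version = await run_concurrently(
                lambda: client.get_policy_version(PolicyArn=policy['Arn'], VersionId=policy['DefaultVersionId']))
            policy['PolicyDocument'] = policy_version['PolicyVersion']['Document']
        except Exception as e:
            print_exception(f'Failed to get policy version: {e}')
            return

        policy['attached_to'] = {}
        attached_entities = await AWSFacadeUtils.get_multiple_entities_from_all_pages(
            'iam', None, self.session, 'list_entities_for_policy', ['PolicyGroups', 'PolicyRoles', 'PolicyUsers'],
            PolicyArn=policy['Arn'])

        for entity_type in attached_entities:
            entities = attached_entities[entity_type]
            if not len(entities):
                continue

            # 'PolicyGroups' -> plural 'Groups' -> singular 'Group', which prefixes
            # the 'GroupName' / 'GroupId' fields of each entity.
            plural = entity_type.replace('Policy', '')
            singular = plural[:-1]
            attachments = policy['attached_to'][plural.lower()] = []
            for entity in entities:
                attachments.append({'name': entity[singular + 'Name'], 'id': entity[singular + 'Id']})

    async def get_users(self):
        """
        Return all IAM users, each enriched with inline policies, groups, tags,
        login profile, access keys and MFA devices.

        :return: List of user dicts.
        """
        users = await AWSFacadeUtils.get_all_pages('iam', None, self.session, 'list_users', 'Users')
        await get_and_set_concurrently(
            [functools.partial(self._get_and_set_inline_policies, iam_resource_type='user'),
             self._get_and_set_user_groups,
             self._get_and_set_user_tags,
             self._get_and_set_user_login_profile,
             self._get_and_set_user_access_keys,
             self._get_and_set_user_mfa_devices],
            users)
        return users

    async def _get_and_set_user_login_profile(self, user: {}):
        """
        Set user['LoginProfile'] when the user has one.

        A 'NoSuchEntity' error is silently ignored and leaves the key unset; other
        errors are reported and also leave it unset.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        try:
            user['LoginProfile'] = await run_concurrently(
                lambda: client.get_login_profile(UserName=user['UserName'])['LoginProfile'])
        except ClientError as e:
            if e.response["Error"]["Code"] == "NoSuchEntity":
                # If the user has not been assigned a password, the operation returns a 404 (NoSuchEntity) error.
                pass
            else:
                print_exception(f'Failed to get login profile: {e}')
        except Exception as e:
            print_exception(f'Failed to get login profile: {e}')

    async def _get_and_set_user_groups(self, user: {}):
        """Set user['groups'] to the names of the groups the user belongs to."""
        groups = await AWSFacadeUtils.get_all_pages(
            'iam', None, self.session, 'list_groups_for_user', 'Groups', UserName=user['UserName'])
        user['groups'] = [group['GroupName'] for group in groups]

    async def _get_and_set_user_tags(self, user: {}):
        """
        Set user['tags'] to the list_user_tags response. Errors are not caught here.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        # Go through run_concurrently like the other client calls in this class, so
        # the synchronous client call is not made directly inside the coroutine.
        user['tags'] = await run_concurrently(lambda: client.list_user_tags(UserName=user['UserName']))

    async def get_roles(self):
        """
        Return all IAM roles, each enriched with inline policies, instance profiles
        and tags.

        The trust policy is moved from 'AssumeRolePolicyDocument' to
        role['assume_role_policy']['PolicyDocument'], and 'instances_count' is
        initialised to 'N/A'.

        :return: List of role dicts.
        """
        roles = await AWSFacadeUtils.get_all_pages('iam', None, self.session, 'list_roles', 'Roles')
        for role in roles:
            role['instances_count'] = 'N/A'
            # Get trust relationship
            role['assume_role_policy'] = {'PolicyDocument': role.pop('AssumeRolePolicyDocument')}
        await get_and_set_concurrently(
            [functools.partial(self._get_and_set_inline_policies, iam_resource_type='role'),
             self._get_and_set_role_profiles,
             self._get_and_set_role_tags], roles)

        return roles

    async def _get_and_set_role_tags(self, role: {}):
        """
        Set role['tags'] to the list_role_tags response. Errors are not caught here.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        # Same reasoning as _get_and_set_user_tags: keep the synchronous client call
        # out of the coroutine body.
        role['tags'] = await run_concurrently(lambda: client.list_role_tags(RoleName=role['RoleName']))

    async def _get_and_set_role_profiles(self, role: {}):
        """
        Fill role['instance_profiles'] with {profile_id: {'arn': ..., 'name': ...}}.

        Existing entries are kept: every level is written with setdefault.
        """
        profiles = await AWSFacadeUtils.get_all_pages(
            'iam', None, self.session, 'list_instance_profiles_for_role', 'InstanceProfiles',
            RoleName=role['RoleName'])
        instance_profiles = role.setdefault('instance_profiles', {})
        for profile in profiles:
            entry = instance_profiles.setdefault(profile['InstanceProfileId'], {})
            entry.setdefault('arn', profile['Arn'])
            entry.setdefault('name', profile['InstanceProfileName'])

    async def get_password_policy(self):
        """
        Return the account password policy.

        :return: The 'PasswordPolicy' dict, or None after any ClientError. Only
                 errors other than 'NoSuchEntity' are reported, so None covers both
                 "no policy set" and "lookup failed". Exceptions that are not
                 ClientError are not caught here.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        try:
            return (await run_concurrently(client.get_account_password_policy))['PasswordPolicy']
        except ClientError as e:
            if e.response['Error']['Code'] != 'NoSuchEntity':
                print_exception(f'Failed to get account password policy: {e}')
            return None

    async def _get_and_set_user_access_keys(self, user: {}):
        """
        Set user['AccessKeys'] to the user's access key metadata.

        On failure the key is left unset and the error is reported.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        try:
            user['AccessKeys'] = await run_concurrently(
                lambda: client.list_access_keys(UserName=user['UserName'])['AccessKeyMetadata'])
        except Exception as e:
            print_exception(f'Failed to list access keys: {e}')

    async def _get_and_set_user_mfa_devices(self, user: {}):
        """Set user['MFADevices'] to the result of get_user_mfa_devices (may be None)."""
        user['MFADevices'] = await self.get_user_mfa_devices(user['UserName'])

    async def get_user_mfa_devices(self, username: str):
        """
        Return the MFA devices registered for one user.

        :param username: Passed as UserName to list_mfa_devices.
        :return: The 'MFADevices' list, or None when the call failed. None is kept
                 distinct from an empty list so a failed lookup is not read as
                 "user has no MFA device".
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        try:
            return await run_concurrently(
                lambda: client.list_mfa_devices(UserName=username)['MFADevices'])
        except Exception as e:
            print_exception(f'Failed to list MFA devices for user: {e}')
            return None

    async def get_virtual_mfa_devices(self):
        """
        Return the account's virtual MFA devices.

        :return: The 'VirtualMFADevices' list ([] when the key is absent), or []
                 when the call failed.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        try:
            return await run_concurrently(
                lambda: client.list_virtual_mfa_devices().get('VirtualMFADevices', []))
        except Exception as e:
            print_exception(f'Failed to list virtual MFA devices: {e}')
            return []

    async def _get_and_set_group_users(self, group: {}):
        """
        Set group['Users'] to the 'UserId' of every member of the group.

        On failure the key is left unset and the error is reported.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        try:
            users = await run_concurrently(lambda: client.get_group(GroupName=group['GroupName'])['Users'])
            group['Users'] = [user['UserId'] for user in users]
        except Exception as e:
            print_exception('Failed to get IAM group {}: {}'.format(group['GroupName'], e))

    async def _get_and_set_inline_policies(self, resource, iam_resource_type):
        """
        Set resource['inline_policies'] and resource['inline_policies_count'].

        :param resource: User, group or role dict; must carry the matching
                         '<Type>Name' key (e.g. 'UserName').
        :param iam_resource_type: 'user', 'group' or 'role'; used to build both the
                                  client method names and the name key.

        When listing the policy names fails, 'inline_policies' stays empty and no
        count is set. Errors raised while fetching an individual policy are not
        caught here.
        """
        client = AWSFacadeUtils.get_client('iam', self.session)
        list_policy_method = getattr(client, 'list_' + iam_resource_type + '_policies')
        name_key = iam_resource_type.title() + 'Name'
        args = {name_key: resource[name_key]}

        resource['inline_policies'] = {}

        try:
            policy_names = await run_concurrently(lambda: list_policy_method(**args)['PolicyNames'])
            if len(policy_names) == 0:
                resource['inline_policies_count'] = 0
        except Exception as e:
            print_exception(f'Failed to list IAM policy: {e}')
            return

        get_policy_method = getattr(client, 'get_' + iam_resource_type + '_policy')
        try:
            # policy_name is bound as a default argument so that each lambda keeps
            # its own name instead of the last value of the loop variable.
            tasks = {
                asyncio.ensure_future(
                    run_concurrently(lambda policy_name=policy_name:
                                     get_policy_method(**dict(args, PolicyName=policy_name)))
                ) for policy_name in policy_names
            }
        except Exception as e:
            print_exception(f'Failed to get policy methods: {e}')
            return

        for task in asyncio.as_completed(tasks):
            policy = await task
            policy_name = policy['PolicyName']
            resource['inline_policies'][get_non_provider_id(policy_name)] = {
                'PolicyDocument': self._normalize_statements(policy['PolicyDocument']),
                'name': policy_name,
            }
        resource['inline_policies_count'] = len(resource['inline_policies'])

    def _normalize_statements(self, policy_document):
        """
        Normalise the 'Statement' entry of a policy document in place.

        A single-statement dict is passed through _normalize_single_statement; a
        list of statements is left untouched; any other type is reported. An empty
        or None document is returned unchanged.

        :return: The same policy_document object.
        """
        if policy_document:
            statements = policy_document['Statement']
            if isinstance(statements, list):
                # Lists of statements are deliberately not normalised element by element.
                pass
            elif isinstance(statements, dict):
                policy_document['Statement'] = self._normalize_single_statement(statements)
            else:
                print_exception('Failed to normalize policy document')
        return policy_document

    def _normalize_single_statement(self, statement):
        """
        Make the action and resource entries of a statement lists, in place.

        The statement is expected to hold 'Action' or 'NotAction' and 'Resource' or
        'NotResource'; a missing pair raises KeyError.

        :return: The same statement object.
        """
        # Action or NotAction
        action_string = 'Action' if 'Action' in statement else 'NotAction'
        if not isinstance(statement[action_string], list):
            statement[action_string] = [statement[action_string]]
        # Resource or NotResource
        resource_string = 'Resource' if 'Resource' in statement else 'NotResource'
        if not isinstance(statement[resource_string], list):
            statement[resource_string] = [statement[resource_string]]
        # Result
        return statement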



================================================
FILE: ScoutSuite/providers/aws/facade/kms.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently
import json



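class KMSFacade(AWSBaseFacade):
    """
    Facade over the KMS API: keys with their policy, metadata and aliases, plus
    grants and rotation status.

    Failures are reported through print_exception and turned into empty or missing
    values, so a key without 'policy', 'metadata' or 'aliases' may simply be a key
    for which the lookup failed.
    """

    async def get_keys(self, region: str):
        """
        Return the KMS keys of a region, each enriched with policy, metadata and
        aliases.

        :param region: Region to query.
        :return: List of key dicts; [] when listing or the enrichment pass raised.
        """
        # Return from the try/except branches rather than from a `finally` block: a
        # `return` in `finally` would discard exceptions that `except Exception`
        # does not catch, and `keys` may not even be bound at that point.
        try:
            keys = await AWSFacadeUtils.get_all_pages('kms', region, self.session, 'list_keys', 'Keys')
            await get_and_set_concurrently(
                [self._get_and_set_key_policy,
                 self._get_and_set_key_metadata,
                 self._get_and_set_key_aliases],
                keys, region=region)
            return keys
        except Exception as e:
            print_exception(f'Failed to get KMS keys: {e}')
            return []

    async def _get_and_set_key_policy(self, key: {}, region: str):
        """
        Set key['policy'] to the parsed JSON of the key policy named 'default'.

        On failure the key is left unset and the error is reported.
        """
        client = AWSFacadeUtils.get_client('kms', self.session, region)
        try:
            response = await run_concurrently(
                lambda: client.get_key_policy(KeyId=key['KeyId'],
                                              PolicyName='default'))
            key['policy'] = json.loads(response.get('Policy'))
        except Exception as e:
            print_exception(f'Failed to get KMS key policy: {e}')

    async def _get_and_set_key_metadata(self, key: {}, region: str):
        """
        Set key['metadata'] to the describe_key response.

        On failure the key is left unset and the error is reported.
        """
        client = AWSFacadeUtils.get_client('kms', self.session, region)
        try:
            key['metadata'] = await run_concurrently(lambda: client.describe_key(KeyId=key['KeyId']))
        except Exception as e:
            print_exception(f'Failed to describe KMS key: {e}')

    async def _get_and_set_key_aliases(self, key: {}, region: str):
        """
        Set key['aliases'] to the 'Aliases' entry of the list_aliases response
        (None when that entry is absent).

        On failure the key is left unset and the error is reported.
        """
        client = AWSFacadeUtils.get_client('kms', self.session, region)
        try:
            response = await run_concurrently(
                lambda: client.list_aliases(KeyId=key['KeyId'])
            )
            key['aliases'] = response.get('Aliases')
        except Exception as e:
            print_exception(f'Failed to get KMS aliases: {e}')

    async def get_grants(self, region: str, key_id: str):
        """
        Return the grants of one key.

        :param region: Region the key lives in.
        :param key_id: Passed as KeyId to list_grants.
        :return: List of grants, or [] when the call failed.
        """
        try:
            return await AWSFacadeUtils.get_all_pages('kms', region, self.session, 'list_grants', 'Grants',
                                                      KeyId=key_id)
        except Exception as e:
            print_exception(f'Failed to list KMS Grants: {e}')
            return []

    async def get_key_rotation_status(self, region: str, key_id: str):
        """
        Return the get_key_rotation_status response for one key.

        :param region: Region the key lives in.
        :param key_id: Passed as KeyId to get_key_rotation_status.
        :return: The response, or None when the call failed. Callers have to treat
                 None as "unknown", not as "rotation disabled".
        """
        client = AWSFacadeUtils.get_client('kms', self.session, region)
        try:
            return await run_concurrently(
                lambda: client.get_key_rotation_status(KeyId=key_id))
        except Exception as e:
            print_exception(f'Failed to get KMS key rotation: {e}')
            return None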


================================================
FILE: ScoutSuite/providers/aws/facade/rds.py
================================================
from asyncio import Lock

from botocore.exceptions import ClientError
from ScoutSuite.core.console import print_exception, print_warning
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.aws.utils import get_aws_account_id
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.utils import ec2_classic
from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently


class RDSFacade(AWSBaseFacade):
    # Class-level state: these dicts are defined on the class, so every RDSFacade
    # instance shares them. The instance and snapshot caches and their locks are
    # keyed by region; each lock guards the first fetch of its region.
    _regional_instances_cache_locks = {}
    _instances_cache = {}
    _regional_snapshots_cache_locks = {}
    _snapshots_cache = {}
    # Presumably used the same way for DB subnet groups -- confirm against the
    # methods that read them.
    _regional_subnet_groups_cache_locks = {}
    _subnet_groups_cache = {}

    async def get_instances(self, region: str, vpc: str):
        """
        Return the cached RDS instances of a region whose 'VpcId' equals ``vpc``.

        :param region: Region to look up.
        :param vpc: VPC id, or the ec2_classic marker for instances without one.
        :return: List of instance dicts, or [] if anything raised (the error is
                 reported, so [] does not prove the region has no instances).
        """
        try:
            await self._cache_instances(region)
            in_vpc = []
            for candidate in self._instances_cache[region]:
                if candidate['VpcId'] == vpc:
                    in_vpc.append(candidate)
            return in_vpc
        except Exception as e:
            print_exception(f'Failed to get RDS instances: {e}')
            return []

    async def _cache_instances(self, region: str):
        """
        Fetch, normalise and enrich the RDS instances of a region exactly once.

        Each instance gets a top-level 'VpcId' taken from its DB subnet group, or
        the ec2_classic marker when that value is missing or empty, and is then
        passed to the cluster and tag enrichment helpers.

        :param region: Region to fetch and cache instances for.
        """
        region_lock = self._regional_instances_cache_locks.setdefault(region, Lock())
        async with region_lock:
            if region in self._instances_cache:
                return

            self._instances_cache[region] = await AWSFacadeUtils.get_all_pages(
                'rds', region, self.session, 'describe_db_instances', 'DBInstances')

            for instance in self._instances_cache[region]:
                vpc_id = ec2_classic
                if 'DBSubnetGroup' in instance:
                    subnet_group = instance['DBSubnetGroup']
                    if 'VpcId' in subnet_group and subnet_group['VpcId']:
                        vpc_id = subnet_group['VpcId']
                instance['VpcId'] = vpc_id

            enrichers = [self._get_and_set_instance_clusters, self._get_and_set_instance_tags]
            await get_and_set_concurrently(enrichers, self._instances_cache[region], region=region)


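    async def _get_and_set_instance_tags(self, instance: {}, region: str):
        """
        Set instance['Tags'] to a {key: value} dict built from the instance's tags.

        :param instance: Instance dict; 'DBInstanceArn' and 'DBInstanceIdentifier'
                         are read.
        :param region: Region the instance lives in.

        A ClientError leaves 'Tags' unset and is reported unless its code is
        'NoSuchTagSet'. Any other exception sets 'Tags' to {} and is reported as a
        warning when its message mentions 'DBInstanceNotFound', as an exception
        otherwise.
        """
        client = AWSFacadeUtils.get_client('rds', self.session, region)
        # NOTE(review): account_id is not used below; kept because the call itself
        # may matter to callers -- confirm and drop if it does not.
        account_id = get_aws_account_id(self.session)
        try:
            instance_tagset = await run_concurrently(lambda: client.list_tags_for_resource(
                ResourceName=instance['DBInstanceArn']))
            instance['Tags'] = {x['Key']: x['Value'] for x in instance_tagset['TagList']}
        except ClientError as e:
            if e.response['Error']['Code'] != 'NoSuchTagSet':
                print_exception('Failed to get db instance tags for {}: {}'.format(instance['DBInstanceIdentifier'], e))
        except Exception as e:
            # Match on the message text: an exception object does not support `in`,
            # so testing the object itself would raise TypeError inside the handler.
            if 'DBInstanceNotFound' in str(e):
                print_warning('Failed to get db instance tags for {}: {}'.format(instance['DBInstanceIdentifier'], e))
            else:
                print_exception('Failed to get db instance tags for {}: {}'.format(instance['DBInstanceIdentifier'], e))
            instance['Tags'] = {}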

    async def _get_and_set_instance_clusters(self, instance: {}, region: str):
        """
        For an instance that belongs to a DB cluster, overwrite instance['MultiAZ']
        with the cluster's 'MultiAZ' value.

        Instances without 'DBClusterIdentifier' are left untouched. On failure the
        instance keeps its existing value and the error is reported.

        :param instance: Instance dict to update in place.
        :param region: Region the instance lives in.
        """
        client = AWSFacadeUtils.get_client('rds', self.session, region)
        if 'DBClusterIdentifier' not in instance:
            return

        cluster_id = instance['DBClusterIdentifier']

        def describe_cluster():
            return client.describe_db_clusters(DBClusterIdentifier=cluster_id)

        try:
            response = await run_concurrently(describe_cluster)
            # The lookup is by identifier, so only the first cluster is read.
            instance['MultiAZ'] = response['DBClusters'][0]['MultiAZ']
        except Exception as e:
            print_exception(f'Failed to describe RDS clusters: {e}')

    async def get_snapshots(self, region: str, vpc: str):
        """
        Return the cached RDS snapshots (instance and cluster snapshots) of a region
        whose 'VpcId' equals ``vpc``.

        :param region: Region to look up.
        :param vpc: VPC id, or the ec2_classic marker for snapshots without one.
        :return: List of snapshot dicts, or [] if anything raised (the error is
                 reported, so [] does not prove the region has no snapshots).
        """
        try:
            await self._cache_snapshots(region)
            in_vpc = []
            for candidate in self._snapshots_cache[region]:
                if candidate['VpcId'] == vpc:
                    in_vpc.append(candidate)
            return in_vpc
        except Exception as e:
            print_exception(f'Failed to get RDS snapshots: {e}')
            return []

    async def _cache_snapshots(self, region: str):
        """
        Fetch and enrich the DB snapshots and DB cluster snapshots of a region
        exactly once, storing both kinds in one list.

        Every snapshot without a 'VpcId' key is labelled with the ec2_classic
        marker, then given its attributes by the matching helper.

        :param region: Region to fetch and cache snapshots for.
        """
        region_lock = self._regional_snapshots_cache_locks.setdefault(region, Lock())
        async with region_lock:
            if region in self._snapshots_cache:
                return

            # Instance snapshots come first.
            self._snapshots_cache[region] = await AWSFacadeUtils.get_all_pages(
                'rds', region, self.session, 'describe_db_snapshots', 'DBSnapshots')

            for snapshot in self._snapshots_cache[region]:
                snapshot.setdefault('VpcId', ec2_classic)

            await get_and_set_concurrently(
                [self._get_and_set_snapshot_attributes], self._snapshots_cache[region], region=region)

            # Cluster snapshots are a separate resource on the API, so they are
            # fetched and enriched on their own before being appended.
            cluster_snapshots = await AWSFacadeUtils.get_all_pages(
                'rds', region, self.session, 'describe_db_cluster_snapshots', 'DBClusterSnapshots')

            for snapshot in cluster_snapshots:
                snapshot.setdefault('VpcId', ec2_classic)

            await get_and_set_concurrently(
                [self._get_and_set_cluster_snapshot_attributes], cluster_snapshots, region=region)

            self._snapshots_cache[region].extend(cluster_snapshots)

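    async def _get_and_set_snapshot_attributes(self, snapshot: {}, region: str):
        """
        Attach the snapshot's attributes under ``snapshot['Attributes']``.

        On any failure the attributes are set to an empty dictionary, so an empty value does
        not prove that the snapshot has no attributes. A message mentioning
        ``DBSnapshotNotFound`` is logged as a warning, anything else as an exception.

        :param snapshot: DB snapshot dictionary, updated in place
        :param region: region used to build the RDS client
        """
        client = AWSFacadeUtils.get_client('rds', self.session, region)
        try:
            attributes = await run_concurrently(
                lambda: client.describe_db_snapshot_attributes(
                    DBSnapshotIdentifier=snapshot['DBSnapshotIdentifier'])['DBSnapshotAttributesResult'])
            snapshot['Attributes'] = attributes.get('DBSnapshotAttributes', {})
        except Exception as e:
            # Test the message text: applying `in` to the exception object itself raises a
            # TypeError from inside this handler, which would escape instead of being logged.
            if 'DBSnapshotNotFound' in str(e):
                print_warning(f'Failed to describe RDS snapshot attributes: {e}')
            else:
                print_exception(f'Failed to describe RDS snapshot attributes: {e}')
            snapshot['Attributes'] = {}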

    async def _get_and_set_cluster_snapshot_attributes(self, snapshot: {}, region: str):
        """
        Attach the cluster snapshot's attributes under ``snapshot['Attributes']``.

        On any failure the error is reported through ``print_exception`` and the attributes are
        set to an empty dictionary.

        :param snapshot: DB cluster snapshot dictionary, updated in place
        :param region: region used to build the RDS client
        """
        rds_client = AWSFacadeUtils.get_client('rds', self.session, region)

        def describe_attributes():
            response = rds_client.describe_db_cluster_snapshot_attributes(
                DBClusterSnapshotIdentifier=snapshot['DBClusterSnapshotIdentifier'])
            return response['DBClusterSnapshotAttributesResult']

        try:
            result = await run_concurrently(describe_attributes)
            if 'DBClusterSnapshotAttributes' in result:
                snapshot['Attributes'] = result['DBClusterSnapshotAttributes']
            else:
                snapshot['Attributes'] = {}
        except Exception as e:
            print_exception(f'Failed to describe RDS cluster snapshot attributes: {e}')
            snapshot['Attributes'] = {}

    async def get_subnet_groups(self, region: str, vpc: str):
        """
        Return the cached DB subnet groups of ``region`` whose ``VpcId`` equals ``vpc``.

        Any failure is reported through ``print_exception`` and yields an empty list.

        :param region: region whose subnet groups are requested
        :param vpc: VPC identifier to filter on
        :return: list of subnet group dictionaries
        """
        try:
            await self._cache_subnet_groups(region)
            regional_groups = self._subnet_groups_cache[region]
            return list(filter(lambda group: group['VpcId'] == vpc, regional_groups))
        except Exception as e:
            print_exception(f'Failed to get RDS subnet groups: {e}')
            return []

    async def _cache_subnet_groups(self, region: str):
        """
        Fill the per-region DB subnet group cache, once, under a per-region lock.

        :param region: region to cache
        """
        region_lock = self._regional_subnet_groups_cache_locks.setdefault(region, Lock())
        async with region_lock:
            if region not in self._subnet_groups_cache:
                self._subnet_groups_cache[region] = await AWSFacadeUtils.get_all_pages(
                    'rds', region, self.session, 'describe_db_subnet_groups', 'DBSubnetGroups')
                
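    async def get_parameter_groups(self, region: str):
        """
        Return the DB parameter groups of ``region`` with their modifiable parameters attached.

        Any ``Exception`` is reported through ``print_exception`` and yields an empty list.

        :param region: region to query
        :return: list of parameter group dictionaries
        """
        try:
            parameter_groups = await AWSFacadeUtils.get_all_pages(
                'rds', region, self.session, 'describe_db_parameter_groups', 'DBParameterGroups')
            await get_and_set_concurrently(
                [self._get_and_set_db_parameters], parameter_groups, region=region)
        except Exception as e:
            print_exception(f'Failed to get RDS parameter groups: {e}')
            return []
        # Returning here rather than from a `finally` clause: a return inside `finally` discards
        # whatever is in flight (task cancellation included) and can hit an unbound local.
        return parameter_groups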

    async def _get_and_set_db_parameters(self, parameter_group: {}, region: str):
        """
        Attach the group's modifiable parameters under ``parameter_group['Parameters']``.

        The result maps each parameter name to the remaining parameter fields. Parameters whose
        ``IsModifiable`` value is falsy are dropped. Failures are reported through
        ``print_exception`` and swallowed.

        :param parameter_group: DB parameter group dictionary, updated in place
        :param region: region to query
        """
        name = parameter_group['DBParameterGroupName']
        try:
            fetched = await AWSFacadeUtils.get_all_pages(
                'rds', region, self.session, 'describe_db_parameters', 'Parameters', DBParameterGroupName=name)
            modifiable = parameter_group['Parameters'] = {}
            for entry in fetched:
                # Keep modifiable parameters only
                if entry['IsModifiable']:
                    modifiable[entry.pop('ParameterName')] = entry
        except Exception as e:
            print_exception(f'Failed fetching DB parameters for {name}: {e}')

    async def get_security_groups(self, region: str):
        """
        Return the DB security groups of ``region``.

        Any failure is reported through ``print_exception`` and yields an empty list.

        :param region: region to query
        :return: list of DB security group dictionaries
        """
        try:
            security_groups = await AWSFacadeUtils.get_all_pages(
                'rds', region, self.session, 'describe_db_security_groups', 'DBSecurityGroups')
        except Exception as e:
            print_exception(f'Failed to get RDS security groups: {e}')
            return []
        else:
            return security_groups


================================================
FILE: ScoutSuite/providers/aws/facade/redshift.py
================================================
from asyncio import Lock

from botocore.utils import ClientError

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.aws.utils import ec2_classic


class RedshiftFacade(AWSBaseFacade):
    """
    Facade over the Redshift API: clusters, parameter groups, security groups and parameters.
    """

    # NOTE(review): both dictionaries are class attributes, so they look shared by every
    # RedshiftFacade instance in the process. Confirm that a run never builds facades for more
    # than one session/account, otherwise cached clusters could be served across them.
    regional_cluster_cache_locks = {}
    clusters_cache = {}

    async def get_clusters(self, region: str, vpc: str):
        """
        Return the cached clusters of ``region`` whose ``VpcId`` equals ``vpc``.

        Any failure is reported through ``print_exception`` and yields an empty list.

        :param region: region whose clusters are requested
        :param vpc: VPC identifier to filter on
        :return: list of cluster dictionaries
        """
        try:
            await self.cache_clusters(region)
            regional_clusters = self.clusters_cache[region]
            return [entry for entry in regional_clusters if entry['VpcId'] == vpc]
        except Exception as e:
            print_exception(f'Failed to get Redshift clusters: {e}')
            return []

    async def cache_clusters(self, region):
        """
        Fill the per-region cluster cache, once, under a per-region lock.

        Clusters with a missing or empty ``VpcId`` are labelled with ``ec2_classic``.

        :param region: region to cache
        """
        region_lock = self.regional_cluster_cache_locks.setdefault(region, Lock())
        async with region_lock:
            if region not in self.clusters_cache:
                fetched = await AWSFacadeUtils.get_all_pages(
                    'redshift', region, self.session, 'describe_clusters', 'Clusters')
                self.clusters_cache[region] = fetched
                for cluster in fetched:
                    cluster['VpcId'] = cluster.get('VpcId') or ec2_classic

    async def get_cluster_parameter_groups(self, region: str):
        """
        Return the cluster parameter groups of ``region``, or an empty list on failure.

        :param region: region to query
        :return: list of parameter group dictionaries
        """
        try:
            parameter_groups = await AWSFacadeUtils.get_all_pages(
                'redshift', region, self.session, 'describe_cluster_parameter_groups', 'ParameterGroups')
        except Exception as e:
            print_exception(f'Failed to get Redshift parameter groups: {e}')
            return []
        else:
            return parameter_groups

    async def get_cluster_security_groups(self, region: str):
        """
        Return the cluster security groups of ``region``.

        A ``ClientError`` with code ``InvalidParameterValue`` is treated as "no security groups"
        and is not logged; the original note attributes it to VPC-by-default customers. Other
        ``ClientError`` codes are logged and also yield an empty list. Exceptions that are not
        ``ClientError`` are not caught here.

        :param region: region to query
        :return: list of cluster security group dictionaries
        """
        try:
            security_groups = await AWSFacadeUtils.get_all_pages(
                'redshift', region, self.session, 'describe_cluster_security_groups', 'ClusterSecurityGroups')
        except ClientError as e:
            error_code = e.response['Error']['Code']
            if error_code == 'InvalidParameterValue':
                return []
            print_exception(f'Failed to describe cluster security groups: {e}')
            return []
        else:
            return security_groups

    async def get_cluster_parameters(self, region: str, parameter_group: str):
        """
        Return the parameters of the named cluster parameter group.

        Unlike the other getters of this class, errors are not caught here.

        :param region: region to query
        :param parameter_group: name of the parameter group
        :return: list of parameter dictionaries
        """
        parameters = await AWSFacadeUtils.get_all_pages(
            'redshift', region, self.session, 'describe_cluster_parameters', 'Parameters',
            ParameterGroupName=parameter_group)
        return parameters


================================================
FILE: ScoutSuite/providers/aws/facade/route53.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils


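class Route53Facade(AWSBaseFacade):
    """
    Facade over the Route 53 and Route 53 Domains APIs.

    Every getter reports failures through ``print_exception`` and returns an empty list, so an
    empty result can also mean that the data could not be retrieved.
    """

    async def get_domains(self, region):
        """
        Return the registered domains visible through ``region``.

        :param region: region passed to the ``route53domains`` client
        :return: list of domain dictionaries
        """
        try:
            return await AWSFacadeUtils.get_all_pages('route53domains', region, self.session,
                                                      'list_domains', 'Domains')
        except Exception as e:
            print_exception(f'Failed to get Route53 domains: {e}')
            return []

    async def get_hosted_zones(self):
        """
        Return the hosted zones of the account.

        :return: list of hosted zone dictionaries
        """
        try:
            return await AWSFacadeUtils.get_all_pages('route53', None, self.session,
                                                      'list_hosted_zones', 'HostedZones')
        except Exception as e:
            print_exception(f'Failed to get Route53 hosted zones: {e}')
            # Same failure value as get_domains, instead of an implicit None
            return []

    async def get_resource_records(self, hosted_zone_id):
        """
        Return the resource record sets of a hosted zone.

        :param hosted_zone_id: identifier of the hosted zone
        :return: list of resource record set dictionaries
        """
        try:
            return await AWSFacadeUtils.get_all_pages('route53', None, self.session,
                                                      'list_resource_record_sets', 'ResourceRecordSets',
                                                      HostedZoneId=hosted_zone_id)
        except Exception as e:
            print_exception(f'Failed to get Route53 resource records: {e}')
            # Same failure value as get_domains, instead of an implicit None
            return []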


================================================
FILE: ScoutSuite/providers/aws/facade/s3.py
================================================
import json

from botocore.exceptions import ClientError

from ScoutSuite.core.console import print_exception, print_debug, print_warning
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently


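class S3Facade(AWSBaseFacade):
    """
    Collects the S3 bucket inventory and per-bucket configuration.

    The ``_get_and_set_*`` helpers update the bucket dictionary in place. How a failed lookup
    is recorded differs per helper (``None``, ``'Unknown'``, an empty value, or the key left
    unset), so see each method before reading a value as "disabled".
    """

    async def get_buckets(self):
        """
        List the buckets visible to the session and attach their configuration.

        :return: list of bucket dictionaries; an empty list when listing fails or no bucket
                 is returned
        """
        try:
            # If there are regions specified, try for each of them until one works.
            # Otherwise, try all the available regions until one works.
            # This is required in case there's an IAM policy that denies access to APIs on a regional basis,
            # as per https://github.com/nccgroup/ScoutSuite/issues/727
            buckets = []
            exception = None
            region_list = self.regions if self.regions else await run_concurrently(
                lambda: self.session.get_available_regions('s3'))
            for region in region_list:
                try:
                    client = AWSFacadeUtils.get_client('s3', self.session, region)
                    buckets = await run_concurrently(lambda: client.list_buckets()['Buckets'])
                except Exception as e:
                    exception = e
                else:
                    exception = None  # Fix for https://github.com/nccgroup/ScoutSuite/issues/916#issuecomment-728783965
                    break
            if not buckets:
                if exception:
                    print_exception(f'Failed to list buckets: {exception}')
                return []
        except Exception as e:
            print_exception(f'Failed to list buckets: {e}')
            return []
        else:
            # We need first to retrieve bucket locations before retrieving bucket details
            # (`region` is the region whose list_buckets call succeeded)
            await get_and_set_concurrently([self._get_and_set_s3_bucket_location], buckets, region=region)

            # Then we can retrieve bucket details concurrently
            await get_and_set_concurrently(
                [self._get_and_set_s3_bucket_logging,
                 self._get_and_set_s3_bucket_versioning,
                 self._get_and_set_s3_bucket_webhosting,
                 self._get_and_set_s3_bucket_default_encryption,
                 self._get_and_set_s3_acls,
                 self._get_and_set_s3_bucket_policy,
                 self._get_and_set_s3_bucket_tags,
                 self._get_and_set_s3_bucket_block_public_access],
                buckets)

            # Non-async post-processing
            for bucket in buckets:
                self._set_s3_bucket_secure_transport(bucket)
            # Try to update CreationDate of all buckets with the correct values from 'us-east-1'
            self._get_and_set_s3_bucket_creationdate(buckets)

            return buckets

    @staticmethod
    def _report_error(message: str, error: Exception):
        """
        Log ``'<message>: <error>'``, as a warning when the error text mentions ``NoSuchBucket``
        or ``InvalidToken`` and as an exception otherwise.

        :param message: description of the operation that failed
        :param error: exception that was caught
        """
        text = f'{message}: {error}'
        if 'NoSuchBucket' in str(error) or 'InvalidToken' in str(error):
            print_warning(text)
        else:
            print_exception(text)

    async def _get_and_set_s3_bucket_location(self, bucket: dict, region=None):
        """
        Resolve the bucket's region and store it under ``bucket['region']``.

        An empty location constraint is recorded as ``us-east-1`` and the ``EU`` value as
        ``eu-west-1``; ``None`` is stored when the location could not be read.

        :param bucket: bucket dictionary, updated in place
        :param region: region used to build the client for the lookup
        """
        client = AWSFacadeUtils.get_client('s3', self.session, region)
        try:
            location = await run_concurrently(lambda: client.get_bucket_location(Bucket=bucket['Name']))
        except Exception as e:
            self._report_error('Failed to get bucket location for {}'.format(bucket['Name']), e)
            location = None

        if location:
            region = location['LocationConstraint'] if location['LocationConstraint'] else 'us-east-1'

            # Fixes issue #59: location constraint can be either EU or eu-west-1 for Ireland...
            if region == 'EU':
                region = 'eu-west-1'
        else:
            region = None

        bucket['region'] = region

    async def _get_and_set_s3_bucket_logging(self, bucket: dict):
        """
        Store the access-logging target under ``bucket['logging']``.

        The value is ``'<TargetBucket>/<TargetPrefix>'`` when logging is enabled, ``'Disabled'``
        when it is not, and ``'Unknown'`` when the configuration could not be read.

        :param bucket: bucket dictionary, updated in place
        """
        client = AWSFacadeUtils.get_client('s3', self.session, bucket['region'])
        try:
            logging_config = await run_concurrently(lambda: client.get_bucket_logging(Bucket=bucket['Name']))
        except Exception as e:
            self._report_error('Failed to get logging configuration for {}'.format(bucket['Name']), e)
            bucket['logging'] = 'Unknown'
        else:
            if 'LoggingEnabled' in logging_config:
                target = logging_config['LoggingEnabled']
                bucket['logging'] = target['TargetBucket'] + '/' + target['TargetPrefix']
            else:
                bucket['logging'] = 'Disabled'

    async def _get_and_set_s3_bucket_versioning(self, bucket: dict):
        """
        Store the versioning and MFA-delete state as booleans, or ``None`` for both on failure.

        :param bucket: bucket dictionary, updated in place
        """
        client = AWSFacadeUtils.get_client('s3', self.session, bucket['region'])
        try:
            versioning = await run_concurrently(lambda: client.get_bucket_versioning(Bucket=bucket['Name']))
            bucket['versioning_status_enabled'] = self._status_to_bool(versioning.get('Status'))
            bucket['version_mfa_delete_enabled'] = self._status_to_bool(versioning.get('MFADelete'))
        except Exception as e:
            self._report_error('Failed to get versioning configuration for {}'.format(bucket['Name']), e)
            bucket['versioning_status_enabled'] = None
            bucket['version_mfa_delete_enabled'] = None

    async def _get_and_set_s3_bucket_webhosting(self, bucket: dict):
        """
        Store whether static website hosting is configured under ``bucket['web_hosting_enabled']``.

        An error mentioning ``NoSuchWebsiteConfiguration`` is recorded as ``False``; any other
        error is logged and leaves the key unset.

        :param bucket: bucket dictionary, updated in place
        """
        client = AWSFacadeUtils.get_client('s3', self.session, bucket['region'])
        try:
            result = await run_concurrently(lambda: client.get_bucket_website(Bucket=bucket['Name']))
            bucket['web_hosting_enabled'] = 'IndexDocument' in result
        except Exception as e:
            if "NoSuchWebsiteConfiguration" in str(e):
                bucket['web_hosting_enabled'] = False
            else:
                self._report_error('Failed to get web hosting configuration for {}'.format(bucket['Name']), e)

    async def _get_and_set_s3_bucket_default_encryption(self, bucket: dict):
        """
        Store the default-encryption state, algorithm and key of the bucket.

        ``default_encryption_enabled`` is ``True`` when a configuration is returned, ``False``
        when the API reports that none exists, and ``None`` when the lookup failed for any
        other reason. The algorithm and key are ``None`` unless a configuration was read.

        :param bucket: bucket dictionary, updated in place
        """
        bucket_name = bucket['Name']
        client = AWSFacadeUtils.get_client('s3', self.session, bucket['region'])
        try:
            config = await run_concurrently(lambda: client.get_bucket_encryption(Bucket=bucket['Name']))
            # Only the first rule of the configuration is consulted
            default_rule = config.get('ServerSideEncryptionConfiguration', {}) \
                .get('Rules', [{}])[0].get('ApplyServerSideEncryptionByDefault', {})
            bucket['default_encryption_enabled'] = True
            bucket['default_encryption_algorithm'] = default_rule.get('SSEAlgorithm')
            bucket['default_encryption_key'] = default_rule.get('KMSMasterKeyID')
        except ClientError as e:
            if 'ServerSideEncryptionConfigurationNotFoundError' in e.response['Error']['Code']:
                bucket['default_encryption_enabled'] = False
            else:
                bucket['default_encryption_enabled'] = None
                self._report_error(f'Failed to get encryption configuration for {bucket_name}', e)
            bucket['default_encryption_algorithm'] = None
            bucket['default_encryption_key'] = None
        except Exception as e:
            # Record the unknown state under the same key as every other branch; this branch
            # used to write a separate 'default_encryption' key instead.
            bucket['default_encryption_enabled'] = None
            bucket['default_encryption_algorithm'] = None
            bucket['default_encryption_key'] = None
            self._report_error(f'Failed to get encryption configuration for {bucket_name}', e)

    async def _get_and_set_s3_acls(self, bucket: dict, key_name=None):
        """
        Store the ACL grantees of the bucket, or of one object, under ``bucket['grantees']``.

        Each grantee maps to its display name, its group URI when it has one, and the
        ``read``/``write``/``read_acp``/``write_acp`` flags accumulated over its grants.
        On failure the grantees are set to an empty dictionary.

        :param bucket: bucket dictionary, updated in place
        :param key_name: object key; when given, the object ACL is read instead of the bucket ACL
        """
        bucket_name = bucket['Name']
        client = AWSFacadeUtils.get_client('s3', self.session, bucket['region'])
        try:
            grantees = {}
            if key_name:
                grants = await run_concurrently(lambda: client.get_object_acl(Bucket=bucket_name, Key=key_name))
            else:
                grants = await run_concurrently(lambda: client.get_bucket_acl(Bucket=bucket_name))
            for grant in grants['Grants']:
                grantee_info = grant['Grantee']
                if 'ID' in grantee_info:
                    grantee = grantee_info['ID']
                    display_name = grantee_info['DisplayName'] if 'DisplayName' in grantee_info \
                        else grantee_info['ID']
                elif 'URI' in grantee_info:
                    # Predefined groups are keyed by the last URI segment
                    grantee = grantee_info['URI'].split('/')[-1]
                    display_name = self._s3_group_to_string(grantee_info['URI'])
                else:
                    grantee = display_name = 'Unknown'
                permission = grant['Permission']
                entry = grantees.setdefault(grantee, {})
                entry['DisplayName'] = display_name
                if 'URI' in grantee_info:
                    entry['URI'] = grantee_info['URI']
                permissions = entry.setdefault('permissions', self._init_s3_permissions())
                self._set_s3_permissions(permissions, permission)
            bucket['grantees'] = grantees
        except Exception as e:
            self._report_error(f'Failed to get ACL configuration for {bucket_name}', e)
            bucket['grantees'] = {}

    async def _get_and_set_s3_bucket_policy(self, bucket: dict):
        """
        Store the parsed bucket policy under ``bucket['policy']``.

        The key is left unset when the bucket has no policy or the lookup fails; failures
        other than ``NoSuchBucketPolicy`` are logged.

        :param bucket: bucket dictionary, updated in place
        """
        client = AWSFacadeUtils.get_client('s3', self.session, bucket['region'])
        try:
            bucket_policy = await run_concurrently(lambda: client.get_bucket_policy(Bucket=bucket['Name']))
            bucket['policy'] = json.loads(bucket_policy['Policy'])
        except ClientError as e:
            if e.response['Error']['Code'] != 'NoSuchBucketPolicy':
                self._report_error('Failed to get bucket policy for {}'.format(bucket['Name']), e)
        except Exception as e:
            # Do not reset bucket['grantees'] here: get_buckets runs the ACL helper in the same
            # batch, and a policy failure must not erase the ACL grantees it collected.
            self._report_error('Failed to get bucket policy for {}'.format(bucket['Name']), e)

    async def _get_and_set_s3_bucket_tags(self, bucket: dict):
        """
        Store the bucket tags as a ``{key: value}`` dictionary under ``bucket['tags']``.

        A ``ClientError`` leaves the key unset (and is logged unless its code is
        ``NoSuchTagSet``); any other failure is logged and stores an empty dictionary.

        :param bucket: bucket dictionary, updated in place
        """
        client = AWSFacadeUtils.get_client('s3', self.session, bucket['region'])
        try:
            bucket_tagset = await run_concurrently(lambda: client.get_bucket_tagging(Bucket=bucket['Name']))
            bucket['tags'] = {x['Key']: x['Value'] for x in bucket_tagset['TagSet']}
        except ClientError as e:
            if e.response['Error']['Code'] != 'NoSuchTagSet':
                self._report_error('Failed to get bucket tags for {}'.format(bucket['Name']), e)
        except Exception as e:
            self._report_error('Failed to get bucket tags for {}'.format(bucket['Name']), e)
            bucket['tags'] = {}

    async def _get_and_set_s3_bucket_block_public_access(self, bucket: dict):
        """
        Store the bucket-level public access block under
        ``bucket['public_access_block_configuration']``.

        The key is left unset when no configuration exists or the lookup fails.

        :param bucket: bucket dictionary, updated in place
        """
        client = AWSFacadeUtils.get_client('s3', self.session, bucket['region'])
        try:
            bucket_public_access_block_conf = await run_concurrently(
                lambda: client.get_public_access_block(Bucket=bucket['Name']))
            bucket['public_access_block_configuration'] = \
                bucket_public_access_block_conf['PublicAccessBlockConfiguration']
        except ClientError as e:
            # A missing configuration is expected and needs no message. Any other client error
            # (a denied call, for instance) means the setting is unknown rather than absent,
            # so it is reported instead of being dropped silently.
            if e.response['Error']['Code'] != 'NoSuchPublicAccessBlockConfiguration':
                self._report_error(
                    'Failed to get the public access block configuration for {}'.format(bucket['Name']), e)
        except Exception as e:
            self._report_error(
                'Failed to get the public access block configuration for {}'.format(bucket['Name']), e)

    def _get_and_set_s3_bucket_creationdate(self, buckets):
        """
        Overwrite each bucket's ``CreationDate`` with the value listed by ``us-east-1``.

        Buckets missing from the ``us-east-1`` listing keep their original value. Note that the
        listing call is made synchronously.

        :param buckets: list of bucket dictionaries, updated in place
        """
        # When using region other than 'us-east-1', the 'CreationDate' is the last modified time according to bucket's
        # last replication in the respective region
        # Source: https://github.com/aws/aws-cli/issues/3597#issuecomment-424167129
        # Fixes issue https://github.com/nccgroup/ScoutSuite/issues/858
        client = AWSFacadeUtils.get_client('s3', self.session, 'us-east-1')
        try:
            creation_dates = {}
            for listed in client.list_buckets()['Buckets']:
                # First occurrence wins, like a linear search for the name
                creation_dates.setdefault(listed['Name'], listed['CreationDate'])
            for bucket in buckets:
                bucket['CreationDate'] = creation_dates.get(bucket['Name'], bucket['CreationDate'])
        except Exception:
            # Only output exception when in debug mode
            print_debug('Failed to get bucket creation date from "us-east-1" region')

    def _set_s3_bucket_secure_transport(self, bucket: dict):
        """
        Store under ``bucket['secure_transport_enabled']`` whether the bucket policy contains a
        statement that restricts access to encrypted transport.

        The value is ``False`` when there is no policy or no matching statement, and ``None``
        when the policy could not be evaluated. The check is a heuristic on individual
        statements and may not cover every way of writing such a policy.

        :param bucket: bucket dictionary, updated in place
        """
        try:
            bucket['secure_transport_enabled'] = False
            if 'policy' in bucket:
                statements = bucket['policy']['Statement']
                # A policy may carry a single statement object instead of a list
                if isinstance(statements, dict):
                    statements = [statements]
                for statement in statements:
                    # TODO this might not cover all cases
                    if self._statement_enforces_secure_transport(statement):
                        bucket['secure_transport_enabled'] = True
        except Exception as e:
            self._report_error('Failed to evaluate bucket policy for {}'.format(bucket['Name']), e)
            # Unknown, recorded under the key the success path uses
            bucket['secure_transport_enabled'] = None

    @staticmethod
    def _statement_enforces_secure_transport(statement: dict) -> bool:
        """
        Tell whether one policy statement restricts access to encrypted transport.

        A statement matches when it denies ``aws:SecureTransport`` = false, allows
        ``aws:SecureTransport`` = true, denies ``s3:TlsVersion`` below a bound of at least 1.2,
        or (in a statement that has a ``NumericLessThan`` block) allows ``s3:TlsVersion``
        above a bound of at least 1.1. The ``NumericLessThan`` block is only examined when
        the statement has no ``Bool`` block.

        :param statement: one element of the policy's ``Statement``
        :return: True when the statement matches
        """
        effect = statement.get('Effect')
        conditions = statement.get('Condition') or {}

        if 'Bool' in conditions:
            for key, value in conditions['Bool'].items():
                if key.lower() != 'aws:securetransport':
                    continue
                # The value may be written as a string or as a JSON boolean
                flag = str(value).lower()
                if (flag == 'false' and effect == 'Deny') or (flag == 'true' and effect == 'Allow'):
                    return True
            return False

        if 'NumericLessThan' in conditions:
            greater_than = conditions.get('NumericGreaterThan') or {}
            for key, value in conditions['NumericLessThan'].items():
                if key.lower() != 's3:tlsversion':
                    continue
                # Compare as numbers: the version may be a JSON number or a string, and mixing
                # the two in a comparison raises TypeError
                upper_bound = S3Facade._to_number(value)
                if effect == 'Deny' and upper_bound is not None and upper_bound >= 1.2:
                    return True
                lower_bound = S3Facade._to_number(greater_than.get(key))
                if effect == 'Allow' and lower_bound is not None and lower_bound >= 1.1:
                    return True
        return False

    @staticmethod
    def _to_number(value):
        """ Returns ``value`` as a float, or None when it cannot be converted. """
        try:
            return float(value)
        except (TypeError, ValueError):
            return None

    def get_s3_public_access_block(self, account_id):
        """
        Return the account-level public access block configuration.

        :param account_id: AWS account identifier
        :return: the configuration dictionary; a dictionary with every setting ``False`` when
                 the call raises a ``ClientError``; ``None`` on any other failure
        """
        # We need a region to generate the client
        # However, the settings are global, so they are not region-dependent
        region = 'us-east-1'
        client = AWSFacadeUtils.get_client('s3control', self.session, region)
        try:
            s3_public_access_block = client.get_public_access_block(AccountId=account_id)
            return s3_public_access_block['PublicAccessBlockConfiguration']
        except ClientError as e:
            # NOTE(review): the all-False default is returned for every ClientError to keep the
            # return value callers already receive. Only a missing configuration actually means
            # "nothing is blocked"; for any other code the default reflects a failed lookup, so
            # the failure is logged.
            if e.response['Error']['Code'] != 'NoSuchPublicAccessBlockConfiguration':
                self._report_error(
                    f'Failed to get the public access block configuration for the account {account_id}', e)
            # No public access block configuration at the S3 level, returning the default
            return {
                "BlockPublicAcls": False,
                "IgnorePublicAcls": False,
                "BlockPublicPolicy": False,
                "RestrictPublicBuckets": False
            }
        except Exception as e:
            self._report_error(
                f'Failed to get the public access block configuration for the account {account_id}', e)
            return None

    @staticmethod
    def _init_s3_permissions():
        """ Returns a fresh permission dictionary with every flag set to False. """
        permissions = {'read': False, 'write': False, 'read_acp': False, 'write_acp': False}
        return permissions

    @staticmethod
    def _set_s3_permissions(permissions: dict, name: str):
        """
        Turn on the flags granted by the ACL permission ``name``.

        ``FULL_CONTROL`` turns on all four flags; flags are never turned off.

        :param permissions: permission dictionary, updated in place
        :param name: ACL permission name
        """
        if name == 'READ' or name == 'FULL_CONTROL':
            permissions['read'] = True
        if name == 'WRITE' or name == 'FULL_CONTROL':
            permissions['write'] = True
        if name == 'READ_ACP' or name == 'FULL_CONTROL':
            permissions['read_acp'] = True
        if name == 'WRITE_ACP' or name == 'FULL_CONTROL':
            permissions['write_acp'] = True

    @staticmethod
    def _s3_group_to_string(uri: str):
        """ Returns a readable name for a predefined S3 group URI, or the URI itself. """
        group_names = {
            'http://acs.amazonaws.com/groups/global/AuthenticatedUsers': 'Authenticated users',
            'http://acs.amazonaws.com/groups/global/AllUsers': 'Everyone',
            'http://acs.amazonaws.com/groups/s3/LogDelivery': 'Log delivery',
        }
        return group_names.get(uri, uri)

    @staticmethod
    def _status_to_bool(value: str):
        """ Converts a string to True if it is equal to 'Enabled' or to False otherwise. """
        return value == 'Enabled'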


================================================
FILE: ScoutSuite/providers/aws/facade/secretsmanager.py
================================================
import json

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import map_concurrently, run_concurrently, get_and_set_concurrently


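class SecretsManagerFacade(AWSBaseFacade):
    """
    Facade over the Secrets Manager API: secret descriptions and resource policies.

    Only the list, describe and resource-policy calls are made here.
    """

    async def get_secrets(self, region):
        """
        Return the secrets of ``region``, each described and with its resource policy attached.

        A failure of the listing call is reported through ``print_exception`` and yields an
        empty list.

        :param region: region to query
        :return: list of secret dictionaries
        """
        try:
            secrets_list = await AWSFacadeUtils.get_all_pages('secretsmanager', region, self.session,
                                                              'list_secrets', 'SecretList')
        except Exception as e:
            print_exception(f'Failed to get Secrets Manager secrets: {e}')
            return []
        else:
            secrets_list = await map_concurrently(self._describe_secrets, secrets_list, region=region)

            await get_and_set_concurrently(
                [
                    self._get_and_set_secret_policy
                ],
                secrets_list,
                region=region)

            return secrets_list

    async def _describe_secrets(self, secret: dict, region: str):
        """
        Return the full description of one listed secret.

        When the describe call fails, the error is logged and the listing entry is returned
        unchanged.

        :param secret: entry of the secret listing; its ``ARN`` identifies the secret
        :param region: region used to build the client
        :return: secret description without its ``ResponseMetadata``
        """
        client = AWSFacadeUtils.get_client('secretsmanager', self.session, region)

        try:
            secret_description = await run_concurrently(lambda: client.describe_secret(SecretId=secret.get('ARN')))
        except Exception as e:
            print_exception('Failed to get Secrets Manager secret details: {}'.format(e))
            return secret
        else:
            # Runs outside the try block, so tolerate a response without the metadata key
            secret_description.pop('ResponseMetadata', None)
            return secret_description

    async def _get_and_set_secret_policy(self, secret: dict, region: str):
        """
        Store the parsed resource policy of the secret under ``secret['policy']``.

        An empty dictionary is stored when the secret has no policy and also when the lookup
        fails, so an empty value does not prove that no policy is attached.

        :param secret: secret dictionary, updated in place
        :param region: region used to build the client
        """
        client = AWSFacadeUtils.get_client('secretsmanager', self.session, region)

        try:
            policy = await run_concurrently(lambda: client.get_resource_policy(SecretId=secret.get('ARN')))
            policy_json = policy.get('ResourcePolicy')
            secret['policy'] = json.loads(policy_json) if policy_json else {}
        except Exception as e:
            print_exception('Failed to get Secrets Manager secret policy: {}'.format(e))
            secret['policy'] = {}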


================================================
FILE: ScoutSuite/providers/aws/facade/ses.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import map_concurrently
from ScoutSuite.providers.utils import run_concurrently


class SESFacade(AWSBaseFacade):
    """
    Facade for the SES API calls used here: identities, their DKIM attributes and their policies.
    """

    async def get_identities(self, region: str):
        """
        List the SES identities of a region together with their DKIM attributes.

        :param region: Region to query

        :return: The result of mapping _get_identity_dkim_attributes over the identity names,
                 or an empty list when listing or any mapped lookup raises.
        """
        try:
            names = await AWSFacadeUtils.get_all_pages(
                'ses', region, self.session, 'list_identities', 'Identities')
            identities = await map_concurrently(self._get_identity_dkim_attributes, names, region=region)
        except Exception as e:
            # A failure is logged and reported as "no identities"; the log is the only place
            # where a failed scan differs from an empty region.
            print_exception(f'Failed to get SES identities: {e}')
            return []
        return identities

    async def _get_identity_dkim_attributes(self, identity_name: str, region: str):
        """
        Fetch the DKIM attributes of one identity.

        :param identity_name: Name of the identity
        :param region: Region the SES client is created for

        :return: Tuple of (identity_name, DKIM attributes of that identity)
        :raises Exception: Whatever the lookup raised, after logging it
        """
        client = AWSFacadeUtils.get_client('ses', self.session, region)

        def fetch():
            response = client.get_identity_dkim_attributes(Identities=[identity_name])
            return response['DkimAttributes'][identity_name]

        try:
            attributes = await run_concurrently(fetch)
        except Exception as e:
            print_exception(f'Failed to get SES DKIM attributes: {e}')
            raise
        return identity_name, attributes

    async def get_identity_policies(self, region: str, identity_name: str):
        """
        Fetch the policies attached to one identity.

        :param region: Region the SES client is created for
        :param identity_name: Name of the identity

        :return: The 'Policies' entry of the get_identity_policies response; an empty dict when
                 no policy name was listed or listing failed; None when fetching the policies
                 failed. Callers have to handle both the empty dict and None.
        """
        client = AWSFacadeUtils.get_client('ses', self.session, region)
        try:
            names = await run_concurrently(
                lambda: client.list_identity_policies(Identity=identity_name)['PolicyNames']
            )
        except Exception as e:
            # A failed listing is treated like an identity without policies.
            print_exception(f'Failed to list SES policies: {e}')
            return {}

        if len(names) == 0:
            return {}

        try:
            policies = await run_concurrently(
                lambda: client.get_identity_policies(Identity=identity_name, PolicyNames=names)['Policies']
            )
        except Exception as e:
            print_exception(f'Failed to get SES policies: {e}')
            return None
        return policies


================================================
FILE: ScoutSuite/providers/aws/facade/sns.py
================================================
import asyncio

from ScoutSuite.core.console import print_exception, print_warning
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently


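class SNSFacade(AWSBaseFacade):
    """
    Facade for the SNS API calls used here: topics with their attributes, and subscriptions.
    """

    # Class-level state: shared by every SNSFacade instance in the process, keyed by region only.
    # NOTE(review): if one process ever scans with more than one session or account, the
    # subscriptions cached for one would be served for the other - confirm against callers.
    regional_subscriptions_cache_locks = {}
    subscriptions_cache = {}

    async def get_topics(self, region: str):
        """
        List the SNS topics of a region and attach their attributes.

        :param region: Region to query

        :return: List of topics, or an empty list when listing or attribute retrieval raises.
        """
        try:
            topics = await AWSFacadeUtils.get_all_pages('sns', region, self.session, 'list_topics', 'Topics')
            await get_and_set_concurrently([self._get_and_set_topic_attributes], topics, region=region)
        except Exception as e:
            # The message used to name CloudWatch alarms, which sent readers of the log to the
            # wrong service. Returning from here (instead of from a `finally`) also lets
            # non-Exception errors such as cancellation propagate.
            print_exception(f'Failed to get SNS topics: {e}')
            return []
        return topics

    async def _get_and_set_topic_attributes(self, topic: {}, region: str):
        """
        Fetch the attributes of one topic and store them under ``topic['attributes']``.

        On failure the error is logged and the topic is left without an 'attributes' key.

        :param topic: Topic entry, modified in place; read through ``topic['TopicArn']``
        :param region: Region the SNS client is created for

        :return: None
        """
        sns_client = AWSFacadeUtils.get_client('sns', self.session, region)
        try:
            topic['attributes'] = await run_concurrently(
                lambda: sns_client.get_topic_attributes(TopicArn=topic['TopicArn'])['Attributes']
            )
        except Exception as e:
            # Match on the message text: `in` applied to the exception object itself raises
            # TypeError, which would escape this handler.
            if 'NotFound' in str(e):
                print_warning(f'Failed to get SNS topic attributes: {e}')
            else:
                print_exception(f'Failed to get SNS topic attributes: {e}')

    async def get_subscriptions(self, region: str, topic_name: str):
        """
        Return the cached subscriptions of a region that belong to a topic.

        :param region: Region to query
        :param topic_name: Topic name, compared with the last ':'-separated part of each
                           subscription's topic ARN

        :return: List of matching subscriptions
        """
        await self.cache_subscriptions(region)
        return [subscription for subscription in self.subscriptions_cache[region]
                if subscription['topic_name'] == topic_name]

    async def cache_subscriptions(self, region: str):
        """
        Load all subscriptions of a region into the class-level cache, once per region.

        Each cached subscription has its 'TopicArn' replaced by a 'topic_name' key. Errors from
        the listing call are not handled here and propagate to the caller.

        :param region: Region to query

        :return: None
        """
        # One lock per region so concurrent callers wait for a single fetch.
        async with self.regional_subscriptions_cache_locks.setdefault(region, asyncio.Lock()):
            if region in self.subscriptions_cache:
                return

            self.subscriptions_cache[region] = \
                await AWSFacadeUtils.get_all_pages('sns', region, self.session, 'list_subscriptions', 'Subscriptions')

            for subscription in self.subscriptions_cache[region]:
                topic_arn = subscription.pop('TopicArn')
                subscription['topic_name'] = topic_arn.split(':')[-1]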


================================================
FILE: ScoutSuite/providers/aws/facade/sqs.py
================================================
from ScoutSuite.core.console import print_exception, print_warning
from ScoutSuite.providers.aws.facade.basefacade import AWSBaseFacade
from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils
from ScoutSuite.providers.utils import run_concurrently, map_concurrently


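class SQSFacade(AWSBaseFacade):
    """
    Facade for the SQS API calls used here: queue URLs and queue attributes.
    """

    async def get_queues(self, region: str, attribute_names: []):
        """
        List the SQS queues of a region together with the requested attributes.

        :param region: Region to query
        :param attribute_names: Attribute names passed to get_queue_attributes for each queue

        :return: The result of mapping _get_queue_attributes over the queue URLs, or an empty
                 list when listing fails or the response has no 'QueueUrls' key.
        """
        sqs_client = AWSFacadeUtils.get_client('sqs', self.session, region)
        try:
            # NOTE(review): list_queues is called once, without following a continuation
            # token. Queues beyond what a single response returns would not be scanned -
            # confirm whether that matters for the accounts being audited.
            raw_queues = await run_concurrently(sqs_client.list_queues)
        except Exception as e:
            print_exception(f'Failed to list SQS queues: {e}')
            return []

        if 'QueueUrls' not in raw_queues:
            return []

        return await map_concurrently(
            self._get_queue_attributes, raw_queues['QueueUrls'], region=region, attribute_names=attribute_names)

    async def _get_queue_attributes(self, queue_url: str, region: str, attribute_names: []):
        """
        Fetch the requested attributes of one queue.

        :param queue_url: URL of the queue
        :param region: Region the SQS client is created for
        :param attribute_names: Attribute names passed to get_queue_attributes

        :return: Tuple of (queue_url, attributes). The second item is None when the lookup
                 failed, so a failed lookup is not mistaken for a queue with no attributes;
                 callers have to handle None.
        """
        sqs_client = AWSFacadeUtils.get_client('sqs', self.session, region)
        # Bound before the try block: without it the return below raised UnboundLocalError
        # whenever the lookup failed.
        queue_attributes = None
        try:
            queue_attributes = await run_concurrently(
                lambda: sqs_client.get_queue_attributes(QueueUrl=queue_url, AttributeNames=attribute_names)[
                    'Attributes']
            )
        except Exception as e:
            # Match on the message text: `in` applied to the exception object itself raises
            # TypeError, which would escape this handler.
            if 'NonExistentQueue' in str(e):
                print_warning(f'Failed to get SQS queue attributes: {e}')
            else:
                print_exception(f'Failed to get SQS queue attributes: {e}')

        return queue_url, queue_attributes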


================================================
FILE: ScoutSuite/providers/aws/facade/utils.py
================================================
import boto3
from botocore.exceptions import ClientError

from ScoutSuite.core.conditions import print_exception
from ScoutSuite.providers.utils import run_concurrently


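class AWSFacadeUtils:
    """
    Helpers shared by the AWS facades: a process-wide client cache and paginator draining.
    """

    # Cache of API clients, keyed by (service, region).
    # NOTE(review): the session is not part of the key, so a client built from one session's
    # credentials is returned for any later session asking for the same service and region.
    # Harmless with one session per process; confirm that always holds.
    _clients = {}

    @staticmethod
    async def get_all_pages(service: str, region: str, session: boto3.session.Session, paginator_name: str,
                            entity: str, **paginator_args):
        """
        Gets all the entities from a paginator given an entity key

        :param service:str: Name of the AWS service (ec2, iam, etc.)
        :param region:str: Region
        :param session:boto3.session.Session: Boto3 session used to authenticate the client
        :param paginator_name:str: Name of the paginator
        :param entity:str: Key used to retrieve the entities in the paginator's response
        :param **paginator_args: Arguments passed to the paginator

        :return: A list of the fetched entities; an empty list when the underlying call
                 returned nothing (which includes its access-denied path).
        """

        results = await AWSFacadeUtils.get_multiple_entities_from_all_pages(
            service, region, session, paginator_name, [entity], **paginator_args)
        # The access-denied path returns an empty list, which has no entity key to index.
        return results[entity] if results else []

    @staticmethod
    async def get_multiple_entities_from_all_pages(service: str, region: str, session: boto3.session.Session,
                                                   paginator_name: str, entities: list, **paginator_args):
        """
        Gets all the entities from a paginator given multiple entity keys

        :param service:str: Name of the AWS service (ec2, iam, etc.)
        :param region:str: Region
        :param session:boto3.session.Session: Boto3 session used to authenticate the client
        :param paginator_name:str: Name of the paginator
        :param entities:list: Keys used to retrieve the entities in the paginator's response
        :param **paginator_args: Arguments passed to the paginator

        :return: A dictionary with the entity keys as keys, and the fetched entities lists as
                 values. When the API answers with an access-denied style error code, the error
                 is logged and an empty list (not a dictionary) is returned.
        :raises ClientError: For any other API error code
        """

        client = AWSFacadeUtils.get_client(service, session, region)

        # Building a paginator doesn't require any API call so no need to do it concurrently:
        paginator = client.get_paginator(
            paginator_name).paginate(**paginator_args)

        denied_codes = ('AccessDenied',
                        'AccessDeniedException',
                        'UnauthorizedOperation',
                        'AuthorizationError')

        # Getting all pages from a paginator requires API calls so we need to do it concurrently:
        try:
            return await run_concurrently(lambda: AWSFacadeUtils._get_all_pages_from_paginator(paginator, entities))
        except ClientError as e:
            if e.response['Error']['Code'] not in denied_codes:
                raise
            # Missing permissions yield an empty result, so the caller sees "no resources".
            # The logged exception is the only sign that the service was not actually read.
            print_exception(f'Failed to get all pages from paginator for the {service} service: {e}')
            return []

    @staticmethod
    def _get_all_pages_from_paginator(paginator, entities: list):
        """
        Drain a paginator and collect, for each entity key, the items of every page.

        :param paginator: Iterable of response pages
        :param entities: Keys read from each page; every page is indexed with each key

        :return: A dictionary mapping each entity key to the concatenated items
        """
        resources = {entity: [] for entity in entities}

        # There's an API call hidden behind each iteration:
        for page in paginator:
            for entity in entities:
                resources[entity].extend(page[entity])

        return resources

    @staticmethod
    def get_client(service: str, session: boto3.session.Session, region: str = None):
        """
        Instantiates an AWS API client, or returns the cached one for (service, region)

        :param service: Service targeted, e.g. ec2
        :param session: The aws session
        :param region:  Region desired, e.g. us-east-2

        :return: The client, or None when it could not be created (the error is logged)
        """

        cache_key = (service, region)
        try:
            client = AWSFacadeUtils._clients.get(cache_key)
            if client is None:
                # Build a client only on a cache miss. Passing the constructor call straight
                # to setdefault() built a new client on every call and threw it away whenever
                # one was already cached.
                new_client = session.client(service, region_name=region) if region else session.client(service)
                # setdefault keeps whichever client was stored first if two callers race.
                client = AWSFacadeUtils._clients.setdefault(cache_key, new_client)
            return client
        except Exception as e:
            print_exception(f'Failed to create client for the {service} service: {e}')
            return None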


================================================
FILE: ScoutSuite/providers/aws/metadata.json
================================================
{
    "analytics": {
        "emr": {
            "resources": {
                "clusters": {
                    "cols": 2,
                    "path": "services.emr.regions.id.vpcs.id.clusters",
                    "callbacks": [
                        [ "match_security_groups_and_resources_callback", {"status_path": ["Status", "State"], "sg_list_attribute_name": ["Ec2InstanceAttributes", "EmrManagedMasterSecurityGroup"], "sg_id_attribute_name": ""} ],
                        [ "match_security_groups_and_resources_callback", {"status_path": ["Status", "State"], "sg_list_attribute_name": ["Ec2InstanceAttributes", "EmrManagedSlaveSecurityGroup"], "sg_id_attribute_name": ""} ]
                    ]
                }
            }
        }
    },
    "management": {
        "cloudformation": {
            "resources": {
                "stacks": {
                    "cols": 2,
                    "path": "services.cloudformation.regions.id.stacks",
                    "callbacks": [
                        [ "match_roles_and_cloudformation_stacks_callback", {} ]
                    ]
                }
            }
        },
        "cloudtrail": {
            "resources": {
                "regions": {
                    "cols": 2,
                    "path": "services.cloudtrail.regions"
                },
                "trails": {
                    "cols": 2,
                    "path": "services.cloudtrail.regions.id.trails"
                }
            }
        },
        "cloudwatch": {
            "resources": {
                "alarms": {
                    "cols": 2,
                    "path": "services.cloudwatch.regions.id.alarms"
                },
                "metric_filters": {
                    "cols": 2,
                    "path": "services.cloudwatch.regions.id.metric_filters"
                }
            }
        },
        "config": {
            "resources": {
                "regions": {
                    "cols": 2,
                    "path": "services.config.regions"
                },
                "recorders": {
                    "path": "services.config.regions.id.recorders"
                },
                "rules": {
                    "path": "services.config.regions.id.rules"
                }
            }
        },
        "ssm" : {
            "resources": {
                "parameters": {
                    "cols": 2,
                    "path": "services.ssm.regions.id.parameters"
                }
            }
        }
    },
    "messaging": {
        "sns": {
            "resources": {
                "topics": {
                    "cols": 2,
                    "path": "services.sns.regions.id.topics"
                }
            }
        },
        "ses": {
            "resources": {
                "identities": {
                    "cols": 2,
                    "path": "services.ses.regions.id.identities"
                }
            }
        },
        "sqs" : {
            "resources": {
                "queues": {
                    "cols": 2,
                    "path": "services.sqs.regions.id.queues"
                }
            }
        }
    },
    "network": {
        "vpc": {
            "resources": {
                "network_acls": {
                    "cols": 2,
                    "path": "services.vpc.regions.id.vpcs.id.network_acls",
                    "callbacks": [
                        [ "match_network_acls_and_subnets_callback", {} ],
                        [ "process_network_acls_callback", {} ]
                    ]
                },
                "vpcs": {
                    "cols": 2,
                    "path": "services.vpc.regions.id.vpcs"
                },
                "flow_logs": {
                    "path": "services.vpc.regions.id.flow_logs",
                    "callbacks": [
                        [ "sort_vpc_flow_logs_callback", {} ],
                        [ "match_roles_and_vpc_flowlogs_callback", {} ]
                    ]
                },
                "subnets": {
                    "cols": 2,
                    "path": "services.vpc.regions.id.vpcs.id.subnets"
                },
                "peering_connections": {
                    "path": "services.vpc.regions.id.peering_connections",
                    "callbacks": [
                        [ "process_vpc_peering_connections_callback", {} ]
                    ]
                }
            }
        },
        "route53": {
            "resources": {
                "domains": {
                    "cols": 2,
                    "path": "services.route53.regions.id.domains"
                },
                "hosted_zones": {
                    "cols": 2,
                    "path": "services.route53.regions.id.hosted_zones"
                }
            }
        },
        "directconnect": {
            "resources": {
                "connections": {
                    "cols": 2,
                    "path": "services.directconnect.connections"
                }
            }
        },
        "cloudfront": {
            "resources": {
                "distributions": {
                    "cols": 2,
                    "path": "services.cloudfront.distributions"
                }
            }
        }
    },
    "compute": {
        "summaries": {
            "external attack surface": {
                "cols": 1,
                "path": "service_groups.compute.summaries.external_attack_surface",
                "callbacks": [
                    [
                        "merge",
                        {
                            "attribute": "external_attack_surface"
                        }
                    ]
                ]
            }
        },
        "ec2": {
            "resources": {
                "instances": {
                    "cols": 2,
                    "path": "services.ec2.regions.id.vpcs.id.instances",
                    "callbacks": [  ]
                },
                "security_groups": {
                    "cols": 2,
                    "path": "services.ec2.regions.id.vpcs.id.security_groups"
                },
                "volumes": {
                    "cols": 2,
                    "path": "services.ec2.regions.id.volumes"
                },
                "snapshots": {
                    "cols": 2,
                    "path": "services.ec2.regions.id.snapshots"
                },
                "network_interfaces": {
                    "path": "services.ec2.regions.id.vpcs.id.network_interfaces",
                    "hidden": true,
                    "callbacks": [
                        [
                            "match_security_groups_and_resources_callback",
                            {
                                "sg_list_attribute_name": [
                                    "Groups"
                                ],
                                "sg_id_attribute_name": "GroupId"
                            }
                        ]
                    ]
                },
                "images": {
                    "cols": 2,
                    "path": "services.ec2.regions.id.images"
                },
                "regional_settings": {
                    "cols": 2,
                    "path": "services.ec2.regions.id.regional_settings"
                }
            },
            "summaries": {
                "external attack surface": {
                    "cols": 1,
                    "path": "services.ec2.external_attack_surface",
                    "callbacks": [
                        [
                            "list_ec2_network_attack_surface_callback",
                            {
                                "path": "services.ec2.regions.id.vpcs.id.instances.id.network_interfaces.id.PrivateIpAddresses"
                            }
                        ]
                    ]
                }
            }
        },
        "elb": {
            "resources": {
                "elbs": {
                    "cols": 2,
                    "path": "services.elb.regions.id.vpcs.id.elbs",
                    "callbacks": [
                        [
                            "match_security_groups_and_resources_callback",
                            {
                                "status_path": [
                                    "Scheme"
                                ],
                                "sg_list_attribute_name": [
                                    "security_groups"
                                ],
                                "sg_id_attribute_name": "GroupId"
                            }
                        ],
                        [
                            "get_lb_attack_surface",
                            { }
                        ]
                    ]
                },
                "elb_policies": {
                    "cols": 2,
                    "path": "services.elb.regions.id.elb_policies"
                }
            },
            "summaries": {
                "external attack surface": {
                    "cols": 1,
                    "path": "services.elb.external_attack_surface"
                }
            }
        },
        "elbv2": {
            "resources": {
                "lbs": {
                    "cols": 2,
                    "path": "services.elbv2.regions.id.vpcs.id.lbs",
                    "callbacks": [
                        [
                            "match_security_groups_and_resources_callback",
                            {
                                "status_path": [
                                    "State",
                                    "Code"
                                ],
                                "sg_list_attribute_name": [
                                    "security_groups"
                                ],
                                "sg_id_attribute_name": "GroupId"
                            }
                        ],
                        [
                            "get_lb_attack_surface",
                            { }
                        ]
                    ]
                }
            },
            "summaries": {
                "external attack surface": {
                    "cols": 1,
                    "path": "services.elbv2.external_attack_surface"
                }
            }
        },
        "awslambda": {
            "resources": {
                "functions": {
                    "path": "services.awslambda.regions.id.functions",
                    "callbacks": [
                        [
                            "match_security_groups_and_resources_callback",
                            {
                                "status_path": [
                                    "runtime"
                                ],
                                "sg_list_attribute_name": [
                                    "VpcConfig",
                                    "SecurityGroupIds"
                                ]
                            }
                        ]
                    ]
                }
            }
        }
    },
    "containers": {
        "ecr": {
            "resources": {
                "images": {
                    "cols": 2,
                    "path": "services.ecr.regions.id.images"
                },
                "repositories": {
                    "cols": 2,
                    "path": "services.ecr.regions.id.repositories"
                }
            }
        },
        "ecs": {
            "resources": {
                "regions": {
                    "cols": 2,
                    "path": "services.ecs.regions"
                },
                "clusters": {
                    "cols": 2,
                    "path": "services.ecs.regions.id.clusters"
                }
            }
        },
        "eks": {
            "resources": {
                "clusters": {
                    "cols": 2,
                    "path": "services.eks.regions.id.clusters"
                }
            }
        }
    },
    "security": {
        "iam": {
            "resources": {
                "groups": {
                    "cols": 2,
                    "path": "services.iam.groups"
                },
                "policies": {
                    "cols": 2,
                    "path": "services.iam.policies"
                },
                "roles": {
                    "cols": 2,
                    "path": "services.iam.roles"
                },
                "users": {
                    "cols": 2,
                    "path": "services.iam.users"
                },
                "credential_reports": {
                    "cols": 2,
                    "path": "services.iam.credential_reports"
                }
            },
            "summaries": {
                "permissions": {
                    "cols": 1,
                    "path": "services.iam.permissions"
                },
                "password_policy": {
                    "cols": 1,
                    "path": "services.iam.password_policy"
                }
            }
        },
        "cognito": {
            "resources": {
                "identity_pools": {
                    "cols": 2,
                    "path": "services.cognito.regions.id.identity_pools"
                },
                "user_pools": {
                    "cols": 2,
                    "path": "services.cognito.regions.id.user_pools"
                }
            }
        },
        "acm": {
            "resources": {
                "certificates": {
                    "cols": 2,
                    "path": "services.acm.regions.id.certificates"
                }
            }
        },
        "guardduty": {
            "resources": {
                "regions": {
                    "cols": 2,
                    "path": "services.guardduty.regions"
                },
                "detectors": {
                    "path": "services.guardduty.regions.id.detectors"
                }
            }
        },
        "kms": {
            "resources": {
                "keys": {
                    "path": "services.kms.regions.id.keys"
                }
            }
        },
        "secretsmanager" : {
            "resources": {
                "secrets": {
                    "cols": 2,
                    "path": "services.secretsmanager.regions.id.secrets"
                }
            }
        }
    },
    "database": {
        "summaries": {
            "external attack surface": {
                "cols": 1,
                "path": "service_groups.database.summaries.external_attack_surface",
                "callbacks": [
                    [ "merge", {"attribute": "external_attack_surface"} ]
                ]
            }
        },
        "dynamodb": {
            "resources": {
                "tables": {
                    "path": "services.dynamodb.regions.id.tables"
                }
            }
        },
        "docdb": {
            "resources": {
                "clusters": {
                    "path": "services.docdb.regions.id.clusters"
                }
            }
        },
        "elasticache": {
            "resources": {
                "clusters": {
                    "cols": 2,
                    "path": "services.elasticache.regions.id.vpcs.id.clusters",
                    "callbacks": [
                        [ "match_security_groups_and_resources_callback", {"status_path": ["CacheClusterStatus"], "sg_list_attribute_name": ["SecurityGroups"], "sg_id_attribute_name": "SecurityGroupId"} ],
                        [ "get_db_attack_surface", {} ]
                    ]
                },
                "parameter_groups": {
                    "cols": 2,
                    "path": "services.elasticache.regions.id.parameter_groups"
                },
                "security_groups": {
                    "no_exceptions": true,
                    "cols": 2,
                    "path": "services.elasticache.regions.id.security_groups"
                },
                "subnet_groups": {
                    "cols": 2,
                    "path": "services.elasticache.regions.id.vpcs.id.subnet_groups"
                }
            }
        },
        "rds": {
            "resources": {
                "instances": {
                    "cols": 2,
                    "path": "services.rds.regions.id.vpcs.id.instances",
                    "callbacks": [
                        [ "match_security_groups_and_resources_callback", {"status_path": ["DBInstanceStatus"], "sg_list_attribute_name": ["VpcSecurityGroups"], "sg_id_attribute_name": "VpcSecurityGroupId"} ],
                        [ "get_db_attack_surface", {} ]
                    ]
                },
                "security_groups": {
                    "no_exceptions": true,
                    "cols": 2,
                    "path": "services.rds.regions.id.security_groups"
                },
                "snapshots": {
                    "cols": 2,
                    "path": "services.rds.regions.id.vpcs.id.snapshots"
                },
                "parameter_groups": {
                    "cols": 2,
                    "path": "services.rds.regions.id.parameter_groups"
                },
                "subnet_groups": {
                    "cols": 2,
                    "path": "services.rds.regions.id.vpcs.id.subnet_groups"
                }
            },
            "summaries": {
                "external attack surface": {
                    "cols": 1,
                    "path": "services.rds.external_attack_surface"
                }
            }
        },
        "redshift": {
            "resources": {
                "clusters": {
                    "cols": 2,
                    "path": "services.redshift.regions.id.vpcs.id.clusters",
                    "callbacks": [
                        [ "match_security_groups_and_resources_callback", {"status_path": ["ClusterStatus"], "sg_list_attribute_name": ["VpcSecurityGroups"], "sg_id_attribute_name": "VpcSecurityGroupId"} ],
                        [ "get_db_attack_surface", {} ]
                    ]
                },
                "parameter_groups": {
                    "cols": 2,
                    "path": "services.redshift.regions.id.parameter_groups"
                },
                "security_groups": {
                    "cols": 2,
                    "path": "services.redshift.regions.id.security_groups"
                }
            },
            "summaries": {
                "external attack surface": {
                    "cols": 1,
                    "path": "services.redshift.external_attack_surface"
                }
            }
        }
    },
    "storage": {
        "efs": {
            "hidden": true,
            "resources": {
                "file_systems": {
                    "path": "services.efs.regions.id.file_systems",
                    "callbacks": [
                        [ "match_security_groups_and_resources_callback", {"status_path": ["LifeCycleState"], "sg_list_attribute_name": ["security_groups"]} ]
                    ]
                }
            }
        },
        "s3": {
            "resources": {
                "buckets": {
                    "cols": 2,
                    "path": "services.s3.buckets"
                }
            }
        }
    }
}


================================================
FILE: ScoutSuite/providers/aws/provider.py
================================================
import copy
import os

from ScoutSuite.core.console import print_error, print_exception, print_warning, print_debug
from ScoutSuite.providers.aws.services import AWSServicesConfig
from ScoutSuite.providers.aws.resources.vpc.base import put_cidr_name
from ScoutSuite.providers.aws.utils import ec2_classic, get_aws_account_id, get_partition_name
from ScoutSuite.providers.base.configs.browser import combine_paths, get_object_at, get_value_at
from ScoutSuite.providers.base.provider import BaseProvider
from ScoutSuite.utils import manage_dictionary


class AWSProvider(BaseProvider):
    """
    Implements provider for AWS
    """

    def __init__(self, profile='default', report_dir=None, timestamp=None, services=None, skipped_services=None,
                 result_format='json', **kwargs):
        """
        Set up the AWS provider state and hand the common arguments to the base provider.

        :param profile: Profile name; also stored as the environment name
        :param report_dir: Passed to the base provider
        :param timestamp: Passed to the base provider
        :param services: Services to include; None is replaced by an empty list
        :param skipped_services: Services to skip; None is replaced by an empty list
        :param result_format: Stored on the instance and passed to the base provider
        :param kwargs: Must contain 'credentials', an object exposing a ``session`` attribute;
                       a missing key raises KeyError
        """
        if services is None:
            services = []
        if skipped_services is None:
            skipped_services = []

        # metadata.json is looked up in the directory that holds this module.
        module_dir = os.path.split(os.path.abspath(__file__))[0]
        self.metadata_path = f'{module_dir}/metadata.json'

        self.sg_map = {}
        self.subnet_map = {}

        self.profile = profile
        self.environment = self.profile
        self.services_config = AWSServicesConfig

        self.provider_code = 'aws'
        self.provider_name = 'Amazon Web Services'
        self.result_format = result_format

        self.credentials = kwargs['credentials']
        aws_session = self.credentials.session

        # Both values are derived from the session before the base class initializer runs.
        self.partition = get_partition_name(aws_session)
        self.account_id = get_aws_account_id(aws_session)

        super().__init__(report_dir, timestamp, services, skipped_services, result_format)

    def get_report_name(self):
        """
        Returns the name of the report using the provider's configuration

        The profile name is preferred, then the account id; with neither set the name is 'aws'.
        """
        label = self.profile or self.account_id
        return f'aws-{label}' if label else 'aws'

    def preprocessing(self, ip_ranges=None, ip_ranges_name_key=None):
        """
        Tweak the AWS config to match cross-service resources and clean any fetching artifacts

        Most steps are gated on the services they need being part of the run; the base provider's own
        preprocessing is called last.

        :param ip_ranges:               Handed to `_add_cidr_display_name`; None is treated as an empty list
        :param ip_ranges_name_key:      Handed to `_add_cidr_display_name` together with `ip_ranges`
        :return: None
        """
        ip_ranges = [] if ip_ranges is None else ip_ranges

        # Various data processing calls
        # Note that order of processing can matter

        # TODO - this should be moved to the `finalize` method of the base resource, as it's not cross-service
        # NOTE(review): this call is not gated on 'vpc' being in the run, and `_map_all_subnets` reads
        # self.services['vpc'] - confirm that key is always present
        self._map_all_subnets()

        # TODO - this should be moved to the `finalize` method of the base resource, as it's not cross-service
        if 'ec2' in self.service_list:
            self._map_all_sgs()
            self._add_security_group_name_to_ec2_grants()
            self._check_ec2_zone_distribution()
            self._add_last_snapshot_date_to_ec2_volumes()

        if 'ec2' in self.service_list and 'iam' in self.service_list:
            self._match_instances_and_roles()
        
        if 'ec2' in self.service_list and 'vpc' in self.service_list:
            self._match_instances_and_vpcs()
            self._match_instances_and_subnets()
        
        if 'ec2' in self.service_list and 'codebuild' in self.service_list:
            self._update_sg_usage_codebuild()

        if 'awslambda' in self.service_list and 'iam' in self.service_list:
            self._match_lambdas_and_roles()

        if 'elbv2' in self.service_list and 'ec2' in self.service_list:
            self._add_security_group_data_to_elbv2()

        if 's3' in self.service_list and 'iam' in self.service_list:
            self._match_iam_policies_and_buckets()

        # TODO - this should be moved to the `finalize` method of the base resource, as it's not cross-service
        # NOTE(review): this is the only gate that tests self.services instead of self.service_list -
        # confirm the two agree, otherwise this step can run (or be skipped) independently of the requested services
        if 'elb' in self.services:
            self._parse_elb_policies()

        if 'emr' in self.service_list and 'ec2' in self.service_list and 'vpc' in self.service_list:
            self._set_emr_vpc_ids()

        # Does nothing when ip_ranges is empty
        self._add_cidr_display_name(ip_ranges, ip_ranges_name_key)

        super().preprocessing()

    def _add_cidr_display_name(self, ip_ranges, ip_ranges_name_key):
        if len(ip_ranges):
            callback_args = {'ip_ranges': ip_ranges,
                             'ip_ranges_name_key': ip_ranges_name_key}
            self._go_to_and_do(self.services['ec2'],
                               ['regions', 'vpcs', 'security_groups', 'rules', 'protocols', 'ports'],
                               ['services', 'ec2'],
                               put_cidr_name,
                               callback_args)

    def _add_security_group_name_to_ec2_grants(self):
        """
        Github issue #24: display the security group names in the list of grants (added here to have lighter JS code)

        Walks every security-group grant found under the EC2 rule ports and lets
        `add_security_group_name_to_ec2_grants_callback` fill in the name.
        """
        grants_path = ['regions', 'vpcs', 'security_groups', 'rules', 'protocols', 'ports', 'security_groups']
        # The account ID lets the callback recognise grants that point at groups of this same account
        callback_args = {'AWSAccountId': self.account_id}
        self._go_to_and_do(self.services['ec2'],
                           grants_path,
                           [],
                           self.add_security_group_name_to_ec2_grants_callback,
                           callback_args)

    def _add_security_group_data_to_elbv2(self):
        def check_security_group_rules(lb, index, traffic_type):
            none = 'N/A'
            if traffic_type == 'ingress':
                output = 'valid_inbound_rules'
            elif traffic_type == 'egress':
                output = 'valid_outbound_rules'
            for protocol in lb['security_groups'][index]['rules'][traffic_type]['protocols']:
                for port in lb['security_groups'][index]['rules'][traffic_type]['protocols'][protocol]['ports']:
                    lb['security_groups'][index][output] = True
                    if port not in lb['listeners'] and port != none:
                        lb['security_groups'][index][output] = False

        ec2_config = self.services['ec2']
        elbv2_config = self.services['elbv2']
        for region in elbv2_config['regions']:
            for vpc in elbv2_config['regions'][region]['vpcs']:
                for lb in elbv2_config['regions'][region]['vpcs'][vpc]['lbs']:
                    for i in range(0, len(elbv2_config['regions'][region]['vpcs'][vpc]['lbs'][lb]['security_groups'])):
                        for sg in ec2_config['regions'][region]['vpcs'][vpc]['security_groups']:
                            group_id = elbv2_config['regions'][region]['vpcs'][vpc]['lbs'][lb]['security_groups'][i][
                                'GroupId']
                            if 'GroupId' in elbv2_config['regions'][region]['vpcs'][vpc]['lbs'][lb]['security_groups'][
                                i] and group_id == sg:
                                elbv2_config['regions'][region]['vpcs'][vpc]['lbs'][lb]['security_groups'][i] = \
                                    ec2_config['regions'][region]['vpcs'][vpc]['security_groups'][sg]
                                elbv2_config['regions'][region]['vpcs'][vpc]['lbs'][lb]['security_groups'][i][
                                    'GroupId'] = group_id

                        check_security_group_rules(
                            elbv2_config['regions'][region]['vpcs'][vpc]['lbs'][lb], i, 'ingress')
                        check_security_group_rules(
                            elbv2_config['regions'][region]['vpcs'][vpc]['lbs'][lb], i, 'egress')

    def _check_ec2_zone_distribution(self):
        regions = self.services['ec2']['regions'].values()
        self.services['ec2']['number_of_regions_with_instances'] = sum(r['instances_count'] > 0 for r in regions)

        for regions in self.services['ec2']['regions'].values():
            instances_availability_zones = set()
            for vpcs in regions['vpcs'].values():
                for instance in vpcs['instances'].values():
                    instances_availability_zones.add(instance.get('availability_zone'))
            regions['instances_availability_zones'] = len(instances_availability_zones)

    def _add_last_snapshot_date_to_ec2_volumes(self):
        for region in self.services['ec2']['regions'].values():
            for volumeId, volume in region.get('volumes').items():
                completed_snapshots = [s for s in region['snapshots'].values() if
                                       s['volume_id'] == volumeId and s['state'] == 'completed']
                sorted_snapshots = sorted(
                    completed_snapshots, key=lambda s: s['start_time'], reverse=True)
                volume['LastSnapshotDate'] = sorted_snapshots[0]['start_time'] if len(
                    sorted_snapshots) > 0 else None

    def add_security_group_name_to_ec2_grants_callback(self, current_config, path, current_path, ec2_grant,
                                                       callback_args):
        sg_id = ec2_grant['GroupId']
        if sg_id in current_path:
            target = current_path[:(current_path.index(sg_id) + 1)]
            ec2_grant['GroupName'] = get_value_at(self.services['ec2'], target, 'name')
        elif 'UserId' in ec2_grant and ec2_grant['UserId'] == callback_args['AWSAccountId']:
            if 'VpcId' in ec2_grant:
                target = current_path[:(current_path.index('vpcs') + 1)]
                target.append(ec2_grant['VpcId'])
                target.append('security_groups')
                target.append(sg_id)
            else:
                target = current_path[:(
                        current_path.index('security_groups') + 1)]
                target.append(sg_id)
            ec2_grant['GroupName'] = get_value_at(self.services['ec2'], target, 'name')
        elif 'PeeringStatus' in ec2_grant:
            # Can't infer the name of the SG in the peered account
            pass
        else:
            print_warning('Failed to handle EC2 grant: %s' % ec2_grant)

    def process_network_acls_callback(self, current_config, path, current_path, privateip_id, callback_args):
        # Check if the network ACL allows all traffic from all IP addresses
        self._process_network_acls_check_for_allow_all(
            current_config, 'ingress')
        self._process_network_acls_check_for_allow_all(
            current_config, 'egress')
        # Check if the network ACL only has the default rules
        self._process_network_acls_check_for_aws_default(
            current_config, 'ingress')
        self._process_network_acls_check_for_aws_default(
            current_config, 'egress')

    @staticmethod
    def _process_network_acls_check_for_allow_all(network_acl, direction):
        network_acl['allow_all_%s_traffic' % direction] = 0
        for rule_number in network_acl['rules'][direction]:
            rule = network_acl['rules'][direction][rule_number]
            if rule['RuleAction'] == 'deny':
                # If a deny rule appears before an allow all, do not raise the flag
                break
            if (rule['CidrBlock'] == '0.0.0.0/0') and (rule['RuleAction'] == 'allow') and (
                    rule['port_range'] == '1-65535') and (rule['protocol'] == 'ALL'):
                network_acl['allow_all_%s_traffic' % direction] = rule_number
                break

    @staticmethod
    def _process_network_acls_check_for_aws_default(network_acl, direction):
        if len(network_acl['rules'][direction]) == 2 and int(
                network_acl['allow_all_%s_traffic' % direction]) > 0 and '100' in network_acl['rules'][direction]:
            # Assume it is AWS' default rules because there are 2 rules (100 and 65535) and the first rule allows all
            # traffic
            network_acl['use_default_%s_rules' % direction] = True
        else:
            network_acl['use_default_%s_rules' % direction] = False

    def list_ec2_network_attack_surface_callback(self, current_config, path, current_path, privateip_id, callback_args):
        """
        Add the public IPv4 address and every IPv6 address of the visited entry to the EC2
        'external_attack_surface' map, together with the security groups attached to it.

        Any exception is reported through `print_exception` and not propagated, so a malformed entry is
        left out of the attack surface rather than aborting the run.

        :param current_config:      Entry being visited; reads 'Association', 'Ipv6Addresses' and 'Groups'
        :param current_path:        Path of the entry being visited
        """
        def record(address):
            # A fresh list of group IDs is built for every address
            self._security_group_to_attack_surface(self.services['ec2']['external_attack_surface'],
                                                   address, current_path,
                                                   [group['GroupId'] for group in current_config['Groups']],
                                                   [])
            self._complete_information_on_ec2_attack_surface(current_config, current_path, address)

        try:
            manage_dictionary(self.services['ec2'], 'external_attack_surface', {})

            # IPv4: only entries with a non-empty public association are exposed
            if 'Association' in current_config and current_config['Association']:
                record(current_config['Association']['PublicIp'])

            # IPv6
            if 'Ipv6Addresses' in current_config and len(current_config['Ipv6Addresses']) > 0:
                for ipv6 in current_config['Ipv6Addresses']:
                    record(ipv6['Ipv6Address'])
        except Exception as e:
            print_exception(f"Error listing EC2 network attack surface: {e}")

    def _complete_information_on_ec2_attack_surface(self, current_config, current_path, public_ip):
        try:
            # Get the EC2 instance info
            ec2_info = self.services
            for p in current_path[1:-3]:
                ec2_info = ec2_info[p]
            # Fill the rest of the attack surface details on that IP
            self.services['ec2']['external_attack_surface'][public_ip]['InstanceName'] = ec2_info.get('name')
            if current_config is not None and 'PublicDnsName' in current_config.get('Association', {}):
                self.services['ec2']['external_attack_surface'][public_ip]['PublicDnsName'] = \
                    current_config.get('Association', {}).get('PublicDnsName')
        except Exception as e:
            print_exception(f"Error completing EC2 network attack surface information: {e}")

    def _map_all_sgs(self):
        """
        Rebuild `self.sg_map` by running `map_resource` over every EC2 security group.

        The attribute is only replaced once the whole traversal has completed.
        """
        collected = {}
        security_groups_path = ['regions', 'vpcs', 'security_groups']
        self._go_to_and_do(self.services['ec2'],
                           security_groups_path,
                           ['services', 'ec2'],
                           self.map_resource,
                           {'map': collected})
        self.sg_map = collected

    def _map_all_subnets(self):
        """
        Rebuild `self.subnet_map` by running `map_resource` over every VPC subnet.

        The attribute is only replaced once the whole traversal has completed.
        """
        collected = {}
        subnets_path = ['regions', 'vpcs', 'subnets']
        self._go_to_and_do(self.services['vpc'],
                           subnets_path,
                           ['services', 'vpc'],
                           self.map_resource,
                           {'map': collected})
        self.subnet_map = collected

    @staticmethod
    def map_resource(current_config, path, current_path, resource_id, callback_args):
        if resource_id not in callback_args['map']:
            callback_args['map'][resource_id] = {'region': current_path[3]}
            if len(current_path) > 5:
                callback_args['map'][resource_id]['vpc_id'] = current_path[5]

    def _match_iam_policies_and_buckets(self):
        s3_info = self.services['s3']
        iam_info = self.services['iam']
        if 'Action' in iam_info['permissions']:
            for action in (x for x in iam_info['permissions']['Action'] if
                           ((x.startswith('s3:') and x != 's3:ListAllMyBuckets') or (x == '*'))):
                for iam_entity in iam_info['permissions']['Action'][action]:
                    if 'Allow' in iam_info['permissions']['Action'][action][iam_entity]:
                        for allowed_iam_entity in iam_info['permissions']['Action'][action][iam_entity]['Allow']:
                            # For resource statements, we can easily rely on the existing permissions structure
                            if 'Resource' in \
                                    iam_info['permissions']['Action'][action][iam_entity]['Allow'][allowed_iam_entity]:
                                for full_path in (x for x in
                                                  iam_info['permissions']['Action'][action][iam_entity]['Allow'][
                                                      allowed_iam_entity]['Resource'] if
                                                  x.startswith('arn:aws:s3:') or x == '*'):
                                    parts = full_path.split('/')
                                    bucket_name = parts[0].split(':')[-1]
                                    self._update_iam_permissions(s3_info, bucket_name, iam_entity, allowed_iam_entity,
                                                                 iam_info['permissions']['Action'][action][iam_entity][
                                                                     'Allow'][allowed_iam_entity]['Resource'][
                                                                     full_path])
                            # For notresource statements, we must fetch the policy document to determine which
                            # buckets are not protected
                            if 'NotResource' in iam_info['permissions']['Action'][action][iam_entity]['Allow'][
                                allowed_iam_entity]:
                                for full_path in (x for x in
                                                  iam_info['permissions']['Action'][action][iam_entity]['Allow'][
                                                      allowed_iam_entity]['NotResource'] if
                                                  x.startswith('arn:aws:s3:') or x == '*'):
                                    for policy_type in ['InlinePolicies', 'ManagedPolicies']:
                                        if policy_type in \
                                                iam_info['permissions']['Action'][action][iam_entity]['Allow'][
                                                    allowed_iam_entity]['NotResource'][full_path]:
                                            for policy in \
                                                    iam_info['permissions']['Action'][action][iam_entity]['Allow'][
                                                        allowed_iam_entity]['NotResource'][full_path][policy_type]:
                                                self._update_bucket_permissions(s3_info, iam_info, action, iam_entity,
                                                                                allowed_iam_entity, full_path,
                                                                                policy_type,
                                                                                policy)

    def _update_bucket_permissions(self, s3_info, iam_info, action, iam_entity, allowed_iam_entity, full_path,
                                   policy_type,
                                   policy_name):
        global policy
        allowed_buckets = []
        # By default, all buckets are allowed
        for bucket_name in s3_info['buckets']:
            allowed_buckets.append(bucket_name)
        if policy_type == 'InlinePolicies':
            policy = iam_info[iam_entity.title(
            )][allowed_iam_entity]['Policies'][policy_name]['PolicyDocument']
        elif policy_type == 'ManagedPolicies':
            policy = iam_info['ManagedPolicies'][policy_name]['PolicyDocument']
        else:
            print_error('Error, found unknown policy type.')
        for statement in policy['Statement']:
            for target_path in statement['NotResource']:
                parts = target_path.split('/')
                bucket_name = parts[0].split(':')[-1]
                path = '/' + '/'.join(parts[1:]) if len(parts) > 1 else '/'
                if (path == '/' or path == '/*') and (bucket_name in allowed_buckets):
                    # Remove bucket from list
                    allowed_buckets.remove(bucket_name)
                elif bucket_name == '*':
                    allowed_buckets = []
        policy_info = {policy_type: {}}
        policy_info[policy_type][policy_name] = \
            iam_info['permissions']['Action'][action][iam_entity]['Allow'][allowed_iam_entity]['NotResource'][
                full_path][
                policy_type][policy_name]
        for bucket_name in allowed_buckets:
            self._update_iam_permissions(
                s3_info, bucket_name, iam_entity, allowed_iam_entity, policy_info)

    def _update_iam_permissions(self, s3_info, bucket_name, iam_entity, allowed_iam_entity, policy_info):
        if 's3' in self.service_list and 'iam' in self.service_list:  # validate both services were included in run
            if bucket_name != '*' and bucket_name in s3_info['buckets']:
                bucket = s3_info['buckets'][bucket_name]
                manage_dictionary(bucket, iam_entity, {})
                manage_dictionary(bucket, iam_entity + '_count', 0)
                if allowed_iam_entity not in bucket[iam_entity]:
                    bucket[iam_entity][allowed_iam_entity] = {}
                    bucket[iam_entity + '_count'] = bucket[iam_entity + '_count'] + 1

                if 'inline_policies' in policy_info:
                    manage_dictionary(
                        bucket[iam_entity][allowed_iam_entity], 'inline_policies', {})
                    bucket[iam_entity][allowed_iam_entity]['inline_policies'].update(
                        policy_info['inline_policies'])
                if 'policies' in policy_info:
                    manage_dictionary(bucket[iam_entity]
                                      [allowed_iam_entity], 'policies', {})
                    bucket[iam_entity][allowed_iam_entity]['policies'].update(
                        policy_info['policies'])
            elif bucket_name == '*':
                for bucket in s3_info['buckets']:
                    self._update_iam_permissions(
                        s3_info, bucket, iam_entity, allowed_iam_entity, policy_info)
            else:
                # Could be an error or cross-account access, ignore
                pass

    def match_network_acls_and_subnets_callback(self, current_config, path, current_path, acl_id, callback_args):
        for association in current_config['Associations']:
            subnet_path = current_path[:-1] + \
                          ['subnets', association['SubnetId']]
            subnet = get_object_at(self, subnet_path)
            subnet['network_acl'] = acl_id

    def _match_instances_and_subnets(self):
        ec2_instances = self._get_ec2_instances_details(['id', 'vpc', 'region', 'SubnetId'])  # fetch all EC2 instances with only required fields
        for instance in ec2_instances.values():
            subnet = self.services['vpc']['regions'][instance['region']]['vpcs'][instance['vpc']]['subnets'][instance['SubnetId']]  # find the subnet reference
            manage_dictionary(subnet, 'instances', [])  # initialize instances list for the subnet (if not already set)
            if instance['id'] not in subnet['instances']:  # if instance is not already mapped to the subnet
                subnet['instances'].append(instance['id'])  # append EC2 instance ID to instance list in subnet

    def _get_ec2_instances_details(self, details=None):
        """
        Fetches a list of EC2 instances 

        :param details [str]:       (Optional) List of details to be included, if not specified, all details will be included
        :return:                    A dictionary of EC2 instances with the specified details
        """
        ec2_instances = {}
        for ec2_region_id, ec2_region_data in self.services['ec2']['regions'].items():
            if ec2_region_data['instances_count'] > 0:
                for region_vpc_id, region_vpc_data in ec2_region_data['vpcs'].items():
                    if region_vpc_data['instances_count'] > 0:
                        for ec2_instance_id, ec2_instance_data in region_vpc_data['instances'].items():
                            ec2_instances[ec2_instance_id] = ec2_instance_data.copy()
                            ec2_instances[ec2_instance_id]['region'] = ec2_region_id
                            ec2_instances[ec2_instance_id]['vpc'] = region_vpc_id
        if details is not None:
            for instance_key in ec2_instances.keys():
                for detail in list(ec2_instances[instance_key].keys()):
                    if detail not in details:
                        ec2_instances[instance_key].pop(detail, None)
        return ec2_instances

    def _match_instances_and_vpcs(self):
        ec2_instances = self._get_ec2_instances_details(['id', 'vpc', 'region'])  # fetch all EC2 instances with only required fields
        for instance in ec2_instances.values():
            vpc = self.services['vpc']['regions'][instance['region']]['vpcs'][instance['vpc']]  # find the VPC reference
            manage_dictionary(vpc, 'instances', [])  # initialize instances list for the VPC (if not already set)
            if instance['id'] not in vpc['instances']:  # if instance is not already mapped to the VPC
                vpc['instances'].append(instance['id'])  # append EC2 instance ID to instance list in VPC

    def _match_instances_and_roles(self):
        if 'ec2' in self.service_list and 'iam' in self.service_list:  # validate both services were included in run
            ec2_config = self.services['ec2']
            iam_config = self.services['iam']
            role_instances = {}
            for r in ec2_config['regions']:
                for v in ec2_config['regions'][r]['vpcs']:
                    if 'instances' in ec2_config['regions'][r]['vpcs'][v]:
                        for i in ec2_config['regions'][r]['vpcs'][v]['instances']:
                            instance_profile = ec2_config['regions'][r]['vpcs'][v]['instances'][i]['IamInstanceProfile']
                            instance_profile_id = instance_profile['Id'] if instance_profile else None
                            if instance_profile_id:
                                manage_dictionary(
                                    role_instances, instance_profile_id, [])
                                role_instances[instance_profile_id].append(i)
            for role_id in iam_config['roles']:
                iam_config['roles'][role_id]['instances_count'] = 0
                for instance_profile_id in iam_config['roles'][role_id]['instance_profiles']:
                    if instance_profile_id in role_instances:
                        iam_config['roles'][role_id]['instance_profiles'][instance_profile_id]['instances'] = \
                            role_instances[instance_profile_id]
                        iam_config['roles'][role_id]['instances_count'] += len(
                            role_instances[instance_profile_id])

    def _match_lambdas_and_roles(self):
        if self.services.get('awslambda') and self.services.get('iam'):
            awslambda_config = self.services['awslambda']
            iam_config = self.services['iam']
            awslambda_funtions = {}
            for r in awslambda_config['regions']:
                for lambda_function in awslambda_config['regions'][r]['functions']:
                    awslambda_function = awslambda_config['regions'][r]['functions'][lambda_function]
                    awslambda_function['region'] = r
                    if awslambda_function['role_arn'] in awslambda_funtions:
                        awslambda_funtions[awslambda_function['role_arn']][awslambda_function['name']] = awslambda_function
                    else:
                        awslambda_funtions[awslambda_function['role_arn']] = {awslambda_function['name']: awslambda_function}
            for role_id in iam_config['roles']:
                iam_config['roles'][role_id]['awslambdas_count'] = 0
                if iam_config['roles'][role_id]['arn'] in awslambda_funtions:
                    iam_config['roles'][role_id]['awslambdas'] = awslambda_funtions[iam_config['roles'][role_id]['arn']]
                    iam_config['roles'][role_id]['awslambdas_count'] = len(awslambda_funtions[iam_config['roles'][role_id]['arn']])

    def process_vpc_peering_connections_callback(self, current_config, path, current_path, pc_id, callback_args):

        # Create a list of peering connection IDs in each VPC
        info = 'AccepterVpcInfo' if current_config['AccepterVpcInfo'][
                                        'OwnerId'] == self.account_id else 'RequesterVpcInfo'
        region = current_path[current_path.index('regions') + 1]
        vpc_id = current_config[info]['VpcId']
        if vpc_id not in self.services['vpc']['regions'][region]['vpcs']:
            region = current_config['AccepterVpcInfo']['Region']

        # handle edge case where the region wasn't included in the execution
        if region in self.services['vpc']['regions']:
            target = self.services['vpc']['regions'][region]['vpcs'][vpc_id]
            manage_dictionary(target, 'peering_connections', [])
            if pc_id not in target['peering_connections']:
                target['peering_connections'].append(pc_id)

        # VPC information for the peer'd VPC
        current_config['peer_info'] = copy.deepcopy(
            current_config['AccepterVpcInfo' if info == 'RequesterVpcInfo' else 'RequesterVpcInfo'])
        if 'PeeringOptions' in current_config['peer_info']:
            current_config['peer_info'].pop('PeeringOptions')
        if hasattr(self, 'organization') and current_config['peer_info']['OwnerId'] in self.organization:
            current_config['peer_info']['name'] = self.organization[current_config['peer_info']['OwnerId']][
                'Name']
        else:
            current_config['peer_info']['name'] = current_config['peer_info']['OwnerId']

    def match_roles_and_cloudformation_stacks_callback(self,
                                                       current_config, path, current_path, stack_id, callback_args):
        try:
            if 'RoleARN' not in current_config:
                return
            role_arn = current_config.pop('RoleARN')
            current_config['iam_role'] = self._get_role_info('arn', role_arn)
        except Exception as e:
            print_exception(f'Unable to match roles and CloudFormation stacks: {e}')

    def match_roles_and_vpc_flowlogs_callback(self, current_config, path, current_path, flowlog_id, callback_args):
        if 'DeliverLogsPermissionArn' not in current_config:
            return
        delivery_role_arn = current_config.pop('DeliverLogsPermissionArn')
        current_config['delivery_role'] = self._get_role_info(
            'arn', delivery_role_arn)

    def _get_role_info(self, attribute_name, attribute_value):
        try:
            iam_role_info = {'name': None, 'id': None}
            for role_id in self.services['iam'].get('roles', []):
                if self.services['iam']['roles'][role_id][attribute_name] == attribute_value:
                    iam_role_info['name'] = self.services['iam']['roles'][role_id]['name']
                    iam_role_info['id'] = role_id
                    break
            return iam_role_info
        except Exception as e:
            print_exception(f'Unable to get role info for attribute {attribute_name} with value {attribute_value}: {e}')

    def match_security_groups_and_resources_callback(self, current_config, path, current_path, resource_id,
                                                     callback_args):
        """
        Record, on every security group a resource uses, that the resource uses it.

        The usage is stored on the EC2 security group as
        sg['used_by'][<service>]['resource_type'][<resource type>], either as a list of
        {'id', 'name'} entries or, when a status is available, as one such list per status.

        Failures while resolving a group are caught and, apart from the cases silenced in the handler,
        reported through `print_exception`; they do not stop the run.

        :param current_config:      Unused
        :param path:                Unused
        :param current_path:        Path of the resource collection being visited
        :param resource_id:         ID of the resource being visited
        :param callback_args:       Requires 'sg_list_attribute_name'; 'sg_id_attribute_name' is required when
                                    the groups are dictionaries; 'resource_id_path' and 'status_path' are optional
        """
        if 'ec2' in self.service_list:  # validate that the service was included in run
            service = current_path[1]
            original_resource_path = combine_paths(
                copy.deepcopy(current_path), [resource_id])
            resource = get_object_at(self, original_resource_path)
            # Work out which ID and type the usage is recorded under
            if 'resource_id_path' not in callback_args:
                resource_type = current_path[-1]
                resource_path = copy.deepcopy(current_path)
                resource_path.append(resource_id)
            else:
                resource_path = combine_paths(copy.deepcopy(
                    current_path), callback_args['resource_id_path'])
                resource_id = resource_path[-1]
                resource_type = resource_path[-2]
            if 'status_path' in callback_args:
                status_path = combine_paths(copy.deepcopy(
                    original_resource_path), callback_args['status_path'])
                obj = get_object_at(self, status_path)
                if obj:
                    # Dots are replaced with underscores before the status is used as a dictionary key
                    resource_status = obj.replace('.', '_')
                else:
                    resource_status = obj
            else:
                resource_status = None
            # When the path has no 'vpcs' level, the VPC is looked up through self.sg_map instead
            unknown_vpc_id = True if current_path[4] != 'vpcs' else False
            # Issue 89 & 91 : can instances have no security group?
            try:
                try:
                    sg_attribute = get_object_at(
                        resource, callback_args['sg_list_attribute_name'])
                except Exception as e:
                    # The resource has no security group attribute: nothing to record, and nothing is logged
                    return
                if type(sg_attribute) != list:
                    sg_attribute = [sg_attribute]
                for resource_sg in sg_attribute:
                    if type(resource_sg) == dict:
                        sg_id = resource_sg[callback_args['sg_id_attribute_name']]
                    else:
                        sg_id = resource_sg
                    if unknown_vpc_id and sg_id:
                        # A group ID missing from self.sg_map raises KeyError here, handled by the outer except
                        vpc_id = self.sg_map[sg_id]['vpc_id']
                        sg_base_path = copy.deepcopy(current_path[0:4])
                        sg_base_path[1] = 'ec2'
                        sg_base_path = sg_base_path + \
                                       ['vpcs', vpc_id, 'security_groups']
                    else:
                        sg_base_path = copy.deepcopy(current_path[0:6])
                        sg_base_path[1] = 'ec2'
                        sg_base_path.append('security_groups')
                    sg_path = copy.deepcopy(sg_base_path)
                    sg_path.append(sg_id)
                    sg = get_object_at(self, sg_path)
                    # Add usage information
                    manage_dictionary(sg, 'used_by', {})
                    manage_dictionary(sg['used_by'], service, {})
                    manage_dictionary(sg['used_by'][service], 'resource_type', {})
                    manage_dictionary(sg['used_by'][service]['resource_type'], resource_type, {
                    } if resource_status else [])
                    if resource_status:
                        manage_dictionary(
                            sg['used_by'][service]['resource_type'][resource_type], resource_status, [])
                        # NOTE(review): the list holds {'id', 'name'} dictionaries, so comparing a bare
                        # resource_id against it looks like it can never match - confirm whether this was
                        # meant to prevent duplicate entries
                        if resource_id not in sg['used_by'][service]['resource_type'][resource_type][resource_status]:
                            sg['used_by'][service]['resource_type'][resource_type][resource_status].append(
                                {'id': resource_id, 'name': resource['name']})
                    else:
                        sg['used_by'][service]['resource_type'][resource_type].append(
                            {'id': resource_id, 'name': resource['name']})
            except Exception as e:
                # Two cases are silenced: ELBs under the ec2_classic path segment, and an empty EC2 config
                if resource_type == 'elbs' and current_path[5] == ec2_classic:
                    pass
                elif not self.services['ec2']:  # service not included in run
                    pass
                elif not str(e):
                    print_exception(f'Failed to parse {resource_type}')
                else:
                    print_exception(f'Failed to parse {resource_type}: {e}')

    def _set_emr_vpc_ids(self):
        """Re-home EMR clusters that were filed under the 'EMR-UNKNOWN-VPC' placeholder.

        Runs set_emr_vpc_ids_callback over every region/VPC entry of the EMR
        service, then removes the placeholder entry from each region the
        callback added to 'clear_list'.
        """
        regions_to_clear = []
        callback_args = {'clear_list': regions_to_clear}
        self._go_to_and_do(self.services['emr'],
                           ['regions', 'vpcs'],
                           ['services', 'emr'],
                           self.set_emr_vpc_ids_callback,
                           callback_args)
        # The callback only lists a region once its placeholder holds no clusters.
        for region_name in regions_to_clear:
            region_vpcs = self.services['emr']['regions'][region_name]['vpcs']
            region_vpcs.pop('EMR-UNKNOWN-VPC')

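    def set_emr_vpc_ids_callback(self, current_config, path, current_path, vpc_id, callback_args):
        """Move EMR clusters out of the 'EMR-UNKNOWN-VPC' placeholder into their real VPC.

        The VPC is looked up from the cluster's managed master security group
        (self.sg_map) or, failing that, from its requested subnet ids
        (self.subnet_map). Clusters that cannot be resolved stay under the
        placeholder so they are not lost from the results.

        :param current_config: Configuration of the VPC entry being visited
        :param path: Unused
        :param current_path: Path of the visited entry; index 3 is read as the region
        :param vpc_id: Id of the visited VPC entry; only the placeholder is processed
        :param callback_args: Dict holding 'clear_list', to which the region is appended
                              once the placeholder has no clusters left
        """
        if vpc_id != 'EMR-UNKNOWN-VPC':
            return
        region = current_path[3]
        clusters = current_config['clusters']
        moved_clusters = []
        for cluster_id in clusters:
            cluster = clusters[cluster_id]
            # Reset the lookup state for every cluster. Carrying these values over
            # from the previous iteration could attribute a cluster to the VPC of
            # an unrelated cluster's security group.
            cluster_vpc_id = sg_id = subnet_ids = None
            instance_attributes = cluster['Ec2InstanceAttributes']
            if 'EmrManagedMasterSecurityGroup' in instance_attributes:
                sg_id = instance_attributes['EmrManagedMasterSecurityGroup']
            elif 'RequestedEc2SubnetIds' in instance_attributes:
                subnet_ids = instance_attributes['RequestedEc2SubnetIds']
            else:
                print_warning('Unable to determine VPC id for EMR cluster %s' % str(cluster_id))
                continue
            if sg_id in self.sg_map:
                cluster_vpc_id = self.sg_map[sg_id]['vpc_id']
            else:
                sid_found = False
                for sid in subnet_ids or []:
                    if sid in self.subnet_map:
                        cluster_vpc_id = self.subnet_map[sid]['vpc_id']
                        sid_found = True
                if not sid_found:
                    print_warning('Unable to determine VPC id for %s' % (str(subnet_ids) if subnet_ids else str(sg_id)))
                    continue
            if cluster_vpc_id:
                region_vpcs_config = get_object_at(self, current_path)
                manage_dictionary(region_vpcs_config, cluster_vpc_id, {'clusters': {}})
                region_vpcs_config[cluster_vpc_id]['clusters'][cluster_id] = cluster
                # Recorded once per cluster, and only after the move succeeded: a
                # duplicate entry would make the pop() below raise KeyError, and an
                # entry without a move would drop the cluster from the results.
                moved_clusters.append(cluster_id)
        for cluster_id in moved_clusters:
            clusters.pop(cluster_id)
        if not clusters:
            callback_args['clear_list'].append(region)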

    def sort_vpc_flow_logs_callback(self, current_config, path, current_path, flow_log_id, callback_args):
        """Record a flow log id on the VPC or subnet it is attached to.

        A flow log attached to a VPC is listed on the VPC and on each of its
        subnets; a flow log attached to a subnet is listed on that subnet only.
        Any other resource id prefix is reported with a warning.

        :param current_config: Flow log configuration; its 'resource_id' is read
        :param path: Unused
        :param current_path: Path of the flow log; the first four elements are reused as base path
        :param flow_log_id: Id appended to the 'flow_logs' lists
        :param callback_args: Unused
        """

        def _register(target):
            # Create the list on first use and keep the ids unique.
            manage_dictionary(target, 'flow_logs', [])
            if flow_log_id not in target['flow_logs']:
                target['flow_logs'].append(flow_log_id)

        resource_id = current_config['resource_id']
        if resource_id.startswith('vpc-'):
            vpc_path = combine_paths(current_path[0:4], ['vpcs', resource_id])
            try:
                vpc = get_object_at(self, vpc_path)
            except Exception:
                print_debug(
                    'It appears that the flow log %s is attached to a resource that was previously deleted (%s).' % (
                        flow_log_id, resource_id))
                return
            _register(vpc)
            for subnet_id in vpc['subnets']:
                _register(vpc['subnets'][subnet_id])
        elif resource_id.startswith('subnet-'):
            # NOTE(review): unlike the VPC branch, a subnet id missing from
            # self.subnet_map is not handled here and the lookup would raise.
            owning_vpc_id = self.subnet_map[resource_id]['vpc_id']
            subnet_path = combine_paths(current_path[0:4],
                                        ['vpcs', owning_vpc_id, 'subnets', resource_id])
            _register(get_object_at(self, subnet_path))
        else:
            print_warning('Resource %s attached to flow logs is not handled' % resource_id)

    def get_db_attack_surface(self, current_config, path, current_path, db_id, callback_args):
        """Add a database endpoint to its service's 'external_attack_surface'.

        Redshift and RDS resources are added when 'PubliclyAccessible' is set.
        Any resource exposing a 'ConfigurationEndpoint' is added as well.

        :param current_config: Configuration of the database resource
        :param path: Unused
        :param current_path: Path of the resource; index 1 is read as the service name
        :param db_id: Unused
        :param callback_args: Unused
        """
        service = current_path[1]
        service_config = self.services[service]
        manage_dictionary(service_config, 'external_attack_surface', {})
        publicly_accessible = 'PubliclyAccessible' in current_config and current_config['PubliclyAccessible']
        if service in ('redshift', 'rds') and publicly_accessible:
            endpoint = current_config['Endpoint']
            public_dns = endpoint['Address']
            listeners = [endpoint['Port']]
            sg_ids = [g['VpcSecurityGroupId'] for g in current_config['VpcSecurityGroups']]
        elif 'ConfigurationEndpoint' in current_config:
            # NOTE(review): this branch does not test a public-accessibility flag, so
            # entries recorded here may not be reachable from outside the VPC.
            # TODO : get the proper address
            endpoint = current_config['ConfigurationEndpoint']
            public_dns = endpoint['Address'].replace('.cfg', '')
            listeners = [endpoint['Port']]
            sg_ids = [g['SecurityGroupId'] for g in current_config.get('SecurityGroups', {})]
            # TODO :: Get Redis endpoint information
        else:
            return
        self._security_group_to_attack_surface(service_config['external_attack_surface'], public_dns,
                                               current_path, sg_ids, listeners)

    def get_lb_attack_surface(self, current_config, path, current_path, elb_id, callback_args):
        """Add a load balancer to its service's 'external_attack_surface'.

        Three cases are handled: elbv2 network load balancers, internet-facing
        elbv2 load balancers (resolved through their security groups) and other
        internet-facing load balancers. Failures are reported through
        print_exception and do not propagate.

        :param current_config: Configuration of the load balancer
        :param path: Unused
        :param current_path: Path of the resource; index 1 is read as the service name
        :param elb_id: Unused
        :param callback_args: Unused
        """
        try:
            public_dns = current_config['DNSName']
            service = current_path[1]
            elb_config = self.services[service]
            manage_dictionary(elb_config, 'external_attack_surface', {})
            attack_surface = elb_config['external_attack_surface']
            if service == 'elbv2' and current_config['Type'] == 'network':
                # Network LBs do not have a security group, lookup listeners instead
                # NOTE(review): this branch does not look at 'Scheme', so every listener
                # of a network LB is recorded as open to 0.0.0.0/0.
                manage_dictionary(attack_surface, public_dns, {'protocols': {}})
                protocols = attack_surface[public_dns]['protocols']
                for listener in current_config['listeners']:
                    protocol = current_config['listeners'][listener]['Protocol']
                    manage_dictionary(protocols, protocol, {'ports': {}})
                    manage_dictionary(protocols[protocol]['ports'], listener, {'cidrs': []})
                    protocols[protocol]['ports'][listener]['cidrs'].append({'CIDR': '0.0.0.0/0'})
            elif service == 'elbv2' and current_config['Scheme'] == 'internet-facing':
                attack_surface[public_dns] = {'protocols': {}}
                security_groups = [g['GroupId'] for g in current_config['security_groups']]
                listeners = list(current_config['listeners'])
                self._security_group_to_attack_surface(attack_surface, public_dns,
                                                       current_path, security_groups, listeners)
            elif current_config['Scheme'] == 'internet-facing':
                # Classic ELBs do not have a security group, lookup listeners instead
                manage_dictionary(attack_surface, public_dns, {'protocols': {'TCP': {'ports': {}}}})
                tcp_ports = attack_surface[public_dns]['protocols']['TCP']['ports']
                for listener in current_config['listeners']:
                    manage_dictionary(tcp_ports, listener, {'cidrs': []})
                    tcp_ports[listener]['cidrs'].append({'CIDR': '0.0.0.0/0'})
        except Exception as e:
            print_exception(f'Failed to get LB attack surface: {e}')


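    def _security_group_to_attack_surface(self, attack_surface_config, public_ip, current_path,
                                          security_groups, listeners=None):
        """Copy the ingress CIDRs of the given security groups into an attack-surface entry.

        Without listeners, every ingress port that has CIDRs is copied as-is.
        With listeners, a rule's CIDRs are copied under each listener port that
        falls inside the rule's port range, bounds included. Failures are
        reported through print_exception and do not propagate.

        :param attack_surface_config: Dict that receives the entry for public_ip
        :param public_ip: Key of the entry (an address or DNS name)
        :param current_path: Path of the exposed resource; its first six elements,
                             with the service replaced by 'ec2', locate the security groups
        :param security_groups: Ids of the security groups attached to the resource
        :param listeners: Ports the resource listens on; None is treated as an empty list
        """
        try:
            listeners = [] if listeners is None else listeners
            manage_dictionary(attack_surface_config, public_ip, {'protocols': {}})
            if 'ec2' not in self.service_list:  # validate that the service was included in run
                return
            for sg_id in security_groups:
                sg_path = copy.deepcopy(current_path[0:6])
                sg_path[1] = 'ec2'
                sg_path += ['security_groups', sg_id, 'rules', 'ingress']
                ingress_rules = get_object_at(self, sg_path)
                for p in ingress_rules['protocols']:
                    for port in ingress_rules['protocols'][p]['ports']:
                        port_rule = ingress_rules['protocols'][p]['ports'][port]
                        if len(listeners) == 0 and 'cidrs' in port_rule:
                            manage_dictionary(
                                attack_surface_config[public_ip]['protocols'], p, {'ports': {}})
                            manage_dictionary(attack_surface_config[public_ip]['protocols'][p]['ports'], port,
                                              {'cidrs': []})
                            attack_surface_config[public_ip]['protocols'][p]['ports'][port]['cidrs'] += \
                                port_rule['cidrs']
                            continue
                        ports = port.split('-')
                        if len(ports) > 1:
                            try:
                                # Test the split parts, not the characters of the label.
                                port_min = int(ports[0]) if ports[0] else None
                                port_max = int(ports[1]) if ports[1] else None
                            except ValueError:
                                port_min = port_max = None
                        elif port == 'N/A':
                            port_min = port_max = None
                        elif port == 'ALL':
                            port_min = 0
                            port_max = 65535
                        elif p == 'ICMP':
                            port_min = port_max = None
                        else:
                            port_min = port_max = int(port)
                        if port_min is None or port_max is None or 'cidrs' not in port_rule:
                            continue
                        for listener in listeners:
                            # Inclusive bounds and explicit None tests: a strict
                            # comparison never matches a single-port rule or a range
                            # edge, and a truthiness test discards the 'ALL' rule
                            # because its lower bound is 0. Either would leave
                            # exposed listeners out of the attack surface.
                            if port_min <= int(listener) <= port_max:
                                manage_dictionary(
                                    attack_surface_config[public_ip]['protocols'], p, {'ports': {}})
                                manage_dictionary(attack_surface_config[public_ip]['protocols'][p]['ports'],
                                                  str(listener), {'cidrs': []})
                                attack_surface_config[public_ip]['protocols'][p]['ports'][str(listener)]['cidrs'] += \
                                    port_rule['cidrs']
        except Exception as e:
            print_exception(f'Failed to match SG to attack surface: {e}')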

    def _parse_elb_policies(self):
        """Run parse_elb_policies_callback over every region of the ELB service."""
        elb_config = self.services['elb']
        target_path = ['regions']
        self._go_to_and_do(elb_config, target_path, [], self.parse_elb_policies_callback, {})

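    def parse_elb_policies_callback(self, current_config, path, current_path, region_id, callback_args):
        """Split the attributes of SSL negotiation policies into protocols, options and ciphers.

        The region's 'elb_policies' are stored on the region configuration found
        under ['services', 'elb'] + current_path + [region_id]. Each policy of type
        'SSLNegotiationPolicyType' then gets 'protocols', 'options' and 'ciphers'
        dicts, plus 'reference_security_policy' when that attribute is present.

        :param current_config: Region configuration holding 'elb_policies'
        :param path: Unused
        :param current_path: Path leading to the region
        :param region_id: Name of the region
        :param callback_args: Unused
        """
        region_config = get_object_at(self, ['services', 'elb', ] + current_path + [region_id])
        region_config['elb_policies'] = current_config['elb_policies']
        protocol_attributes = ['Protocol-SSLv3', 'Protocol-TLSv1', 'Protocol-TLSv1.1', 'Protocol-TLSv1.2']
        for policy_id in region_config['elb_policies']:
            policy = region_config['elb_policies'][policy_id]
            if policy['PolicyTypeName'] != 'SSLNegotiationPolicyType':
                continue
            # protocols, options, ciphers
            protocols = {}
            options = {}
            ciphers = {}
            for attribute in policy['PolicyAttributeDescriptions']:
                name = attribute['AttributeName']
                value = attribute['AttributeValue']
                if name in protocol_attributes:
                    protocols[name] = value
                elif name == 'Server-Defined-Cipher-Order':
                    options[name] = value
                elif name == 'Reference-Security-Policy':
                    policy['reference_security_policy'] = value
                else:
                    # Every attribute not recognised above is filed as a cipher,
                    # including any protocol attribute missing from the list.
                    ciphers[name] = value
            # Assigned once, after the loop, so a policy with an empty attribute
            # list still carries the three keys.
            policy['protocols'] = protocols
            policy['options'] = options
            policy['ciphers'] = ciphers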

    def _update_sg_usage_codebuild(self):
        """Record CodeBuild projects on the EC2 security groups they use.

        For every build project that has both a 'vpc' and 'security_groups', an
        {'id': <arn>, 'name': <name>} entry is appended to the security group's
        used_by -> resource_type -> codebuild_project list. Any failure is
        reported through print_exception and ends the whole update.
        """
        try:
            codebuild_regions = self.services['codebuild']['regions']
            for region in codebuild_regions:
                build_projects = codebuild_regions[region]['build_projects']
                for project_id in build_projects:
                    cb_project = build_projects[project_id]
                    if 'vpc' not in cb_project or 'security_groups' not in cb_project:
                        continue
                    for cb_project_sg in cb_project['security_groups']:
                        vpc_security_groups = \
                            self.services['ec2']['regions'][region]['vpcs'][cb_project['vpc']]['security_groups']
                        security_group = vpc_security_groups[cb_project_sg]
                        # NOTE(review): the default below only applies when 'used_by' is
                        # absent; an existing 'used_by' without 'resource_type' makes the
                        # append raise, which the handler below reports.
                        manage_dictionary(security_group, 'used_by', {'resource_type': {'codebuild_project': []}})
                        security_group['used_by']['resource_type']['codebuild_project'].append({
                            'id': cb_project['arn'], 'name': cb_project['name']
                        })
        except Exception as e:
            print_exception(f'Failed to update security group usage for CodeBuild: {e}')


================================================
FILE: ScoutSuite/providers/aws/resources/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/acm/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/acm/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .certificates import Certificates


class Certificates(Regions):
    """Region-scoped container for the ACM service.

    NOTE(review): this class has the same name as the child class imported from
    .certificates. The _children entry is evaluated while the class body runs,
    so it refers to the imported child class; once the class statement
    completes, the module-level name refers to this container instead.
    """

    _children = [(Certificates, 'certificates')]

    def __init__(self, facade: AWSFacade):
        service_name = 'acm'
        super().__init__(service_name, facade)


================================================
FILE: ScoutSuite/providers/aws/resources/acm/certificates.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources

from ScoutSuite.providers.utils import get_non_provider_id


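class Certificates(AWSResources):
    """ACM certificates of one region, keyed by an id derived from the domain name."""

    def __init__(self, facade: AWSFacade, region: str):
        """
        :param facade: AWS facade forwarded to the AWSResources initializer
        :param region: Region whose certificates fetch_all() requests
        """
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's certificates through the facade and store each parsed one."""
        raw_certificates = await self.facade.acm.get_certificates(self.region)
        for raw_certificate in raw_certificates:
            name, resource = self._parse_certificate(raw_certificate)
            self[name] = resource

    def _parse_certificate(self, raw_certificate):
        """Add 'name', 'id' and 'arn' to the raw certificate, in place.

        :param raw_certificate: Certificate description returned by the facade
        :return: Tuple (id, certificate)
        """
        raw_certificate['name'] = raw_certificate.get('DomainName')
        # NOTE(review): the id is derived from the domain name alone, so two
        # certificates issued for the same domain map to the same key.
        raw_certificate['id'] = get_non_provider_id(raw_certificate['name'])
        # Use the certificate's own ARN; the domain name is kept only as a
        # fallback for responses that carry no 'CertificateArn'.
        raw_certificate['arn'] = raw_certificate.get('CertificateArn', raw_certificate.get('DomainName'))

        return raw_certificate['id'], raw_certificate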


================================================
FILE: ScoutSuite/providers/aws/resources/awslambda/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/awslambda/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .functions import Functions


class Lambdas(Regions):
    """Region-scoped container for the Lambda service; each region holds 'functions'."""

    _children = [(Functions, 'functions')]

    def __init__(self, facade: AWSFacade):
        service_name = 'lambda'
        super().__init__(service_name, facade)


================================================
FILE: ScoutSuite/providers/aws/resources/awslambda/functions.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class Functions(AWSResources):
    """Lambda functions of one region, keyed by an id derived from the function name."""

    def __init__(self, facade: AWSFacade, region: str):
        """
        :param facade: AWS facade forwarded to the AWSResources initializer
        :param region: Region whose functions fetch_all() requests
        """
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's functions through the facade and store each parsed one."""
        for raw_function in await self.facade.awslambda.get_functions(self.region):
            function_id, function_dict = await self._parse_function(raw_function)
            self[function_id] = function_dict

    async def _parse_function(self, raw_function):
        """Build the stored representation of one function.

        :param raw_function: Function description returned by the facade
        :return: Tuple (id, function_dict)
        """
        # (stored key, key in the raw description), in the order they are stored.
        copied_fields = (
            ('name', 'FunctionName'),
            ('arn', 'FunctionArn'),
            ('runtime', 'Runtime'),
            ('handler', 'Handler'),
            ('code_size', 'CodeSize'),
            ('description', 'Description'),
            ('timeout', 'Timeout'),
            ('memory_size', 'MemorySize'),
            ('last_modified', 'LastModified'),
            ('code_sha256', 'CodeSha256'),
            ('version', 'Version'),
            ('tracing_config', 'TracingConfig'),
            ('revision_id', 'RevisionId'),
        )
        function_dict = {stored: raw_function.get(source) for stored, source in copied_fields}

        await self._add_role_information(function_dict, raw_function.get('Role'))
        await self._add_access_policy_information(function_dict)
        await self._add_env_variables(function_dict)

        return get_non_provider_id(function_dict['name']), function_dict

    async def _add_role_information(self, function_dict, role_id):
        """Attach the execution role and a flat list of its policy statements.

        :param function_dict: Function representation, updated in place
        :param role_id: Value of the function's 'Role'; the text after the last '/'
                        is used as the role name
        """
        # Make it easier to build rules based on policies attached to execution roles
        function_dict['role_arn'] = role_id
        role_name = role_id.rsplit("/", 1)[-1]
        execution_role = await self.facade.awslambda.get_role_with_managed_policies(role_name)
        function_dict['execution_role'] = execution_role
        if not execution_role:
            return
        statements = []
        for policy in execution_role.get('policies'):
            if 'Document' in policy and 'Statement' in policy['Document']:
                # NOTE(review): extending assumes 'Statement' is a list; a single
                # statement given as a dict would contribute its keys instead.
                # Confirm what the facade returns.
                statements.extend(policy['Document']['Statement'])
        execution_role['policy_statements'] = statements

    async def _add_access_policy_information(self, function_dict):
        """Attach the function's access policy, or an empty policy when there is none.

        :param function_dict: Function representation, updated in place
        """
        access_policy = await self.facade.awslambda.get_access_policy(function_dict['name'], self.region)
        # If there's no policy, set an empty one
        empty_policy = {'Version': '2012-10-17',
                        'Id': 'default',
                        'Statement': []}
        function_dict['access_policy'] = access_policy if access_policy else empty_policy

    async def _add_env_variables(self, function_dict):
        """Attach the function's environment variables, plus separate name and value lists.

        The values are copied verbatim. Environment variables can hold
        credentials, so anything that persists or displays function_dict should
        be handled as sensitive.

        :param function_dict: Function representation, updated in place
        """
        env_variables = await self.facade.awslambda.get_env_variables(function_dict['name'], self.region)
        function_dict["env_variables"] = env_variables
        # The following properties are for easier rule creation
        names, values = [], []
        if env_variables:
            names = list(env_variables.keys())
            values = list(env_variables.values())
        function_dict["env_variable_names"] = names
        function_dict["env_variable_values"] = values


================================================
FILE: ScoutSuite/providers/aws/resources/base.py
================================================
"""This module provides implementations for Resources and CompositeResources for AWS."""

import abc

from ScoutSuite.providers.base.resources.base import Resources, CompositeResources


class AWSResources(Resources, metaclass=abc.ABCMeta):
    """Base class for AWS resources; adds nothing to Resources beyond the type itself."""


class AWSCompositeResources(AWSResources, CompositeResources, metaclass=abc.ABCMeta):
    """Collection of AWSResources.

    Classes extending AWSCompositeResources should define a "_children"
    attribute: a list of tuples describing the children. Each tuple is expected
    to follow the format (<child_class>, <child_name>), where child_name is the
    name under which the child is stored in the parent object.
    """


================================================
FILE: ScoutSuite/providers/aws/resources/cloudformation/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/cloudformation/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions
from .stacks import Stacks


class CloudFormation(Regions):
    """Region-scoped container for the CloudFormation service; each region holds 'stacks'."""

    _children = [(Stacks, 'stacks')]

    def __init__(self, facade: AWSFacade):
        service_name = 'cloudformation'
        super().__init__(service_name, facade)


================================================
FILE: ScoutSuite/providers/aws/resources/cloudformation/stacks.py
================================================
import re

from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


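class Stacks(AWSResources):
    """CloudFormation stacks of one region, keyed by an id derived from the stack name."""

    def __init__(self, facade: AWSFacade, region: str):
        """
        :param facade: AWS facade forwarded to the AWSResources initializer
        :param region: Region whose stacks fetch_all() requests
        """
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's stacks through the facade and store each parsed one."""
        raw_stacks = await self.facade.cloudformation.get_stacks(self.region)
        for raw_stack in raw_stacks:
            name, stack = self._parse_stack(raw_stack)
            self[name] = stack

    def _parse_stack(self, raw_stack):
        """Normalise a raw stack description in place.

        :param raw_stack: Stack description returned by the facade; it must carry
                          'StackId', 'StackName', 'DriftInformation' and 'template'
        :return: Tuple (id, stack)
        """
        raw_stack['id'] = raw_stack.pop('StackId')
        raw_stack['name'] = raw_stack.pop('StackName')
        raw_stack['drifted'] = raw_stack.pop('DriftInformation')[
                                   'StackDriftStatus'] == 'DRIFTED'
        raw_stack['termination_protection'] = raw_stack.get('EnableTerminationProtection', False)
        raw_stack['arn'] = raw_stack['id']
        raw_stack['notificationARNs'] = raw_stack.get('NotificationARNs', [])
        template = raw_stack.pop('template')
        raw_stack['deletion_policy'] = self.has_deletion_policy(template)

        # NOTE(review): this looks at the template's top-level sections, not at
        # its resources, and replaces the boolean above with the matching
        # section. Confirm whether that is intended.
        if hasattr(template, 'keys'):
            for group in template.keys():
                if 'DeletionPolicy' in template[group]:
                    raw_stack['deletion_policy'] = template[group]
                    break

        return get_non_provider_id(raw_stack['name']), raw_stack

    @staticmethod
    def has_deletion_policy(template):
        """
        Tell whether a stack template protects its resources with a deletion policy.

        For a dict template, every entry under 'Resources' must carry a
        'DeletionPolicy' other than 'Delete'. For a string template, the text
        must contain a quoted "DeletionPolicy" key and no
        "DeletionPolicy": "Delete" pair.

        :param template: The api response containing the stack's template
        :return: False when a resource would be deleted together with the stack, True otherwise
        """
        # NOTE(review): a template that is neither a dict nor a string (for
        # example one that could not be retrieved) is reported as protected.
        has_dp = True
        # If a resource is found to not have a deletion policy or have it set to delete, the boolean is switched
        # to false to indicate that the resource will be deleted once the stack is deleted
        if isinstance(template, dict):
            resources = template['Resources']
            for group in resources.keys():
                if 'DeletionPolicy' in resources[group]:
                    if resources[group]['DeletionPolicy'] == 'Delete':
                        has_dp = False
                else:
                    has_dp = False
        elif isinstance(template, str):
            # re.search scans the whole document; re.match only tests its first
            # characters, so the key was never found in a complete template.
            # NOTE(review): both patterns require double-quoted JSON keys, so a
            # template body in another syntax is reported as unprotected.
            if re.search(r'\"DeletionPolicy\"\s*:\s*\"Delete\"', template):
                has_dp = False
            elif not re.search(r'\"DeletionPolicy\"', template):
                has_dp = False
        return has_dp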


================================================
FILE: ScoutSuite/providers/aws/resources/cloudfront/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/cloudfront/base.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.cloudfront.distributions import Distributions

from .distributions import Distributions


class CloudFront(AWSCompositeResources):
    """Container for the CloudFront service; holds 'distributions' directly, with no region level."""

    _children = [(Distributions, 'distributions')]

    def __init__(self, facade: AWSFacade):
        super().__init__(facade)
        self.service = 'cloudfront'

    async def fetch_all(self, partition_name='aws', **kwargs):
        """Fetch all children into this object.

        :param partition_name: Accepted but not used here
        :param kwargs: Accepted but not used here
        """
        await self._fetch_children(self)


================================================
FILE: ScoutSuite/providers/aws/resources/cloudfront/distributions.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class Distributions(AWSResources):
    """CloudFront distributions, keyed by their distribution id."""

    async def fetch_all(self):
        """Fetch the distributions through the facade and store each parsed one."""
        for raw_distribution in await self.facade.cloudfront.get_distributions():
            distribution_id, distribution = self._parse_distributions(raw_distribution)
            self[distribution_id] = distribution

    def _parse_distributions(self, raw_distribution):
        """Build the stored representation of one distribution.

        :param raw_distribution: Distribution description returned by the facade
        :return: Tuple (id, distribution_dict); the 'Id' value is used as both id and name
        """
        distribution_id = raw_distribution.get('Id')
        distribution_dict = {'id': distribution_id, 'name': distribution_id}
        # (stored key, key in the raw description), in the order they are stored.
        copied_fields = (
            ('arn', 'ARN'),
            ('aliases', 'Aliases'),
            ('status', 'Status'),
            ('cache_behaviors', 'CacheBehaviors'),
            ('restrictions', 'Restrictions'),
            ('origins', 'Origins'),
            ('domain_name', 'DomainName'),
            ('web_acl_id', 'WebACLId'),
            ('price_class', 'PriceClass'),
            ('enabled', 'Enabled'),
            ('default_cache_behavior', 'DefaultCacheBehavior'),
            ('is_ipv6_enabled', 'IsIPV6Enabled'),
            ('comment', 'Comment'),
            ('http_version', 'HttpVersion'),
            ('viewer_certificate', 'ViewerCertificate'),
            ('custom_error_responses', 'CustomErrorResponses'),
            ('last_modified_time', 'LastModifiedTime'),
            ('origin_groups', 'OriginGroups'),
        )
        for stored, source in copied_fields:
            distribution_dict[stored] = raw_distribution.get(source)
        return distribution_dict['id'], distribution_dict



================================================
FILE: ScoutSuite/providers/aws/resources/cloudtrail/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/cloudtrail/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .trails import Trails


class CloudTrail(Regions):
    """CloudTrail service container; each region holds its trails under the ``trails`` key."""

    _children = [
        (Trails, 'trails'),
    ]

    def __init__(self, facade: AWSFacade):
        super().__init__('cloudtrail', facade)

    async def finalize(self):
        """Set service-wide flags describing global service event logging.

        ``IncludeGlobalServiceEvents`` is True when at least one counted trail both includes
        global service events and is logging; ``DuplicatedGlobalServiceEvents`` is True when
        more than one does.
        """
        logging_global_events = []

        for region in self['regions']:
            trails = self['regions'][region]['trails']
            for trail_id, trail in trails.items():
                # An entry whose HomeRegion differs from the region it is listed under is only
                # a reference to a multi-region trail; it is counted in its home region instead.
                listed_in_home_region = 'HomeRegion' not in trail or trail['HomeRegion'] == region
                if not listed_in_home_region:
                    continue
                if trail['IncludeGlobalServiceEvents'] and trail['IsLogging']:
                    logging_global_events.append((region, trail_id))

        matching_trails = len(logging_global_events)
        self['IncludeGlobalServiceEvents'] = matching_trails > 0
        self['DuplicatedGlobalServiceEvents'] = matching_trails > 1


================================================
FILE: ScoutSuite/providers/aws/resources/cloudtrail/trails.py
================================================
import time

from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


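class Trails(AWSResources):
    """CloudTrail trails as seen from a single region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's trails through the facade and store each parsed trail under its id."""
        raw_trails = await self.facade.cloudtrail.get_trails(self.region)
        for raw_trail in raw_trails:
            name, resource = self._parse_trail(raw_trail)
            self[name] = resource

    def _parse_trail(self, raw_trail):
        """Build the report entry for one trail.

        :param raw_trail: trail description returned by the facade; its ``Name`` key is
                          popped, so the caller's dict is modified.
        :return: ``(trail_id, trail)``. For a multi-region trail whose home region is not
                 this region, ``trail`` is a short reference entry carrying a ``scout_link``
                 to the entry in the home region.
        """
        trail = {'name': raw_trail.pop('Name')}
        trail_id = get_non_provider_id(trail['name'])

        trail['arn'] = raw_trail.get('TrailARN')
        trail['is_organization_trail'] = raw_trail.get('IsOrganizationTrail')
        trail['home_region'] = raw_trail.get('HomeRegion')

        # Do not duplicate entries for multi-region trails: outside the home region only a
        # reference to the full entry is kept.
        if raw_trail.get('IsMultiRegionTrail') and raw_trail['HomeRegion'] != self.region:
            for key in ['HomeRegion', 'TrailARN']:
                trail[key] = raw_trail[key]
            trail['scout_link'] = 'services.cloudtrail.regions.{}.trails.{}'.format(raw_trail['HomeRegion'], trail_id)
            return trail_id, trail

        # Full entry: keep every remaining raw attribute under its original key.
        trail.update(raw_trail)
        trail['bucket_id'] = get_non_provider_id(trail.pop('S3BucketName'))
        for key in ['IsMultiRegionTrail', 'LogFileValidationEnabled']:
            trail.setdefault(key, False)

        # Make sure these keys always exist so later consumers can read them unconditionally.
        for key in ['KmsKeyId', 'IsLogging', 'LatestDeliveryTime', 'LatestDeliveryError', 'StartLoggingTime',
                    'StopLoggingTime', 'LatestNotificationTime', 'LatestNotificationError',
                    'LatestCloudWatchLogsDeliveryError', 'LatestCloudWatchLogsDeliveryTime']:
            trail.setdefault(key, None)

        # NOTE(review): the original comment at this point read "using trail ARN instead of name
        # as with Organizations the trail would be located in another account"; nothing in this
        # method performs that lookup, so it presumably describes how the facade fetched the
        # event selectors - confirm.
        trail['wildcard_data_logging'] = self.data_logging_status(trail)

        # NOTE(review): each selector overwrites the two flags, so only the last event selector
        # decides them; confirm whether "any selector" was intended.
        for event_selector in trail.get('EventSelectors', []):
            trail['DataEventsEnabled'] = len(event_selector['DataResources']) > 0
            trail['ManagementEventsEnabled'] = event_selector['IncludeManagementEvents']

        return trail_id, trail

    def data_logging_status(self, trail):
        """Return True when the trail logs data events for all S3 objects or all Lambda functions.

        A selector counts only if one of its ``DataResources`` entries is exactly the S3 or
        Lambda wildcard dict below, the trail is logging, and :meth:`is_fresh` accepts it.
        The comparison is dict equality, so an entry with additional values does not match.
        """
        wildcards = (
            {'Values': ['arn:aws:s3'], 'Type': 'AWS::S3::Object'},
            {'Values': ['arn:aws:lambda'], 'Type': 'AWS::Lambda::Function'},
        )
        for event_selector in trail.get('EventSelectors', []):
            data_resources = event_selector['DataResources']
            has_wildcard = wildcards[0] in data_resources or wildcards[1] in data_resources
            is_logging = trail['IsLogging']
            if has_wildcard and is_logging and self.is_fresh(trail):
                return True
        return False

    @staticmethod
    def is_fresh(trail_details):
        """Return True when the latest CloudWatch Logs delivery is recent enough.

        :param trail_details: trail dict; ``LatestCloudWatchLogsDeliveryTime`` is assumed to
                              be a ``datetime`` (TODO confirm against the facade).
        :return: False when no delivery time is recorded, otherwise the result of the age test.
        """
        latest_delivery = trail_details.get('LatestCloudWatchLogsDeliveryTime')
        if not latest_delivery:
            return False
        # datetime.timestamp() replaces strftime("%s"): "%s" is a platform-specific extension
        # that is missing on some systems and ignores the datetime's tzinfo.
        delivery_time = int(latest_delivery.timestamp())
        # NOTE(review): the age in seconds is divided by 1440 and compared with 24, which accepts
        # deliveries up to 34,560 seconds (9.6 hours) old. If a 24-hour window was intended the
        # divisor should be 3600 - left unchanged pending confirmation.
        delivery_age = (int(time.time()) - delivery_time) / 1440
        return delivery_age <= 24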


================================================
FILE: ScoutSuite/providers/aws/resources/cloudwatch/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/cloudwatch/alarms.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class Alarms(AWSResources):
    """CloudWatch alarms of a single region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's alarms through the facade and store each one under its id."""
        for raw_alarm in await self.facade.cloudwatch.get_alarms(self.region):
            alarm_id, alarm = self._parse_alarm(raw_alarm)
            self[alarm_id] = alarm

    def _parse_alarm(self, raw_alarm):
        """Normalise one raw alarm in place and return ``(alarm_id, raw_alarm)``.

        ``AlarmArn`` and ``AlarmName`` are renamed to ``arn`` and ``name``; the id is derived
        from the ARN with ``get_non_provider_id``.
        """
        raw_alarm['arn'] = raw_alarm.pop('AlarmArn')
        raw_alarm['name'] = raw_alarm.pop('AlarmName')

        # Drop some data: state and timestamp details are not kept.
        dropped_keys = ('AlarmConfigurationUpdatedTimestamp', 'StateReason', 'StateReasonData',
                        'StateUpdatedTimestamp')
        for dropped_key in dropped_keys:
            raw_alarm.pop(dropped_key, None)

        return get_non_provider_id(raw_alarm['arn']), raw_alarm


================================================
FILE: ScoutSuite/providers/aws/resources/cloudwatch/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .alarms import Alarms
from .metric_filters import MetricFilters


class CloudWatch(Regions):
    """CloudWatch service container; each region holds ``alarms`` and ``metric_filters``."""

    _children = [
        (Alarms, 'alarms'),
        (MetricFilters, 'metric_filters'),
    ]

    def __init__(self, facade: AWSFacade):
        super().__init__('cloudwatch', facade)

    async def finalize(self):
        """Record, per region, which monitoring patterns are covered by a metric filter.

        ``metric_filters_pattern_checks`` maps each check name to True when some metric filter
        in the region has exactly the expected pattern string, False otherwise.

        NOTE(review): the comparison is string equality, so a filter that expresses the same
        condition with different spacing, quoting or ordering is reported as not covered.
        """
        # (check name, expected filter pattern); the order is the key order of the result dict.
        expected_patterns = (
            ('unauthorized_api_calls',
             "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"),
            ('console_login_mfa',
             "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"),
            ('root_usage',
             "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"),
            ('iam_policy_changes',
             "{ ($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy) }"),
            ('cloudtrail_configuration_changes',
             "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"),
            ('console_authentication_failures',
             "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"),
            ('cmk_deletion',
             "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"),
            ('s3_policy_changes',
             "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketReplication)) }"),
            ('aws_configuration_changes',
             "{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) || ($.eventName = PutConfigurationRecorder)) }"),
            ('security_group_changes',
             "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"),
            ('nacl_changes',
             "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"),
            ('network_gateways_changes',
             "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"),
            ('route_table_changes',
             "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"),
            ('vpc_changes',
             "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"),
        )

        # For each region, check if at least one metric filter covers the desired events
        for region in self['regions']:
            # Every check starts as "not covered".
            self['regions'][region]['metric_filters_pattern_checks'] = {
                check_name: False for check_name, _ in expected_patterns
            }
            checks = self['regions'][region]['metric_filters_pattern_checks']
            for metric_filter in self['regions'][region]['metric_filters'].values():
                observed_pattern = metric_filter['pattern']
                for check_name, expected_pattern in expected_patterns:
                    if observed_pattern == expected_pattern:
                        checks[check_name] = True
                   

================================================
FILE: ScoutSuite/providers/aws/resources/cloudwatch/metric_filters.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.aws.utils import format_arn


class MetricFilters(AWSResources):
    """Metric filters of a single region, as returned by the CloudWatch facade."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        # Fixed components used when building each filter's ARN.
        self.service = 'cloudwatch'
        self.resource_type = 'metric-filter'

    async def fetch_all(self):
        """Fetch the region's metric filters and store each parsed filter under its id."""
        raw_metric_filters = await self.facade.cloudwatch.get_metric_filters(self.region)
        for raw_metric_filter in raw_metric_filters:
            filter_id, metric_filter = self._parse_metric_filter(raw_metric_filter)
            self[filter_id] = metric_filter

    def _parse_metric_filter(self, raw_metric_filter):
        """Return ``(id, metric_filter_dict)`` for one raw metric filter.

        The id is derived from the filter name concatenated with its creation time.
        """
        filter_name = raw_metric_filter.get('filterName')
        creation_time = raw_metric_filter.get('creationTime')
        metric_filter_dict = {
            'id': get_non_provider_id('{}{}'.format(filter_name, creation_time)),
            'name': filter_name,
            'creation_time': creation_time,
            'pattern': raw_metric_filter.get('filterPattern'),
            'metric_transformations': raw_metric_filter.get('metricTransformations'),
            'log_group_name': raw_metric_filter.get('logGroupName'),
            # The account component of the ARN is passed as an empty string.
            'arn': format_arn(self.partition, self.service, self.region, '', filter_name,
                              self.resource_type),
        }
        return metric_filter_dict['id'], metric_filter_dict




================================================
FILE: ScoutSuite/providers/aws/resources/codebuild/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/codebuild/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .build_projects import BuildProjects


class CodeBuild(Regions):
    """CodeBuild service container; each region holds its ``build_projects``."""

    _children = [
        (BuildProjects, 'build_projects'),
    ]

    def __init__(self, facade: AWSFacade):
        service_name = 'codebuild'
        super().__init__(service_name, facade)


================================================
FILE: ScoutSuite/providers/aws/resources/codebuild/build_projects.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class BuildProjects(AWSResources):
    """CodeBuild projects of a single region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's build projects and store each one under its ARN."""
        project_batches = await self.facade.codebuild.get_projects(self.region)
        for project_batch in project_batches:
            # Each element returned by the facade carries its projects under 'projects'.
            for raw_project in project_batch.get('projects'):
                project_id, build_project = self._parse_build_projects(raw_project)
                self[project_id] = build_project

    def _parse_build_projects(self, raw_build_project):
        """Return ``(id, project_dict)`` for one raw project; the ARN doubles as the id.

        VPC, subnet and security group details are added only when the project has a
        ``vpcConfig``.
        """
        project_arn = raw_build_project.get('arn')
        project_dict = {
            'id': project_arn,
            'arn': project_arn,
            'name': raw_build_project.get('name'),
        }
        if 'vpcConfig' in raw_build_project:
            vpc_config = raw_build_project.get('vpcConfig')
            project_dict['vpc'] = vpc_config.get('vpcId')
            project_dict['subnets'] = vpc_config.get('subnets')
            project_dict['security_groups'] = vpc_config.get('securityGroupIds')
        return project_dict['id'], project_dict


================================================
FILE: ScoutSuite/providers/aws/resources/config/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/config/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.config.recorders import Recorders
from ScoutSuite.providers.aws.resources.config.rules import Rules
from ScoutSuite.providers.aws.resources.regions import Regions


class Config(Regions):
    """AWS Config service container; each region holds ``recorders`` and ``rules``."""

    _children = [
        (Recorders, 'recorders'),
        (Rules, 'rules'),
    ]

    def __init__(self, facade: AWSFacade):
        service_name = 'config'
        super().__init__(service_name, facade)


================================================
FILE: ScoutSuite/providers/aws/resources/config/recorders.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class Recorders(AWSResources):
    """AWS Config configuration recorders of a single region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's recorders and store each parsed recorder under its id."""
        for raw_recorder in await self.facade.config.get_recorders(self.region):
            recorder_id, recorder = self._parse_recorder(raw_recorder)
            self[recorder_id] = recorder

    def _parse_recorder(self, raw_recorder):
        """Return ``(id, recorder)`` for one raw recorder.

        ``name``, ``roleARN``, ``recordingGroup`` and the ``recording`` flag of
        ``ConfigurationRecordersStatus`` are required (a missing one raises ``KeyError``);
        the remaining status fields default to None.
        """
        recorder = {
            'name': raw_recorder['name'],
            'region': self.region,
            'role_ARN': raw_recorder['roleARN'],
            'recording_group': raw_recorder['recordingGroup'],
        }
        status = raw_recorder['ConfigurationRecordersStatus']
        recorder['enabled'] = status['recording']
        recorder['last_status'] = status.get('lastStatus')
        recorder['last_start_time'] = status.get('lastStartTime')
        recorder['last_status_change_time'] = status.get('lastStatusChangeTime')
        return get_non_provider_id(recorder['name']), recorder


================================================
FILE: ScoutSuite/providers/aws/resources/config/rules.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class Rules(AWSResources):
    """AWS Config rules of a single region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's rules and store each parsed rule under its id."""
        for raw_rule in await self.facade.config.get_rules(self.region):
            rule_id, rule = self._parse_rule(raw_rule)
            self[rule_id] = rule

    def _parse_rule(self, raw_rule):
        """Return ``(id, rule)`` for one raw rule.

        Each listed attribute is popped from ``raw_rule`` (so the caller's dict is modified)
        and defaults to None when absent. The id is derived from the rule name.
        """
        # (key in the parsed rule, key in the raw rule), in output order.
        field_map = (
            ('id', 'ConfigRuleId'),
            ('arn', 'ConfigRuleArn'),
            ('name', 'ConfigRuleName'),
            ('description', 'Description'),
            ('scope', 'Scope'),
            ('source', 'Source'),
            ('input_parameters', 'InputParameters'),
            ('maximum_execution_frequency', 'MaximumExecutionFrequency'),
            ('state', 'ConfigRuleState'),
        )
        rule = {parsed_key: raw_rule.pop(raw_key, None) for parsed_key, raw_key in field_map}
        return get_non_provider_id(rule['name']), rule


================================================
FILE: ScoutSuite/providers/aws/resources/directconnect/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/directconnect/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .connections import Connections


class DirectConnect(Regions):
    """Direct Connect service container; each region holds its ``connections``."""

    _children = [
        (Connections, 'connections'),
    ]

    def __init__(self, facade: AWSFacade):
        service_name = 'directconnect'
        super().__init__(service_name, facade)


================================================
FILE: ScoutSuite/providers/aws/resources/directconnect/connections.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import format_arn


class Connections(AWSResources):
    """Direct Connect connections of a single region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        # Fixed components used when building each connection's ARN.
        self.service = 'directconnect'
        self.resource_type = 'connection'

    async def fetch_all(self):
        """Fetch the region's connections and store each one under its connection id."""
        for raw_connection in await self.facade.directconnect.get_connections(self.region):
            connection_id, connection = self._parse_connection(raw_connection)
            self[connection_id] = connection

    def _parse_connection(self, raw_connection):
        """Normalise one raw connection in place and return ``(id, raw_connection)``.

        ``connectionId`` and ``connectionName`` are renamed to ``id`` and ``name``, and an
        ``arn`` is built from the owner account and the connection id.
        """
        connection_id = raw_connection.pop('connectionId')
        raw_connection['id'] = connection_id
        raw_connection['name'] = raw_connection.pop('connectionName')
        raw_connection['arn'] = format_arn(
            self.partition,
            self.service,
            self.region,
            raw_connection.get('ownerAccount'),
            connection_id,
            self.resource_type,
        )
        return connection_id, raw_connection


================================================
FILE: ScoutSuite/providers/aws/resources/dynamodb/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/dynamodb/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions
from .tables import Tables


class DynamoDB(Regions):
    """DynamoDB service container; each region holds its ``tables``."""

    _children = [
        (Tables, 'tables'),
    ]

    def __init__(self, facade: AWSFacade):
        super().__init__('dynamodb', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/dynamodb/tables.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources


class Tables(AWSResources):
    """DynamoDB tables of a single region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's tables and store each parsed table under its table id."""
        for raw_table in await self.facade.dynamodb.get_tables(self.region):
            table_id, table = self._parse_table(raw_table)
            self[table_id] = table

    def _parse_table(self, raw_table):
        """Return ``(table_id, table_dict)`` for one raw table description.

        ``automatic_backups_enabled`` is None when the raw table has no ``ContinuousBackups``
        entry, otherwise whether point-in-time recovery is ``ENABLED``.
        ``sse_enabled`` reflects only the presence of ``SSEDescription``.
        """
        table_dict = {
            'name': raw_table.get('TableName'),
            'id': raw_table.get('TableId'),
            'arn': raw_table.get('TableArn'),
            'attribute_definitions': raw_table.get('AttributeDefinitions'),
            'key_schema': raw_table.get('KeySchema'),
            'table_status': raw_table.get('TableStatus'),
            'creation_date_time': raw_table.get('CreationDateTime'),
            'provisioned_throughput': raw_table.get('ProvisionedThroughput'),
            'table_size_bytes': raw_table.get('TableSizeBytes'),
            'item_count': raw_table.get('ItemCount'),
            'backup_summaries': raw_table.get('BackupSummaries'),
            'continuous_backups': raw_table.get('ContinuousBackups'),
            # Lower-case key, unlike the others - presumably added by the facade; TODO confirm.
            'tags': raw_table.get('tags'),
        }

        if 'ContinuousBackups' in raw_table:
            recovery = raw_table['ContinuousBackups']['PointInTimeRecoveryDescription']
            table_dict['automatic_backups_enabled'] = recovery['PointInTimeRecoveryStatus'] == 'ENABLED'
        else:
            table_dict['automatic_backups_enabled'] = None

        # NOTE(review): the status inside SSEDescription is not inspected here; confirm that
        # presence alone is the intended meaning of "enabled".
        table_dict['sse_enabled'] = 'SSEDescription' in raw_table

        return table_dict['id'], table_dict


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/ami.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.utils import format_arn


class AmazonMachineImages(AWSResources):
    """Machine images (AMIs) of a single region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        # Fixed components used when building each image's ARN.
        self.service = 'ec2'
        self.resource_type = 'amazon-machine-image'

    async def fetch_all(self):
        """Fetch the region's images and store each one under its image id."""
        for raw_image in await self.facade.ec2.get_images(self.region):
            image_id, image = self._parse_image(raw_image)
            self[image_id] = image

    def _parse_image(self, raw_image):
        """Add ``id``, ``name`` and ``arn`` to the raw image in place; return ``(id, raw_image)``."""
        image_id = raw_image.get('ImageId')
        raw_image['id'] = image_id
        raw_image['name'] = raw_image.get('Name')
        raw_image['arn'] = format_arn(
            self.partition,
            self.service,
            self.region,
            raw_image.get('OwnerId'),
            image_id,
            self.resource_type,
        )
        return image_id, raw_image


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/base.py
================================================
from ScoutSuite.providers.aws.resources.ec2.ami import AmazonMachineImages
from ScoutSuite.providers.aws.resources.ec2.snapshots import Snapshots
from ScoutSuite.providers.aws.resources.ec2.volumes import Volumes
from ScoutSuite.providers.aws.resources.ec2.vpcs import Ec2Vpcs
from ScoutSuite.providers.aws.resources.regions import Regions
from ScoutSuite.providers.aws.resources.ec2.regional_settings import RegionalSettings


class EC2(Regions):
    """EC2 service container with per-region and service-wide resource counts."""

    _children = [
        (Ec2Vpcs, 'vpcs'),
        (AmazonMachineImages, 'images'),
        (Snapshots, 'snapshots'),
        (Volumes, 'volumes'),
        (RegionalSettings, 'regional_settings'),
    ]

    def __init__(self, facade):
        super().__init__('ec2', facade)

    async def fetch_all(self, regions=None, excluded_regions=None, partition_name='aws', **kwargs):
        """Fetch all EC2 resources, then add instance, security group and ENI counts.

        Counts are summed over the VPCs of each region and stored on the region, then summed
        over all regions and stored on the service. Extra ``kwargs`` are accepted but not
        forwarded to the parent ``fetch_all``.
        """
        await super().fetch_all(regions, excluded_regions, partition_name)

        # (per-VPC resource key, name of the derived counter)
        counters = (
            ('instances', 'instances_count'),
            ('security_groups', 'security_groups_count'),
            ('network_interfaces', 'network_interfaces_count'),
        )

        for region in self['regions']:
            for resource_key, counter_key in counters:
                self['regions'][region][counter_key] = sum(
                    len(vpc[resource_key]) for vpc in self['regions'][region]['vpcs'].values()
                )

        for _, counter_key in counters:
            self[counter_key] = sum(
                region_data[counter_key] for region_data in self['regions'].values()
            )


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/instances.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.utils import get_name, get_keys, format_arn

import re


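class EC2Instances(AWSResources):
    """EC2 instances of one VPC in one region."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc
        self.partition = facade.partition
        # Fixed components used when building each instance's ARN.
        self.service = 'ec2'
        self.resource_type = 'instance'

    async def fetch_all(self):
        """Fetch the VPC's instances and store each parsed instance under its instance id."""
        raw_instances = await self.facade.ec2.get_instances(self.region, self.vpc)
        for raw_instance in raw_instances:
            name, resource = await self._parse_instance(raw_instance)
            self[name] = resource

    async def _parse_instance(self, raw_instance):
        """Return ``(instance_id, instance)`` for one raw instance description.

        Besides copying attributes, this fetches the instance's user data through the facade
        and scans it with :meth:`_identify_user_data_secrets`. Both the user data and the
        matched values are stored verbatim on the instance, so the resulting data should be
        handled as sensitive.
        """
        instance = {}
        instance_id = raw_instance['InstanceId']
        instance['id'] = instance_id
        instance['arn'] = format_arn(self.partition, self.service, self.region, raw_instance['OwnerId'],
                                     raw_instance['InstanceId'], self.resource_type)
        instance['reservation_id'] = raw_instance['ReservationId']
        instance['availability_zone'] = raw_instance.get('Placement', {}).get('AvailabilityZone')
        instance['monitoring_enabled'] = raw_instance['Monitoring']['State'] == 'enabled'
        instance['user_data'] = await self.facade.ec2.get_instance_user_data(self.region, instance_id)
        instance['user_data_secrets'] = self._identify_user_data_secrets(instance['user_data'])

        get_name(raw_instance, instance, 'InstanceId')
        get_keys(raw_instance, instance,
                 ['KeyName', 'LaunchTime', 'InstanceType', 'State', 'IamInstanceProfile', 'SubnetId', 'Tags'])

        if 'IamInstanceProfile' in raw_instance:
            instance['iam_instance_profile_id'] = raw_instance['IamInstanceProfile']['Id']
            instance['iam_instance_profile_arn'] = raw_instance['IamInstanceProfile']['Arn']

        instance['network_interfaces'] = {}
        for eni in raw_instance['NetworkInterfaces']:
            nic = {}
            get_keys(eni, nic, ['Association', 'Groups', 'PrivateIpAddresses', 'SubnetId', 'Ipv6Addresses'])
            instance['network_interfaces'][eni['NetworkInterfaceId']] = nic

        instance['metadata_options'] = raw_instance.get('MetadataOptions', {})

        if 'IamInstanceProfile' in raw_instance:
            # Last path segment of the instance profile ARN.
            # NOTE(review): that segment is the instance profile name; confirm it is meant to
            # stand in for the role name.
            instance['iam_role'] = raw_instance['IamInstanceProfile']['Arn'].split('/')[-1]
        else:
            instance['iam_role'] = None

        return instance_id, instance

    @staticmethod
    def _identify_user_data_secrets(user_data):
        """
        Parses EC2 user data in order to identify secrets and credentials.

        :param user_data: user data text; a falsy value yields an empty result.
        :return: dict with a key per category that matched: ``AWS Access Key IDs``,
                 ``AWS Secret Access Keys``, ``Private Keys`` (lists of the matched text)
                 and ``Flagged Words`` (list of keywords found, case-insensitively).

        The checks are heuristics: the secret access key pattern matches any isolated
        40-character run of ``[0-9a-zA-Z/+]``, and only ``AKIA``-prefixed key ids are matched.
        """
        secrets = {}
        if not user_data:
            return secrets

        aws_access_key_regex = re.compile(r'(?:^|[^0-9A-Z])(AKIA[0-9A-Z]{16})(?:[^0-9A-Z]|$)')
        aws_secret_access_key_regex = re.compile(r'(?:^|[^0-9a-zA-Z/+])([0-9a-zA-Z/+]{40})(?:[^0-9a-zA-Z/+]|$)')
        # Any PEM private key header ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
        # "OPENSSH PRIVATE KEY", ...), not only RSA, so other key types are reported too.
        private_key_regex = re.compile(r'(?s)(-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----.+?-----END .+?-----)')
        keywords = ['password', 'secret', 'aws_access_key_id', 'aws_secret_access_key', 'aws_session_token']

        aws_access_key_list = aws_access_key_regex.findall(user_data)
        if aws_access_key_list:
            secrets['AWS Access Key IDs'] = aws_access_key_list
        aws_secret_access_key_list = aws_secret_access_key_regex.findall(user_data)
        if aws_secret_access_key_list:
            secrets['AWS Secret Access Keys'] = aws_secret_access_key_list
        private_key_list = private_key_regex.findall(user_data)
        if private_key_list:
            secrets['Private Keys'] = private_key_list

        # Lower-case once instead of once per keyword.
        lowered_user_data = user_data.lower()
        word_list = [word for word in keywords if word in lowered_user_data]
        if word_list:
            secrets['Flagged Words'] = word_list

        return secrets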


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/networkinterfaces.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.utils import format_arn


class NetworkInterfaces(AWSResources):
    """EC2 network interfaces of one VPC in one region, keyed by NetworkInterfaceId."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc
        self.partition = facade.partition
        self.service = 'ec2'
        self.resource_type = 'network-interface'

    async def fetch_all(self):
        """Fetch the network interfaces for this region/VPC and store each parsed record on self."""
        raw_interfaces = await self.facade.ec2.get_network_interfaces(self.region, self.vpc)
        for raw_interface in raw_interfaces:
            interface_id, interface = self._parse_network_interface(raw_interface)
            self[interface_id] = interface

    def _parse_network_interface(self, raw_network_interface):
        """Add 'name' and 'arn' to the raw record in place; return (interface id, record)."""
        raw_network_interface['name'] = raw_network_interface['NetworkInterfaceId']
        raw_network_interface['arn'] = format_arn(
            self.partition,
            self.service,
            self.region,
            raw_network_interface.get('OwnerId'),
            raw_network_interface.get('NetworkInterfaceId'),
            self.resource_type,
        )
        return raw_network_interface['NetworkInterfaceId'], raw_network_interface


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/regional_settings.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.utils import get_name, format_arn


class RegionalSettings(AWSResources):
    """Region-wide EC2 settings: EBS encryption-by-default flag and its default KMS key id."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        self.service = 'ec2'
        self.resource_type = 'regional_setting'

    async def fetch_all(self):
        """Store the region's EBS default-encryption settings under the placeholder key 0."""
        # These settings belong to the service+region rather than to a resource. ScoutSuite
        # seems to assume every setting is tied to a resource, so a placeholder entry holds them.
        self[0] = {}

        encryption_response = await self.facade.ec2.get_ebs_encryption(self.region)
        self[0]['ebs_encryption_default'] = encryption_response['EbsEncryptionByDefault']

        default_key_response = await self.facade.ec2.get_ebs_default_encryption_key(self.region)
        self[0]['ebs_default_encryption_key_id'] = default_key_response['KmsKeyId']


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/securitygroups.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.utils import format_arn
from ScoutSuite.utils import manage_dictionary
from ScoutSuite.core.fs import load_data


class SecurityGroups(AWSResources):
    """EC2 security groups of one VPC in one region, keyed by GroupId."""

    # Loaded once, when the class body is executed. Used below to translate an ICMP rule's
    # FromPort (the ICMP message type) into the value stored as the "port".
    icmp_message_types_dict = load_data('icmp_message_types.json', 'icmp_message_types')

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc
        self.partition = facade.partition
        self.service = 'ec2'
        self.resource_type = 'security-group'

    async def fetch_all(self):
        """Fetch the security groups for this region/VPC and store each parsed group on self."""
        raw_security_groups = await self.facade.ec2.get_security_groups(self.region, self.vpc)
        # NOTE(review): the loop variable reuses the name of the list being iterated.
        for raw_security_groups in raw_security_groups:
            name, resource = self._parse_security_group(raw_security_groups)
            self[name] = resource

    def _parse_security_group(self, raw_security_group):
        """
        Build the report record for one security group.

        :param raw_security_group: raw group description; 'GroupName', 'GroupId', 'Description',
                                   'OwnerId', 'IpPermissions' and 'IpPermissionsEgress' are
                                   indexed directly, so a missing key raises KeyError
        :return: tuple (group id, record dict)
        """
        security_group = {}
        security_group['name'] = raw_security_group['GroupName']
        security_group['id'] = raw_security_group['GroupId']
        security_group['arn'] = format_arn(self.partition, self.service, self.region, raw_security_group.get('OwnerId'), raw_security_group.get('GroupId'), self.resource_type)
        security_group['description'] = raw_security_group['Description']
        security_group['owner_id'] = raw_security_group['OwnerId']

        # 'tags' is only present in the record when the raw group carries a 'Tags' key.
        if 'Tags' in raw_security_group:
            security_group['tags'] = {x['Key']: x['Value'] for x in raw_security_group['Tags']}

        security_group['rules'] = {'ingress': {}, 'egress': {}}
        ingress_protocols, ingress_rules_count = self._parse_security_group_rules(
            raw_security_group['IpPermissions'])
        security_group['rules']['ingress']['protocols'] = ingress_protocols
        security_group['rules']['ingress']['count'] = ingress_rules_count

        egress_protocols, egress_rules_count = self._parse_security_group_rules(
            raw_security_group['IpPermissionsEgress'])
        security_group['rules']['egress']['protocols'] = egress_protocols
        security_group['rules']['egress']['count'] = egress_rules_count

        # True only when BOTH hold: an all-protocol egress rule to 0.0.0.0/0 and an all-protocol
        # ingress rule whose source is this same group. Additional rules do not change the
        # result, so the flag means "the two default rules are present", not "nothing else is".
        security_group['is_default_configuration'] = \
            self._has_default_egress_rule(raw_security_group['IpPermissionsEgress']) and \
            self._has_default_ingress_rule(raw_security_group['IpPermissions'], raw_security_group['GroupId'])

        return security_group['id'], security_group

    def _has_default_egress_rule(self, rule_list):
        """Return True if any rule allows all protocols ('-1') to the IPv4 range 0.0.0.0/0."""
        # Only 'IpRanges' (IPv4) is inspected; an all-protocol rule to an IPv6 range does not count.
        for rule in rule_list:
            if rule['IpProtocol'] == '-1':
                for ip_range in rule['IpRanges']:
                    if ip_range['CidrIp'] == '0.0.0.0/0':
                        return True
        return False

    def _has_default_ingress_rule(self, rule_list, group_id):
        """Return True if any all-protocol ('-1') rule names the group `group_id` as a source."""
        for rule in rule_list:
            if rule['IpProtocol'] == '-1':
                for source_group in rule['UserIdGroupPairs']:
                    if source_group['GroupId'] == group_id:
                        return True
        return False

    def _parse_security_group_rules(self, rules):
        """
        Regroup a list of rules as protocol -> 'ports' -> port value -> grants.

        :param rules: list of rule dicts; 'IpProtocol', 'UserIdGroupPairs', 'IpRanges' and
                      'Ipv6Ranges' are indexed directly, so a missing key raises KeyError
        :return: tuple (protocols dict, count); the count is incremented once per grant
                 (security group pair, IPv4 range or IPv6 range), not once per rule
        """
        protocols = {}
        rules_count = 0
        for rule in rules:
            ip_protocol = rule['IpProtocol'].upper()
            if ip_protocol == '-1':
                ip_protocol = 'ALL'
            # manage_dictionary is defined in ScoutSuite.utils; presumably it adds the key with
            # the given default when it is missing and returns the dictionary - confirm there.
            protocols = manage_dictionary(protocols, ip_protocol, {})
            protocols[ip_protocol] = manage_dictionary(
                protocols[ip_protocol], 'ports', {})

            # Save the port (single port or range)
            # A rule without both FromPort and ToPort is recorded as the full range.
            port_value = '1-65535'
            if 'FromPort' in rule and 'ToPort' in rule:
                if ip_protocol == 'ICMP':
                    # FromPort with ICMP is the type of message
                    # The lookup raises KeyError when the type is not in the loaded table.
                    # NOTE(review): only the exact protocol string 'ICMP' takes this branch.
                    port_value = self.icmp_message_types_dict[str(
                        rule['FromPort'])]
                elif rule['FromPort'] == rule['ToPort']:
                    port_value = str(rule['FromPort'])
                else:
                    port_value = '{}-{}'.format(rule['FromPort'], rule['ToPort'])
            manage_dictionary(protocols[ip_protocol]['ports'], port_value, {})

            # Save grants, values are either a CIDR or an EC2 security group
            for grant in rule['UserIdGroupPairs']:
                manage_dictionary(
                    protocols[ip_protocol]['ports'][port_value], 'security_groups', [])
                protocols[ip_protocol]['ports'][port_value]['security_groups'].append(
                    grant)
                rules_count = rules_count + 1
            for grant in rule['IpRanges']:
                manage_dictionary(
                    protocols[ip_protocol]['ports'][port_value], 'cidrs', [])
                protocols[ip_protocol]['ports'][port_value]['cidrs'].append(
                    {'CIDR': grant['CidrIp']})
                rules_count = rules_count + 1

            # IPv6
            # IPv6 ranges are appended to the same 'cidrs' list as the IPv4 ranges.
            for grant in rule['Ipv6Ranges']:
                manage_dictionary(
                    protocols[ip_protocol]['ports'][port_value], 'cidrs', [])
                protocols[ip_protocol]['ports'][port_value]['cidrs'].append(
                    {'CIDR': grant['CidrIpv6']})
                rules_count = rules_count + 1

        return protocols, rules_count


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/snapshots.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.utils import get_name, format_arn


class Snapshots(AWSResources):
    """EBS snapshots of one region, keyed by SnapshotId."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        self.service = 'ec2'
        self.resource_type = 'snapshot'

    async def fetch_all(self):
        """Fetch the region's snapshots and store each parsed record on self."""
        for raw_snapshot in await self.facade.ec2.get_snapshots(self.region):
            snapshot_id, snapshot = self._parse_snapshot(raw_snapshot)
            self[snapshot_id] = snapshot

    def _parse_snapshot(self, raw_snapshot):
        """
        Build the report record for one snapshot.

        :return: tuple (snapshot id, record dict)
        """
        # Values are evaluated top to bottom, in the same order the keys are inserted.
        snapshot_dict = {
            'id': raw_snapshot.get('SnapshotId'),
            'name': get_name(raw_snapshot, raw_snapshot, 'SnapshotId'),
            'description': raw_snapshot.get('Description'),
            'public': self._is_public(raw_snapshot),
            'encrypted': raw_snapshot.get('Encrypted'),
            'kms_key_id': raw_snapshot.get('KmsKeyId'),
            'owner_id': raw_snapshot.get('OwnerId'),
            'progress': raw_snapshot.get('Progress'),
            'start_time': raw_snapshot.get('StartTime'),
            'state': raw_snapshot.get('State'),
            'volume_id': raw_snapshot.get('VolumeId'),
            'volume_size': raw_snapshot.get('VolumeSize'),
            'create_volume_permissions': raw_snapshot.get('CreateVolumePermissions'),
            'arn': format_arn(
                self.partition,
                self.service,
                self.region,
                raw_snapshot.get('OwnerId'),
                raw_snapshot.get('SnapshotId'),
                self.resource_type,
            ),
        }
        return snapshot_dict['id'], snapshot_dict

    @staticmethod
    def _is_public(snapshot):
        """
        Return True if any create-volume permission is granted to the group 'all'.

        'CreateVolumePermissions' is indexed directly, so a snapshot record without that key
        raises KeyError rather than being reported as non-public.
        """
        group_is_all = [entry.get('Group') == 'all' for entry in snapshot['CreateVolumePermissions']]
        return any(group_is_all)


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/volumes.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.utils import get_name, format_arn


class Volumes(AWSResources):
    """EBS volumes of one region, keyed by volume id."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        self.service = 'ec2'
        self.resource_type = 'volume'

    async def fetch_all(self):
        """Fetch the region's volumes and store each parsed record on self."""
        for raw_volume in await self.facade.ec2.get_volumes(self.region):
            volume_id, volume = self._parse_volume(raw_volume)
            self[volume_id] = volume

    def _parse_volume(self, raw_volume):
        """Rename 'VolumeId' to 'id', add 'name' and 'arn' in place; return (id, record)."""
        raw_volume['id'] = raw_volume.pop('VolumeId')
        raw_volume['name'] = get_name(raw_volume, raw_volume, 'id')
        # The account id in the ARN comes from the facade, not from the volume record.
        raw_volume['arn'] = format_arn(
            self.partition,
            self.service,
            self.region,
            self.facade.owner_id,
            raw_volume.get('id'),
            self.resource_type,
        )
        return raw_volume['id'], raw_volume


================================================
FILE: ScoutSuite/providers/aws/resources/ec2/vpcs.py
================================================
from ScoutSuite.providers.aws.resources.vpcs import Vpcs
from ScoutSuite.providers.aws.resources.ec2.instances import EC2Instances
from ScoutSuite.providers.aws.resources.ec2.securitygroups import SecurityGroups
from ScoutSuite.providers.aws.resources.ec2.networkinterfaces import NetworkInterfaces


class Ec2Vpcs(Vpcs):
    """EC2 resources that are grouped per VPC."""

    # (resource class, key) pairs; presumably consumed by the Vpcs base class - confirm there.
    _children = [
        (EC2Instances, 'instances'),
        (SecurityGroups, 'security_groups'),
        (NetworkInterfaces, 'network_interfaces'),
    ]


================================================
FILE: ScoutSuite/providers/aws/resources/efs/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/efs/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .filesystems import FileSystems


class EFS(Regions):
    """Per-region container for the 'efs' service."""

    # (resource class, key) pairs; presumably consumed by the Regions base class - confirm there.
    _children = [
        (FileSystems, 'filesystems'),
    ]

    def __init__(self, facade: AWSFacade):
        """Register this container under the service name 'efs'."""
        super().__init__('efs', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/efs/filesystems.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import format_arn


class FileSystems(AWSResources):
    """EFS file systems of one region, keyed by FileSystemId."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        self.service = 'elasticfilesystem'
        self.resource_type = 'file-system'

    async def fetch_all(self):
        """Fetch the region's file systems and store each parsed record on self."""
        for raw_file_system in await self.facade.efs.get_file_systems(self.region):
            file_system_id, file_system = self._parse_file_system(raw_file_system)
            self[file_system_id] = file_system

    def _parse_file_system(self, raw_file_system):
        """
        Normalise one raw file-system record in place.

        'FileSystemId' is removed from the record and used as its key; 'Name' (optional) and
        'Tags' (required) are renamed to lower case; 'arn' is added.

        :return: tuple (file system id, record dict)
        """
        fs_id = raw_file_system.pop('FileSystemId')
        # A file system without a 'Name' gets name None.
        raw_file_system['name'] = raw_file_system.pop('Name', None)
        raw_file_system['tags'] = raw_file_system.pop('Tags')
        raw_file_system['arn'] = format_arn(
            self.partition,
            self.service,
            self.region,
            raw_file_system.get('OwnerId'),
            fs_id,
            self.resource_type,
        )
        return fs_id, raw_file_system


================================================
FILE: ScoutSuite/providers/aws/resources/elasticache/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/elasticache/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.elasticache.parametergroups import ParameterGroups
from ScoutSuite.providers.aws.resources.elasticache.securitygroups import SecurityGroups
from ScoutSuite.providers.aws.resources.elasticache.vpcs import ElastiCacheVpcs
from ScoutSuite.providers.aws.resources.regions import Regions


class ElastiCache(Regions):
    """Per-region container for the 'elasticache' service."""

    # (resource class, key) pairs; presumably consumed by the Regions base class - confirm there.
    _children = [
        (ElastiCacheVpcs, 'vpcs'),
        (SecurityGroups, 'security_groups'),
        (ParameterGroups, 'parameter_groups'),
    ]

    def __init__(self, facade: AWSFacade):
        """Register this container under the service name 'elasticache'."""
        super().__init__('elasticache', facade)

    async def fetch_all(self, regions=None, excluded_regions=None, partition_name='aws', **kwargs):
        """Run the base fetch, then add per-region and service-wide counts."""
        await super().fetch_all(regions, excluded_regions, partition_name)

        # Clusters and subnet groups live under each VPC, so their counts are summed per region.
        for region in self['regions']:
            self['regions'][region]['clusters_count'] = sum(
                len(vpc['clusters']) for vpc in self['regions'][region]['vpcs'].values())
            self['regions'][region]['subnet_groups_count'] = sum(
                len(vpc['subnet_groups']) for vpc in self['regions'][region]['vpcs'].values())

        self['clusters_count'] = sum(
            region_data['clusters_count'] for region_data in self['regions'].values())

        # Parameter groups are kept out of the resources count: there are usually hundreds or
        # thousands of them, which would make the count confusing.
        self.pop('parameter_groups_count')


================================================
FILE: ScoutSuite/providers/aws/resources/elasticache/cluster.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class Clusters(AWSResources):
    """ElastiCache clusters of one VPC in one region."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc
        self.partition = facade.partition
        self.service = 'elasticache'
        self.resource_type = 'cluster'

    async def fetch_all(self):
        """Fetch the clusters for this region/VPC and store each parsed record on self."""
        for raw_cluster in await self.facade.elasticache.get_clusters(self.region, self.vpc):
            cluster_key, cluster = self._parse_cluster(raw_cluster)
            self[cluster_key] = cluster

    def _parse_cluster(self, raw_cluster):
        """Rename 'CacheClusterId' to 'name' in place; key the record by an id derived from it."""
        cluster_name = raw_cluster.pop('CacheClusterId')
        raw_cluster['name'] = cluster_name
        return get_non_provider_id(cluster_name), raw_cluster


================================================
FILE: ScoutSuite/providers/aws/resources/elasticache/parametergroups.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources

from ScoutSuite.providers.utils import get_non_provider_id

class ParameterGroups(AWSResources):
    """ElastiCache parameter groups of one region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's parameter groups and store each parsed record on self."""
        for raw_parameter_group in await self.facade.elasticache.get_parameter_groups(self.region):
            group_id, group = self._parse_parameter_group(raw_parameter_group)
            self[group_id] = group

    def _parse_parameter_group(self, raw_parameter_group):
        """Rename 'CacheParameterGroupName' to 'name', add a derived 'id'; return (id, record)."""
        group_name = raw_parameter_group.pop('CacheParameterGroupName')
        raw_parameter_group['name'] = group_name
        raw_parameter_group['id'] = get_non_provider_id(group_name)
        return raw_parameter_group['id'], raw_parameter_group


================================================
FILE: ScoutSuite/providers/aws/resources/elasticache/securitygroups.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class SecurityGroups(AWSResources):
    """ElastiCache security groups of one region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's cache security groups and store each parsed record on self."""
        for raw_security_group in await self.facade.elasticache.get_security_groups(self.region):
            group_key, group = self._parse_security_group(raw_security_group)
            self[group_key] = group

    def _parse_security_group(self, raw_security_group):
        """Rename 'CacheSecurityGroupName' to 'name' in place; key the record by a derived id."""
        group_name = raw_security_group.pop('CacheSecurityGroupName')
        raw_security_group['name'] = group_name
        return get_non_provider_id(group_name), raw_security_group


================================================
FILE: ScoutSuite/providers/aws/resources/elasticache/subnetgroups.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class SubnetGroups(AWSResources):
    """ElastiCache subnet groups of one VPC in one region."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc

    async def fetch_all(self):
        """Fetch the subnet groups for this region/VPC and store each parsed record on self."""
        for raw_subnet_group in await self.facade.elasticache.get_subnet_groups(self.region, self.vpc):
            group_key, group = self._parse_subnet_group(raw_subnet_group)
            self[group_key] = group

    def _parse_subnet_group(self, raw_subnet_group):
        """Rename 'CacheSubnetGroupName' to 'name' in place; key the record by a derived id."""
        group_name = raw_subnet_group.pop('CacheSubnetGroupName')
        raw_subnet_group['name'] = group_name
        return get_non_provider_id(group_name), raw_subnet_group


================================================
FILE: ScoutSuite/providers/aws/resources/elasticache/vpcs.py
================================================
from ScoutSuite.providers.aws.resources.vpcs import Vpcs
from ScoutSuite.providers.aws.resources.elasticache.cluster import Clusters
from ScoutSuite.providers.aws.resources.elasticache.subnetgroups import SubnetGroups


class ElastiCacheVpcs(Vpcs):
    """ElastiCache resources that are grouped per VPC."""

    # (resource class, key) pairs; presumably consumed by the Vpcs base class - confirm there.
    _children = [
        (Clusters, 'clusters'),
        (SubnetGroups, 'subnet_groups'),
    ]


================================================
FILE: ScoutSuite/providers/aws/resources/elb/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/elb/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .vpcs import ELBVpcs
from .policies import Policies


class ELB(Regions):
    """Per-region container for the 'elb' service."""

    # (resource class, key) pairs; presumably consumed by the Regions base class - confirm there.
    _children = [
        (ELBVpcs, 'vpcs'),
        (Policies, 'elb_policies'),
    ]

    def __init__(self, facade: AWSFacade):
        """Register this container under the service name 'elb'."""
        super().__init__('elb', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/elb/load_balancers.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import get_keys, format_arn
from ScoutSuite.providers.utils import get_non_provider_id


class LoadBalancers(AWSResources):
    """ELB load balancers of one VPC in one region."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc
        self.partition = facade.partition
        self.service = 'elb'
        self.resource_type = 'load-balancer'

    async def fetch_all(self):
        """Fetch the load balancers for this region/VPC and store each parsed record on self."""
        for raw_load_balancer in await self.facade.elb.get_load_balancers(self.region, self.vpc):
            lb_key, load_balancer = self._parse_load_balancer(raw_load_balancer)
            self[lb_key] = load_balancer

    def _parse_load_balancer(self, raw_load_balancer):
        """
        Build the report record for one load balancer.

        :return: tuple (id derived from the load balancer name, record dict)
        """
        load_balancer = {'name': raw_load_balancer['LoadBalancerName']}
        # get_keys is a project helper; presumably it copies the listed keys from the raw
        # record into load_balancer - confirm in ScoutSuite.providers.aws.utils.
        copied_keys = ['DNSName', 'CreatedTime', 'AvailabilityZones', 'Subnets', 'Scheme', 'attributes']
        get_keys(raw_load_balancer, load_balancer, copied_keys)

        load_balancer['security_groups'] = []
        load_balancer['arn'] = format_arn(
            self.partition,
            self.service,
            self.region,
            self.facade.owner_id,
            raw_load_balancer.get('LoadBalancerName'),
            self.resource_type,
        )

        # Each security group id is wrapped as {'GroupId': <id>}.
        load_balancer['security_groups'].extend(
            {'GroupId': group_id} for group_id in raw_load_balancer['SecurityGroups'])

        # Listeners are keyed by the load balancer port they listen on.
        load_balancer['listeners'] = {
            description['Listener']['LoadBalancerPort']: description['Listener']
            for description in raw_load_balancer['ListenerDescriptions']
        }

        load_balancer['instances'] = [
            instance['InstanceId'] for instance in raw_load_balancer['Instances']
        ]

        # 'tags' is only set when the raw record has a non-empty 'Tags' value.
        if raw_load_balancer.get('Tags'):
            load_balancer['tags'] = {tag['Key']: tag['Value'] for tag in raw_load_balancer['Tags']}

        return get_non_provider_id(load_balancer['name']), load_balancer


================================================
FILE: ScoutSuite/providers/aws/resources/elb/policies.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.utils import format_arn
from ScoutSuite.providers.utils import get_non_provider_id


class Policies(AWSResources):
    """ELB policies of one region."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        self.service = 'elb'
        self.resource_type = 'policy'

    async def fetch_all(self):
        """Fetch the region's ELB policies and store each parsed record on self."""
        for raw_policy in await self.facade.elb.get_policies(self.region):
            policy_key, policy = self._parse_policy(raw_policy)
            self[policy_key] = policy

    def _parse_policy(self, raw_policy):
        """Rename 'PolicyName' to 'name', add 'arn' in place; return (derived id, record)."""
        raw_policy['name'] = raw_policy.pop('PolicyName')
        policy_id = get_non_provider_id(raw_policy['name'])
        # The account-id field of the ARN is passed as an empty string here.
        raw_policy['arn'] = format_arn(
            self.partition,
            self.service,
            self.region,
            '',
            raw_policy['name'],
            self.resource_type,
        )
        return policy_id, raw_policy


================================================
FILE: ScoutSuite/providers/aws/resources/elb/vpcs.py
================================================
from ScoutSuite.providers.aws.resources.vpcs import Vpcs
from .load_balancers import LoadBalancers


class ELBVpcs(Vpcs):
    """ELB resources that are grouped per VPC."""

    # (resource class, key) pairs; presumably consumed by the Vpcs base class - confirm there.
    _children = [
        (LoadBalancers, 'elbs'),
    ]


================================================
FILE: ScoutSuite/providers/aws/resources/elbv2/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/elbv2/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .vpcs import ELBv2Vpcs


class ELBv2(Regions):
    """Per-region container for the 'elbv2' service."""

    # (resource class, key) pairs; presumably consumed by the Regions base class - confirm there.
    _children = [
        (ELBv2Vpcs, 'vpcs'),
    ]

    def __init__(self, facade: AWSFacade):
        """Register this container under the service name 'elbv2'."""
        super().__init__('elbv2', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/elbv2/listeners.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources


class Listeners(AWSResources):
    """Listeners of one ELBv2 load balancer, keyed by port."""

    def __init__(self, facade: AWSFacade, region: str, load_balancer_arn: str):
        super().__init__(facade)
        self.region = region
        self.load_balancer_arn = load_balancer_arn

    async def fetch_all(self):
        """Fetch the load balancer's listeners and store each parsed record on self."""
        for raw_listener in await self.facade.elbv2.get_listeners(self.region, self.load_balancer_arn):
            port, listener = self._parse_listener(raw_listener)
            self[port] = listener

    def _parse_listener(self, raw_listener):
        """Drop the two ARN fields and 'Port' from the record in place; return (port, record)."""
        for arn_field in ('ListenerArn', 'LoadBalancerArn'):
            raw_listener.pop(arn_field)
        return raw_listener.pop('Port'), raw_listener


================================================
FILE: ScoutSuite/providers/aws/resources/elbv2/load_balancers.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.utils import get_non_provider_id
from .listeners import Listeners


class LoadBalancers(AWSCompositeResources):
    """ELBv2 load balancers of one VPC in one region, each with its listeners as children."""

    # (resource class, key) pairs used when fetching the children of each load balancer.
    _children = [
        (Listeners, 'listeners'),
    ]

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc

    async def fetch_all(self):
        """Fetch the load balancers, then their listeners, then derive 'listener_protocols'."""
        for raw_load_balancer in await self.facade.elbv2.get_load_balancers(self.region, self.vpc):
            lb_key, parsed = self._parse_load_balancer(raw_load_balancer)
            self[lb_key] = parsed

        # One scope per load balancer: the region and the ARN its listeners are fetched for.
        listener_scopes = {
            lb_key: {'region': self.region, 'load_balancer_arn': lb['arn']}
            for (lb_key, lb) in self.items()
        }
        await self._fetch_children_of_all_resources(resources=self, scopes=listener_scopes)

        # With the listeners loaded, expose the protocols in use as their own field so that
        # rules can test them directly.
        for lb_id in self.keys():
            if lb_id is None:
                continue
            listeners = self[lb_id]['listeners']
            if len(listeners) > 0:
                self[lb_id]['listener_protocols'] = [
                    listener['Protocol'] for listener in listeners.values()
                ]

    def _parse_load_balancer(self, load_balancer):
        """
        Normalise one raw load-balancer record in place.

        :return: tuple (id derived from the load balancer name, record dict)
        """
        for target_key, source_key in (('arn', 'LoadBalancerArn'), ('name', 'LoadBalancerName')):
            load_balancer[target_key] = load_balancer.pop(source_key)
        load_balancer['security_groups'] = []
        # Stays empty unless fetch_all finds listeners for this load balancer.
        load_balancer['listener_protocols'] = []
        load_balancer['isNetwork'] = load_balancer["Type"] == "network"

        # When 'SecurityGroups' is present it is replaced by 'security_groups', with each id
        # wrapped as {'GroupId': <id>}; when absent, 'security_groups' stays empty.
        if 'SecurityGroups' in load_balancer:
            load_balancer['security_groups'].extend(
                {'GroupId': group_id} for group_id in load_balancer['SecurityGroups'])
            load_balancer.pop('SecurityGroups')

        # A non-empty 'Tags' value is replaced by a 'tags' dict; an empty one is left as is.
        if load_balancer.get('Tags'):
            load_balancer['tags'] = {tag['Key']: tag['Value'] for tag in load_balancer['Tags']}
            load_balancer.pop('Tags')

        return get_non_provider_id(load_balancer['name']), load_balancer


================================================
FILE: ScoutSuite/providers/aws/resources/elbv2/vpcs.py
================================================
from ScoutSuite.providers.aws.resources.vpcs import Vpcs
from .load_balancers import LoadBalancers


class ELBv2Vpcs(Vpcs):
    """ELBv2 resources that are grouped per VPC."""

    # (resource class, key) pairs; presumably consumed by the Vpcs base class - confirm there.
    _children = [
        (LoadBalancers, 'lbs'),
    ]


================================================
FILE: ScoutSuite/providers/aws/resources/emr/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/emr/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .vpcs import EMRVpcs


class EMR(Regions):
    """Per-region container for the 'emr' service."""

    # (resource class, key) pairs; presumably consumed by the Regions base class - confirm there.
    _children = [
        (EMRVpcs, 'vpcs'),
    ]

    def __init__(self, facade: AWSFacade):
        """Register this container under the service name 'emr'."""
        super().__init__('emr', facade)

    async def fetch_all(self, regions=None, excluded_regions=None, partition_name='aws', **kwargs):
        """Run the base fetch, then add per-region and service-wide cluster counts."""
        await super().fetch_all(regions, excluded_regions, partition_name)

        # Clusters live under each VPC entry, so the regional count sums over the VPCs.
        for region in self['regions']:
            self['regions'][region]['clusters_count'] = sum(
                len(vpc['clusters']) for vpc in self['regions'][region]['vpcs'].values())

        self['clusters_count'] = sum(
            region_data['clusters_count'] for region_data in self['regions'].values())


================================================
FILE: ScoutSuite/providers/aws/resources/emr/clusters.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources


class EMRClusters(AWSResources):
    """EMR clusters of one region, keyed by cluster id."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's clusters and store each parsed record on self."""
        for raw_cluster in await self.facade.emr.get_clusters(self.region):
            cluster_id, cluster = self._parse_cluster(raw_cluster)
            self[cluster_id] = cluster

    def _parse_cluster(self, raw_cluster):
        """Rename 'Id', 'Name' and 'ClusterArn' to lower-case keys in place; return (id, record)."""
        renames = (('id', 'Id'), ('name', 'Name'), ('arn', 'ClusterArn'))
        for target_key, source_key in renames:
            raw_cluster[target_key] = raw_cluster.pop(source_key)
        return raw_cluster['id'], raw_cluster


================================================
FILE: ScoutSuite/providers/aws/resources/emr/vpcs.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources

from .clusters import EMRClusters


class EMRVpcs(AWSCompositeResources):
    """VPC level of the EMR tree: every cluster of a region sits under one placeholder VPC."""

    _children = [(EMRClusters, 'clusters')]

    def __init__(self, facade: AWSFacade, region: str):
        # The region is stored before the parent initialiser runs; keep this ordering.
        self.region = region
        super().__init__(facade)

    async def fetch_all(self):
        """Create the placeholder VPC entry and fetch the region's clusters into it."""
        # EMR does not expose the VPC here, so all clusters are filed under a synthetic name
        # and the real VPC is inferred later, during preprocessing.
        placeholder_vpc = 'EMR-UNKNOWN-VPC'
        self[placeholder_vpc] = {}
        scope = {'region': self.region}
        await self._fetch_children(self[placeholder_vpc], scope)


================================================
FILE: ScoutSuite/providers/aws/resources/iam/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/iam/base.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.aws.resources.iam.credentialreports import CredentialReports
from ScoutSuite.providers.aws.resources.iam.groups import Groups
from ScoutSuite.providers.aws.resources.iam.policies import Policies
from ScoutSuite.providers.aws.resources.iam.users import Users
from ScoutSuite.providers.aws.resources.iam.roles import Roles
from ScoutSuite.providers.aws.resources.iam.passwordpolicy import PasswordPolicy
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.core.console import print_exception


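class IAM(AWSCompositeResources):
    """IAM service resources plus a cross-reference index of the permissions they grant.

    After ``finalize`` the ``'permissions'`` entry is a nested dict addressed as::

        permissions[action_string][action][entity_type][effect][entity_id]
                   [resource_string][resource][policy_type][policy_name]['condition']

    where ``action_string`` is 'Action' or 'NotAction' and ``resource_string`` is
    'Resource' or 'NotResource'.
    """

    _children = [
        (CredentialReports, 'credential_reports'),
        (Groups, 'groups'),
        (Policies, 'policies'),
        (Users, 'users'),
        (Roles, 'roles'),
        (PasswordPolicy, 'password_policy')
    ]

    def __init__(self, facade: AWSFacade):
        super().__init__(facade)
        self.service = 'iam'

    async def fetch_all(self, partition_name='aws', **kwargs):
        """Fetch all child resources; ``partition_name`` and ``kwargs`` are accepted but unused here."""
        await self._fetch_children(self)

        # We do not want the report to count the password policies as resources, they aren't really resources.
        self['password_policy_count'] = 0

    async def finalize(self):
        """Link managed policies to the entities they are attached to and build the permissions index.

        Failures are logged rather than raised. A failure on one attached entity is reported and
        the remaining entities and policies are still processed, so that one bad attachment does
        not leave the rest of the permissions index empty.
        """
        try:
            # Update permissions for managed policies
            self['permissions'] = {}
            policies = list(self['policies'].values())
            for resource_type in ('groups', 'users', 'roles'):
                self._parse_inline_policies_permissions(resource_type)

            for policy in policies:
                policy_id = policy['id']
                attached_to = policy.get('attached_to')
                if not attached_to:
                    # Unattached policy: only the top-level action bucket is registered.
                    self._parse_permissions(
                        policy_id, policy['PolicyDocument'], 'policies', None, None)
                    continue

                for entity_type in attached_to:
                    for entity in attached_to[entity_type]:
                        try:
                            entity['id'] = self._get_id_for_resource(entity_type, entity['name'])
                            entities = self[entity_type]
                            if entity['id'] is not None:
                                target = entities[entity['id']]
                                target.setdefault('policies', [])
                                target.setdefault('policies_counts', 0)
                                target['policies'].append(policy_id)
                                target['policies_counts'] += 1
                                self._parse_permissions(
                                    policy_id, policy['PolicyDocument'], 'policies', entity_type, entity['id'])
                        except Exception as e:
                            # 'id' may not have been set yet when the lookup itself failed. Reading
                            # entity["id"] here used to raise KeyError inside the handler, which
                            # escaped to the outer handler and stopped processing of every
                            # remaining policy.
                            print_exception(f'Error setting entity for ID {self._entity_label(entity)}: {e}')
        except Exception as e:
            print_exception(f'Error finalizing IAM service: {e}')

    @staticmethod
    def _entity_label(entity):
        """Return the best available identifier of an attached entity for log messages."""
        if isinstance(entity, dict):
            return entity.get('id') or entity.get('name')
        return repr(entity)

    def _parse_inline_policies_permissions(self, resource_type):
        """Index the inline policies of every resource of ``resource_type`` ('groups', 'users', 'roles')."""
        for resource_id, resource in self[resource_type].items():
            if 'inline_policies' not in resource:
                continue

            for policy_id, policy in resource['inline_policies'].items():
                self._parse_permissions(
                    policy_id, policy['PolicyDocument'], 'inline_policies', resource_type, resource_id)

    def _get_id_for_resource(self, iam_resource_type, resource_name):
        """Return the id of the first resource of the given type whose 'name' matches, else None."""
        for resource_id, resource in self[iam_resource_type].items():
            if resource['name'] == resource_name:
                return resource_id
        return None

    def _parse_permissions(self, policy_name, policy_document, policy_type, iam_resource_type, resource_name):
        """Index every statement of ``policy_document``.

        A single statement given as a dict is wrapped in a list, in place, so that the stored
        policy document always carries a list of statements afterwards.
        """
        # Enforce list of statements (Github issue #99)
        if not isinstance(policy_document['Statement'], list):
            policy_document['Statement'] = [policy_document['Statement']]
        for statement in policy_document['Statement']:
            self._parse_statement(policy_name, statement,
                                  policy_type, iam_resource_type, resource_name)

    def _parse_statement(self, policy_name, statement, policy_type, iam_resource_type, resource_name):
        """Normalise one statement and index its actions.

        The action and resource members are converted to lists in place. When
        ``iam_resource_type`` is None (policy not attached to any entity) only the top-level
        'Action' / 'NotAction' bucket is created and nothing else is recorded. The callers in
        this class pass an entity id as ``resource_name``.
        """
        # Effect
        effect = str(statement['Effect'])
        # Action or NotAction
        action_string = 'Action' if 'Action' in statement else 'NotAction'
        if not isinstance(statement[action_string], list):
            statement[action_string] = [statement[action_string]]
        # Resource or NotResource
        resource_string = 'Resource' if 'Resource' in statement else 'NotResource'
        if not isinstance(statement[resource_string], list):
            statement[resource_string] = [statement[resource_string]]
        # Condition
        condition = statement.get('Condition')
        self['permissions'].setdefault(action_string, {})
        if iam_resource_type is None:
            return
        self._parse_actions(effect, action_string, statement[action_string], resource_string,
                            statement[resource_string], iam_resource_type, resource_name, policy_name, policy_type,
                            condition)

    def _parse_actions(self, effect, action_string, actions, resource_string, resources, iam_resource_type,
                       iam_resource_name, policy_name, policy_type, condition):
        """Create the action -> entity type -> effect -> entity path for each action, then index its resources."""
        by_action = self['permissions'][action_string]
        for action in actions:
            by_action.setdefault(action, {}) \
                .setdefault(iam_resource_type, {}) \
                .setdefault(effect, {}) \
                .setdefault(iam_resource_name, {})
            self._parse_action(effect, action_string, action, resource_string, resources, iam_resource_type,
                               iam_resource_name, policy_name, policy_type, condition)

    def _parse_action(self, effect, action_string, action, resource_string, resources, iam_resource_type,
                      iam_resource_name, policy_name, policy_type, condition):
        """Index every resource of a single action."""
        for resource in resources:
            self._parse_resource(effect, action_string, action, resource_string, resource, iam_resource_type,
                                 iam_resource_name, policy_name, policy_type, condition)

    def _parse_resource(self, effect, action_string, action, resource_string, resource, iam_resource_type,
                        iam_resource_name, policy_name, policy_type, condition):
        """Record the statement's condition under the full action/entity/resource/policy path.

        An existing 'condition' entry for the same path is kept (``setdefault``), so the first
        statement seen for a given path wins.
        """
        node = self['permissions'][action_string][action][iam_resource_type][effect][iam_resource_name]
        for key in (resource_string, resource, policy_type, policy_name):
            node = node.setdefault(key, {})
        node.setdefault('condition', condition)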


================================================
FILE: ScoutSuite/providers/aws/resources/iam/credentialreports.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.core.console import print_exception


class CredentialReports(AWSResources):
    """Rows of the IAM credential report, one per user, keyed by a derived id."""

    async def fetch_all(self):
        """Retrieve the credential report rows through the facade and store the parsed rows."""
        for row in await self.facade.iam.get_credential_reports():
            report_id, report = await self._parse_credential_reports(row)
            self[report_id] = report

    async def _parse_credential_reports(self, raw_credential_report):
        """Normalise one report row in place and return ``(id, row)``.

        Date columns holding 'N/A' or 'no_information' become None, 'last_used' is derived from
        the password and access-key usage dates, and 'mfa_active_hardware' is inferred.
        """
        report = raw_credential_report
        report['id'] = get_non_provider_id(report['user'])
        report['name'] = report['user']

        # (column, is_date) in processing order. Non-date columns are only read back, which still
        # raises KeyError when the column is missing from the row.
        checked_columns = (
            ('password_enabled', False),
            ('password_last_used', True),
            ('password_last_changed', True),
            ('access_key_1_active', False),
            ('access_key_1_last_used_date', True),
            ('access_key_1_last_rotated', True),
            ('access_key_2_active', False),
            ('access_key_2_last_used_date', True),
            ('access_key_2_last_rotated', True),
        )
        for column, is_date in checked_columns:
            value = report[column]
            report[column] = self._sanitize_date(value) if is_date else value

        report['last_used'] = self._compute_last_used(report)
        for column in ('cert_1_active', 'cert_2_active'):
            report[column] = report[column]

        # The report carries booleans as the strings 'true' / 'false'.
        hardware_mfa = False
        if report['mfa_active'] == 'true':
            hardware_mfa = await self._user_has_hardware_mfa_devices(report['name'])
        report['mfa_active_hardware'] = hardware_mfa

        report['partition'] = self.facade.partition

        return report['id'], report

    async def _user_has_hardware_mfa_devices(self, username):
        """
        Tell whether the given user has a hardware MFA device configured.

        For normal users, virtual devices have serial numbers starting with "arn", so a user is
        reported as having hardware MFA when devices exist and none of them is virtual.

        For the root user, the devices cannot be listed, so all virtual devices are checked
        instead: if none of the enabled ones belongs to the root user, a hardware device is
        inferred (MFA is known to be active but no virtual device was found).

        NOTE(review): the root branch is selected by an empty username; presumably the facade
        normalises the root row that way - confirm against the facade.
        NOTE(review): when the lookup fails the error is logged and None is returned, so
        'mfa_active_hardware' may hold None as well as True/False.
        """
        try:
            if username == '':
                virtual_devices = await self.facade.iam.get_virtual_mfa_devices()
                # A device without EnableDate has been disabled and does not count.
                root_uses_virtual_device = any(
                    device.get('EnableDate') and device['User']['Arn'][-5:] == ':root'
                    for device in virtual_devices)
                return not root_uses_virtual_device

            user_devices = await self.facade.iam.get_user_mfa_devices(username)
            if not user_devices:
                return False
            return all(device['SerialNumber'][0:4] != 'arn:' for device in user_devices)
        except Exception as e:
            print_exception(f'Failed to infer hardware MFA configuration for user {username}: {e}')
            return None

    @staticmethod
    def _sanitize_date(date):
        """
        Return None for the placeholders 'N/A' and 'no_information', otherwise the date unchanged.
        """
        return None if date in ('no_information', 'N/A') else date

    @staticmethod
    def _compute_last_used(credential_report):
        """Return the latest of the password and access-key last-used values, or None if all are None."""
        usage_columns = ('password_last_used',
                         'access_key_1_last_used_date',
                         'access_key_2_last_used_date')
        known_dates = [credential_report[column] for column in usage_columns
                       if credential_report[column] is not None]
        return max(known_dates) if known_dates else None


================================================
FILE: ScoutSuite/providers/aws/resources/iam/groups.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources


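class Groups(AWSResources):
    """IAM groups, keyed by group id."""

    async def fetch_all(self):
        """Retrieve the groups through the facade and store each parsed group under its id."""
        raw_groups = await self.facade.iam.get_groups()
        for raw_group in raw_groups:
            parsed = self._parse_group(raw_group)
            # _parse_group returns None for a group it considers already stored; unpacking that
            # result directly used to raise TypeError and abort the whole fetch.
            if parsed is None:
                continue
            group_id, group = parsed
            self[group_id] = group

    def _parse_group(self, raw_group):
        """Rename the API keys of one group in place and return ``(id, group)``.

        Returns None when the group's name is already a key of this collection.
        """
        # NOTE(review): entries are stored under the group id, so this name-based check only
        # matches if a name equals a stored id - confirm which key was intended.
        if raw_group['GroupName'] in self:
            return None

        for target_key, source_key in (('id', 'GroupId'), ('name', 'GroupName'),
                                       ('arn', 'Arn'), ('users', 'Users')):
            raw_group[target_key] = raw_group.pop(source_key)
        return raw_group['id'], raw_group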


================================================
FILE: ScoutSuite/providers/aws/resources/iam/passwordpolicy.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources


class PasswordPolicy(AWSResources):
    """The account password policy, stored as a flat set of keys on this object."""

    async def fetch_all(self):
        """Retrieve the password policy through the facade and merge the parsed result into self."""
        fetched_policy = await self.facade.iam.get_password_policy()
        self.update(self._parse_password_policy(fetched_policy))

    def _parse_password_policy(self, raw_password_policy):
        """Return the normalised policy dict.

        When the facade returned None, a fallback with the weakest value for every setting is
        returned, so that rules evaluating these keys see every requirement as not enforced.
        Otherwise the received dict is adjusted in place:

        - 'PasswordReusePrevention' becomes a boolean, and the value received under that key
          is kept under 'PreviousPasswordPrevented';
        - 'ExpirePasswords' is forced to True whenever 'MaxPasswordAge' is present.
        """
        if raw_password_policy is None:
            # Note that the minimum length is the string '1' here, not an integer.
            fallback = {'MinimumPasswordLength': '1'}
            for disabled_setting in ('RequireUppercaseCharacters',
                                     'RequireLowercaseCharacters',
                                     'RequireNumbers',
                                     'RequireSymbols',
                                     'PasswordReusePrevention',
                                     'ExpirePasswords'):
                fallback[disabled_setting] = False
            return fallback

        policy = raw_password_policy
        reuse_prevention_set = 'PasswordReusePrevention' in policy
        if reuse_prevention_set:
            policy['PreviousPasswordPrevented'] = policy['PasswordReusePrevention']
        policy['PasswordReusePrevention'] = reuse_prevention_set

        # There is a bug in the API: ExpirePasswords always returns false
        if 'MaxPasswordAge' in policy:
            policy['ExpirePasswords'] = True

        return policy


================================================
FILE: ScoutSuite/providers/aws/resources/iam/policies.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources


class Policies(AWSResources):
    """IAM managed policies, keyed by policy id."""

    async def fetch_all(self):
        """Retrieve the policies through the facade and store each parsed policy under its id."""
        for fetched_policy in await self.facade.iam.get_policies():
            policy_id, policy = self._parse_policy(fetched_policy)
            self[policy_id] = policy

    def _parse_policy(self, raw_policy):
        """Build the stored policy dict from the fetched one and return ``(id, policy)``.

        The five copied keys are removed from ``raw_policy``. 'management' is 'AWS' when the
        ARN lies in the ``aws`` account namespace of the facade's partition, else 'Customer'.
        """
        policy = {
            'id': raw_policy.pop('PolicyId'),
            'name': raw_policy.pop('PolicyName'),
            'arn': raw_policy.pop('Arn'),
            'PolicyDocument': raw_policy.pop('PolicyDocument'),
            'attached_to': raw_policy.pop('attached_to'),
        }
        aws_managed_prefix = f"arn:{self.facade.partition}:iam::aws:"
        if policy['arn'].startswith(aws_managed_prefix):
            policy['management'] = 'AWS'
        else:
            policy['management'] = 'Customer'

        return policy['id'], policy


================================================
FILE: ScoutSuite/providers/aws/resources/iam/roles.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources


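class Roles(AWSResources):
    """IAM roles, keyed by role id."""

    async def fetch_all(self):
        """Retrieve the roles through the facade and store each parsed role under its id."""
        raw_roles = await self.facade.iam.get_roles()
        for raw_role in raw_roles:
            role_id, role = self._parse_role(raw_role)
            self[role_id] = role

    def _parse_role(self, raw_role):
        """Build the stored role dict from the fetched one and return ``(id, role)``.

        Missing source keys yield None values. 'Tags' is only set when the role has tags.
        """
        role_dict = {
            'id': raw_role.get('RoleId'),
            'name': raw_role.get('RoleName'),
            'arn': raw_role.get('Arn'),
            'description': raw_role.get('Description'),
            'path': raw_role.get('Path'),
            'create_date': raw_role.get('CreateDate'),
            'max_session_duration': raw_role.get('MaxSessionDuration'),
            'instance_profiles': raw_role.get('instance_profiles'),
            'instances_count': raw_role.get('instances_count'),
            'inline_policies': raw_role.get('inline_policies'),
            'inline_policies_count': raw_role.get('inline_policies_count'),
            # The trust policy: it determines which principals may assume the role.
            'assume_role_policy': raw_role.get('assume_role_policy'),
        }
        # A role without a 'tags' entry (or with one lacking 'Tags') used to raise TypeError on
        # len(None), which made the whole role fetch fail.
        tags = (raw_role.get('tags') or {}).get('Tags')
        if tags:
            role_dict['Tags'] = tags
        return role_dict['id'], role_dict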


================================================
FILE: ScoutSuite/providers/aws/resources/iam/users.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources


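class Users(AWSResources):
    """IAM users, keyed by user id."""

    async def fetch_all(self):
        """Retrieve the users through the facade and store each parsed user under its id.

        A user whose id is already stored is skipped, so the first occurrence wins.
        """
        raw_users = await self.facade.iam.get_users()
        for raw_user in raw_users:
            user_id, user = self._parse_user(raw_user)
            if user_id in self:
                continue
            self[user_id] = user

    def _parse_user(self, raw_user):
        """Rename the API keys of one user in place and return ``(id, user)``.

        'Tags' is only set when the user has tags.
        """
        raw_user['id'] = raw_user.pop('UserId')
        raw_user['name'] = raw_user.pop('UserName')
        raw_user['arn'] = raw_user.pop('Arn')
        # Tolerate a missing or empty 'tags' entry instead of raising KeyError/TypeError, in
        # line with how roles are parsed.
        tags = (raw_user.get('tags') or {}).get('Tags')
        if tags:
            raw_user['Tags'] = tags
        return raw_user['id'], raw_user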


================================================
FILE: ScoutSuite/providers/aws/resources/kms/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/kms/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .keys import Keys


class KMS(Regions):
    """KMS service resources, fetched per region; each region holds its keys."""

    _children = [(Keys, 'keys')]

    def __init__(self, facade: AWSFacade):
        service_name = 'kms'
        super().__init__(service_name, facade)


================================================
FILE: ScoutSuite/providers/aws/resources/kms/grants.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import format_arn


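class Grants(AWSResources):
    """Grants of a single KMS key, keyed by grant id."""

    def __init__(self, facade: AWSFacade, region: str, key_id: str):
        super().__init__(facade)
        self.region = region
        self.key_id = key_id
        self.partition = facade.partition
        self.service = 'kms'
        self.resource_type = 'grant'

    async def fetch_all(self):
        """Retrieve the key's grants through the facade and store each parsed grant under its id."""
        raw_grants = await self.facade.kms.get_grants(self.region, self.key_id)
        for raw_grant in raw_grants:
            grant_id, grant = self._parse_grant(raw_grant)
            self[grant_id] = grant

    def _parse_grant(self, raw_grant):
        """Build the stored grant dict from the fetched one and return ``(grant_id, grant)``.

        The grantee and retiring principals and the granted operations are what a reviewer
        needs to judge who can use the key, so they are copied through unchanged.
        """
        issuing_account = raw_grant.get('IssuingAccount')
        # 'IssuingAccount' may be a full ARN or a bare value; in ARN form the fifth
        # colon-separated field is used as the account part of the grant ARN.
        account = issuing_account.split(':')[4] if ':' in issuing_account else issuing_account

        grant_dict = {
            'key_id': raw_grant.get('KeyId'),
            'grant_id': raw_grant.get('GrantId'),
            'name': raw_grant.get('Name'),
            'create_date': raw_grant.get('CreationDate'),
            'grantee_principal': raw_grant.get('GranteePrincipal'),
            # The key was misspelled ('ReitirngPrincipal'), so this field was always None.
            'retiring_principal': raw_grant.get('RetiringPrincipal'),
            'issuing_account': issuing_account,
            'operations': raw_grant.get('Operations'),
            'constraints': raw_grant.get('Constraints'),
            'arn': format_arn(self.partition, self.service, self.region, account,
                              raw_grant.get('GrantId'), self.resource_type)
        }
        return grant_dict['grant_id'], grant_dict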


================================================
FILE: ScoutSuite/providers/aws/resources/kms/keys.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.utils import get_non_provider_id
from .grants import Grants


class Keys(AWSCompositeResources):
    """KMS keys of a single region, keyed by key id, each with its grants as children."""

    _children = [(Grants, 'grants')]

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Retrieve and parse the region's keys, then fetch the grants of every stored key."""
        for fetched_key in await self.facade.kms.get_keys(self.region):
            parsed_id, parsed_key = await self._parse_key(fetched_key)
            self[parsed_id] = parsed_key

        # One scope per stored key: the children are built with the region and the key's id.
        scopes = {}
        for stored_id, stored_key in self.items():
            scopes[stored_id] = {'region': self.region, 'key_id': stored_key['id']}
        await self._fetch_children_of_all_resources(resources=self, scopes=scopes)

    async def _parse_key(self, raw_key):
        """Build the stored key dict from the fetched one and return ``(id, key)``.

        'rotation_enabled' ends up as:

        - None when the key metadata was not available, or when the rotation status lookup
          returned nothing;
        - the reported 'KeyRotationEnabled' value for keys with origin 'AWS_KMS' and key
          manager 'CUSTOMER';
        - True for every other key.

        NOTE(review): the last case also covers customer-managed keys whose origin is not
        'AWS_KMS'; their rotation state is not queried here, so True is an assumption for
        them - confirm this is intended before relying on it in a rule.
        """
        key_id = raw_key.get('KeyId')
        key_dict = {
            'id': key_id,
            'name': key_id,
            'arn': raw_key.get('KeyArn'),
            'policy': raw_key.get('policy'),
        }

        if 'metadata' in raw_key:
            metadata = raw_key['metadata']['KeyMetadata']
            key_dict['creation_date'] = metadata['CreationDate'] or None
            key_dict['key_enabled'] = metadata['KeyState'] not in ['Disabled', 'PendingDeletion']
            # Blank or whitespace-only strings are stored as None.
            for target_key, source_key in (('description', 'Description'),
                                           ('origin', 'Origin'),
                                           ('key_manager', 'KeyManager')):
                text = metadata[source_key]
                key_dict[target_key] = text if text.strip() else None

        # Handle keys who don't have these keys - seen in the wild, unsure why
        if 'origin' not in key_dict or 'key_manager' not in key_dict:
            rotation_enabled = None
        # Only call this on customer managed CMKs, otherwise the AWS set policies might disallow access and it's
        # always enabled anyway
        elif key_dict['origin'] == 'AWS_KMS' and key_dict['key_manager'] == 'CUSTOMER':
            rotation_status = await self.facade.kms.get_key_rotation_status(self.region, key_dict['id'])
            rotation_enabled = rotation_status.get('KeyRotationEnabled', None) if rotation_status else None
        else:
            rotation_enabled = True
        key_dict['rotation_enabled'] = rotation_enabled

        key_dict['aliases'] = [self._parse_alias(raw_alias) for raw_alias in raw_key.get('aliases', [])]

        return key_dict['id'], key_dict

    def _parse_alias(self, raw_alias):
        """Return the stored form of one key alias."""
        alias_arn = raw_alias.get('AliasArn')
        # all KMS Aliases are prefixed with alias/, so we'll strip that off the name
        short_name = raw_alias.get('AliasName').split('alias/', 1)[-1]
        return {
            'id': get_non_provider_id(alias_arn),
            'name': short_name,
            'arn': alias_arn,
            'key_id': raw_alias.get('TargetKeyId'),
        }


================================================
FILE: ScoutSuite/providers/aws/resources/rds/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/rds/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.rds.parametergroups import ParameterGroups
from ScoutSuite.providers.aws.resources.rds.securitygroups import SecurityGroups
from ScoutSuite.providers.aws.resources.rds.vpcs import RDSVpcs
from ScoutSuite.providers.aws.resources.regions import Regions


class RDS(Regions):
    """RDS service resources per region: VPC-scoped resources, parameter groups and security groups."""

    _children = [
        (RDSVpcs, 'vpcs'),
        (ParameterGroups, 'parameter_groups'),
        (SecurityGroups, 'security_groups')
    ]

    def __init__(self, facade: AWSFacade):
        super().__init__('rds', facade)

    async def fetch_all(self, regions=None, excluded_regions=None, partition_name='aws', **kwargs):
        """Fetch every region, then roll the VPC-scoped counts up to region and service level.

        Extra keyword arguments are accepted but are not forwarded to the parent class.
        """
        await super().fetch_all(regions, excluded_regions, partition_name)

        # (per-VPC collection, name of the count it feeds)
        counted = (
            ('instances', 'instances_count'),
            ('snapshots', 'snapshots_count'),
            ('subnet_groups', 'subnet_groups_count'),
        )

        for region_data in self['regions'].values():
            for collection, count_key in counted:
                region_data[count_key] = sum(
                    len(vpc[collection]) for vpc in region_data['vpcs'].values())

        for _, count_key in counted:
            self[count_key] = sum(
                region_data[count_key] for region_data in self['regions'].values())


================================================
FILE: ScoutSuite/providers/aws/resources/rds/instances.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class RDSInstances(AWSResources):
    """RDS instances of one VPC in one region, keyed by an id derived from the instance name."""

    # Attributes copied as-is from the fetched instance; absent ones are stored as None, so a
    # None in e.g. 'PubliclyAccessible' or 'StorageEncrypted' means "not reported", not False.
    _COPIED_KEYS = (
        'InstanceCreateTime', 'Engine', 'DBInstanceStatus', 'AutoMinorVersionUpgrade',
        'DBInstanceClass', 'MultiAZ', 'Endpoint', 'BackupRetentionPeriod', 'PubliclyAccessible',
        'StorageEncrypted', 'VpcSecurityGroups', 'DBSecurityGroups', 'DBParameterGroups',
        'EnhancedMonitoringResourceArn', 'CACertificateIdentifier', 'Tags',
    )

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc

    async def fetch_all(self):
        """Retrieve the instances of this region and VPC through the facade and store them."""
        for fetched_instance in await self.facade.rds.get_instances(self.region, self.vpc):
            instance_id, instance = self._parse_instance(fetched_instance)
            self[instance_id] = instance

    def _parse_instance(self, raw_instance):
        """Build the stored instance dict and return ``(derived id, instance)``.

        'DBInstanceIdentifier' is removed from ``raw_instance`` and becomes 'name'.
        """
        instance = {'name': raw_instance.pop('DBInstanceIdentifier')}
        for key in self._COPIED_KEYS:
            instance[key] = raw_instance.get(key)

        instance['is_read_replica'] = self._is_read_replica(raw_instance)
        instance['arn'] = raw_instance.get('DBInstanceArn')
        return get_non_provider_id(instance['name']), instance

    @staticmethod
    def _is_read_replica(instance):
        """Return True when the instance carries a read-replica source identifier."""
        # The ReadReplicaSourceDBInstanceIdentifier attribute is only defined for read replicas.
        # Ref.: https://bit.ly/2UhKPqP
        source_identifier = instance.get('ReadReplicaSourceDBInstanceIdentifier')
        return source_identifier is not None


================================================
FILE: ScoutSuite/providers/aws/resources/rds/parametergroups.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class ParameterGroups(AWSResources):
    """RDS parameter groups of a single region, keyed by an id derived from the group name."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Retrieve the region's parameter groups through the facade and store them."""
        for fetched_group in await self.facade.rds.get_parameter_groups(self.region):
            group_id, group = self._parse_parameter_group(fetched_group)
            self[group_id] = group

    def _parse_parameter_group(self, raw_parameter_group):
        """Rename the ARN, name and parameters keys in place and return ``(derived id, group)``."""
        renames = (
            ('arn', 'DBParameterGroupArn'),
            ('name', 'DBParameterGroupName'),
            ('parameters', 'Parameters'),
        )
        for target_key, source_key in renames:
            raw_parameter_group[target_key] = raw_parameter_group.pop(source_key)
        return get_non_provider_id(raw_parameter_group['name']), raw_parameter_group


================================================
FILE: ScoutSuite/providers/aws/resources/rds/securitygroups.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class SecurityGroups(AWSResources):
    """RDS DB security groups of a single region, keyed by an id derived from the group name."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Retrieve the region's DB security groups through the facade and store them."""
        for fetched_group in await self.facade.rds.get_security_groups(self.region):
            group_id, group = self._parse_security_group(fetched_group)
            self[group_id] = group

    def _parse_security_group(self, raw_security_group):
        """Rename the ARN and name keys in place and return ``(derived id, group)``."""
        for target_key, source_key in (('arn', 'DBSecurityGroupArn'),
                                       ('name', 'DBSecurityGroupName')):
            raw_security_group[target_key] = raw_security_group.pop(source_key)
        group_id = get_non_provider_id(raw_security_group['name'])
        return group_id, raw_security_group


================================================
FILE: ScoutSuite/providers/aws/resources/rds/snapshots.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources


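class Snapshots(AWSResources):
    """RDS snapshots (instance and cluster) of one region and VPC, keyed by snapshot identifier."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc

    async def fetch_all(self):
        """Fetch the snapshots of this region/VPC through the facade and store each parsed entry."""
        raw_snapshots = await self.facade.rds.get_snapshots(self.region, self.vpc)
        for raw_snapshot in raw_snapshots:
            name, resource = self._parse_snapshot(raw_snapshot)
            self[name] = resource

    def _parse_snapshot(self, raw_snapshot):
        """
        Build a normalised snapshot dict from a raw instance or cluster snapshot.

        An entry is treated as a cluster snapshot when it carries ``DBClusterIdentifier``; the
        identifier and ARN are then read from the ``DBClusterSnapshot*`` keys instead of the
        ``DBSnapshot*`` ones. The identifier and ARN keys are popped from ``raw_snapshot``.

        :param raw_snapshot: dict describing one snapshot
        :return: tuple of (snapshot identifier, normalised snapshot dict)
        :raises KeyError: if the identifier, ARN, ``VpcId`` or ``Attributes`` key is missing, or
                          if a cluster snapshot has no ``StorageEncrypted`` key
        """
        is_cluster = 'DBClusterIdentifier' in raw_snapshot

        if is_cluster:
            snapshot_id = raw_snapshot.pop('DBClusterSnapshotIdentifier')
            arn = raw_snapshot.pop('DBClusterSnapshotArn')
        else:
            snapshot_id = raw_snapshot.pop('DBSnapshotIdentifier')
            arn = raw_snapshot.pop('DBSnapshotArn')

        snapshot = {
            'arn': arn,
            # Stored as plain strings; a trailing comma after the value would make these 1-tuples
            'id': snapshot_id,
            'name': snapshot_id,
            'vpc_id': raw_snapshot['VpcId'],
            # NOTE(review): presumably the snapshot's sharing attributes added by the facade - confirm
            'attributes': raw_snapshot['Attributes'],
            'is_cluster': is_cluster,
        }

        # Optional fields: absent keys are recorded as None rather than raising
        for attribute in ('DBInstanceIdentifier', 'SnapshotCreateTime', 'Encrypted', 'OptionGroupName'):
            snapshot[attribute] = raw_snapshot.get(attribute)

        if is_cluster:  # Map some fields to do more generic and simple rules
            snapshot['DBClusterIdentifier'] = raw_snapshot['DBClusterIdentifier']
            # Cluster snapshots report encryption as 'StorageEncrypted'; expose it under the
            # same 'Encrypted' key as instance snapshots so one encryption rule covers both
            snapshot['Encrypted'] = raw_snapshot['StorageEncrypted']

        return snapshot_id, snapshot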


================================================
FILE: ScoutSuite/providers/aws/resources/rds/subnetgroups.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class SubnetGroups(AWSResources):
    """RDS DB subnet groups of one region and VPC, keyed by an ID derived from the group name."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc

    async def fetch_all(self):
        """Fetch the subnet groups of this region/VPC through the facade and store each parsed entry."""
        for raw_group in await self.facade.rds.get_subnet_groups(self.region, self.vpc):
            group_id, group = self._parse_subnet_group(raw_group)
            self[group_id] = group

    def _parse_subnet_group(self, raw_subnet_group):
        """
        Add the normalised keys to a raw DB subnet group in place.

        ``DBSubnetGroupName`` is copied (not removed) to ``name``; ``DBSubnetGroupArn`` is moved
        to ``ARN``.

        :param raw_subnet_group: dict describing one DB subnet group
        :return: tuple of (ID derived from the group name, the same dict after the update)
        """
        group_name = raw_subnet_group['DBSubnetGroupName']
        raw_subnet_group['name'] = group_name
        # NOTE(review): the key is upper-case 'ARN' here, unlike the 'arn' key used by the RDS
        # security group resource - consumers presumably rely on it; verify before renaming
        raw_subnet_group['ARN'] = raw_subnet_group.pop('DBSubnetGroupArn')
        return get_non_provider_id(raw_subnet_group['name']), raw_subnet_group


================================================
FILE: ScoutSuite/providers/aws/resources/rds/vpcs.py
================================================
from ScoutSuite.providers.aws.resources.vpcs import Vpcs
from ScoutSuite.providers.aws.resources.rds.instances import RDSInstances
from ScoutSuite.providers.aws.resources.rds.snapshots import Snapshots
from ScoutSuite.providers.aws.resources.rds.subnetgroups import SubnetGroups


class RDSVpcs(Vpcs):
    """VPC container for RDS: each VPC holds its instances, snapshots and subnet groups."""

    # (resource class, key under which its results are stored)
    _children = [
        (RDSInstances, 'instances'),
        (Snapshots, 'snapshots'),
        (SubnetGroups, 'subnet_groups'),
    ]


================================================
FILE: ScoutSuite/providers/aws/resources/redshift/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/redshift/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .cluster_parameter_groups import ClusterParameterGroups
from .cluster_security_groups import ClusterSecurityGroups
from .vpcs import RedshiftVpcs


class Redshift(Regions):
    """Redshift service root: per-region VPCs, cluster parameter groups and cluster security groups."""

    # (resource class, key under which its results are stored)
    _children = [
        (RedshiftVpcs, 'vpcs'),
        (ClusterParameterGroups, 'parameter_groups'),
        (ClusterSecurityGroups, 'security_groups'),
    ]

    def __init__(self, facade: AWSFacade):
        # 'redshift' is the service name handed to Regions
        super().__init__('redshift', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/redshift/cluster_parameter_groups.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.aws.utils import format_arn

from .cluster_parameters import ClusterParameters


class ClusterParameterGroups(AWSCompositeResources):
    """Redshift cluster parameter groups of one region, each with its parameters as a child resource."""

    # (resource class, key under which its results are stored)
    _children = [
        (ClusterParameters, 'parameters'),
    ]

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        # Components used when formatting the group's ARN
        self.service = 'redshift'
        self.resource_type = 'parametergroup'

    async def fetch_all(self):
        """Fetch the region's parameter groups, then the parameters of every group."""
        for raw_group in await self.facade.redshift.get_cluster_parameter_groups(self.region):
            group_id, group = self._parse_parameter_group(raw_group)
            self[group_id] = group

        # Each child fetch is scoped by region and by the group's provider name (not its ID)
        child_scopes = {
            group_id: {'region': self.region, 'parameter_group_name': group['name']}
            for group_id, group in self.items()
        }
        await self._fetch_children_of_all_resources(resources=self, scopes=child_scopes)

    def _parse_parameter_group(self, raw_parameter_group):
        """
        Build a normalised parameter group dict from the raw provider dict.

        :param raw_parameter_group: dict describing one cluster parameter group
        :return: tuple of (ID derived from the group name, normalised dict)
        """
        group_name = raw_parameter_group.get('ParameterGroupName')
        group_id = get_non_provider_id(group_name)
        parameter_group = {
            'name': group_name,
            'id': group_id,
            'arn': format_arn(self.partition, self.service, self.region, self.facade.owner_id,
                              raw_parameter_group.get('ParameterGroupName'), self.resource_type),
            'family': raw_parameter_group.get('ParameterGroupFamily'),
            'description': raw_parameter_group.get('Description'),
            'is_default': self._is_default(raw_parameter_group),
            'tags': raw_parameter_group.get('Tags'),
        }
        return parameter_group['id'], parameter_group

    def _is_default(self, raw_parameter_group):
        """
        Tell whether a raw parameter group looks like a provider default group.

        The check is a string heuristic on the description and the name.

        :param raw_parameter_group: dict describing one cluster parameter group
        :return: True when both markers are found, False otherwise
        """
        # NOTE(review): a group without 'Description' or 'ParameterGroupName' makes .get()
        # return None and the 'in' test raise TypeError - confirm both are always present
        description_matches = 'Default parameter group for' in raw_parameter_group.get('Description')
        return description_matches and 'default.' in raw_parameter_group.get('ParameterGroupName')


================================================
FILE: ScoutSuite/providers/aws/resources/redshift/cluster_parameters.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import format_arn


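class ClusterParameters(AWSResources):
    """Parameters of one Redshift cluster parameter group, keyed by parameter name."""

    def __init__(self, facade: AWSFacade, region: str, parameter_group_name: str):
        super().__init__(facade)
        self.region = region
        self.parameter_group_name = parameter_group_name
        self.partition = facade.partition
        # Components used when formatting each parameter's ARN
        self.service = 'redshift'
        self.resource_type = 'cluster-parameter'

    async def fetch_all(self):
        """Fetch the parameters of this group through the facade and store each parsed entry."""
        raw_parameters = await self.facade.redshift.get_cluster_parameters(
            self.region, self.parameter_group_name)
        for raw_parameter in raw_parameters:
            name, parameter = self._parse_parameter(raw_parameter)
            self[name] = parameter

    def _parse_parameter(self, raw_parameter):
        """
        Reduce a raw parameter to the fields that are kept: value, source and ARN.

        :param raw_parameter: dict describing one cluster parameter
        :return: tuple of (parameter name, dict with 'value', 'source' and 'arn')
        :raises KeyError: if 'ParameterValue', 'Source' or 'ParameterName' is missing
        """
        parameter = {'value': raw_parameter['ParameterValue'],
                     'source': raw_parameter['Source']}
        # Attach the ARN to the dict that is returned; setting it on raw_parameter would lose it,
        # since only `parameter` is stored by fetch_all. The account-id field is left empty.
        parameter['arn'] = format_arn(self.partition, self.service, self.region, '',
                                      raw_parameter.get('ParameterName'), self.resource_type)
        return raw_parameter['ParameterName'], parameter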


================================================
FILE: ScoutSuite/providers/aws/resources/redshift/cluster_security_groups.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources


class ClusterSecurityGroups(AWSResources):
    """Redshift cluster security groups of one region, keyed by group name."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's cluster security groups through the facade and store each entry."""
        for raw_group in await self.facade.redshift.get_cluster_security_groups(self.region):
            group_name, group = self._parse_security_group(raw_group)
            self[group_name] = group

    def _parse_security_group(self, raw_security_group):
        """
        Move ``ClusterSecurityGroupName`` to ``name`` in place.

        :param raw_security_group: dict describing one cluster security group
        :return: tuple of (group name, the same dict after renaming)
        """
        raw_security_group['name'] = raw_security_group.pop('ClusterSecurityGroupName')
        return raw_security_group['name'], raw_security_group


================================================
FILE: ScoutSuite/providers/aws/resources/redshift/clusters.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import format_arn


class Clusters(AWSResources):
    """Redshift clusters of one region and VPC, keyed by cluster identifier."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        super().__init__(facade)
        self.region = region
        self.vpc = vpc
        self.partition = facade.partition
        # Components used when formatting each cluster's ARN
        self.service = 'redshift'
        self.resource_type = 'cluster'

    async def fetch_all(self):
        """Fetch the clusters of this region/VPC through the facade and store each parsed entry."""
        for raw_cluster in await self.facade.redshift.get_clusters(self.region, self.vpc):
            cluster_name, cluster = self._parse_cluster(raw_cluster)
            self[cluster_name] = cluster

    def _parse_cluster(self, raw_cluster):
        """
        Move ``ClusterIdentifier`` to ``name`` and add a formatted ``arn``, in place.

        :param raw_cluster: dict describing one cluster
        :return: tuple of (cluster identifier, the same dict after the update)
        """
        cluster_name = raw_cluster.pop('ClusterIdentifier')
        raw_cluster.update(name=cluster_name)
        raw_cluster['arn'] = format_arn(
            self.partition, self.service, self.region, self.facade.owner_id, cluster_name, self.resource_type)
        return cluster_name, raw_cluster


================================================
FILE: ScoutSuite/providers/aws/resources/redshift/vpcs.py
================================================
from ScoutSuite.providers.aws.resources.vpcs import Vpcs

from .clusters import Clusters


class RedshiftVpcs(Vpcs):
    """VPC container for Redshift: each VPC holds its clusters."""

    # (resource class, key under which its results are stored)
    _children = [
        (Clusters, 'clusters'),
    ]


================================================
FILE: ScoutSuite/providers/aws/resources/regions.py
================================================
import abc

from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.aws.facade.base import AWSFacade


class Regions(AWSCompositeResources, metaclass=abc.ABCMeta):
    """Base for regional services: builds the region list, fetches children per region, sums counts."""

    def __init__(self, service: str, facade: AWSFacade):
        super().__init__(facade)
        self.service = service

    async def fetch_all(self, regions=None, excluded_regions=None, partition_name='aws', **kwargs):
        """
        Populate ``self['regions']`` and fetch the children of every region.

        :param regions: passed through to the facade's ``build_region_list``
        :param excluded_regions: passed through to the facade's ``build_region_list``
        :param partition_name: passed through to the facade's ``build_region_list``
        :param kwargs: accepted and ignored
        """
        self['regions'] = {}
        region_names = await self.facade.build_region_list(
            self.service, regions, excluded_regions, partition_name)
        for region in region_names:
            self['regions'][region] = {'id': region, 'region': region, 'name': region}

        # One child fetch per region, scoped by the region name
        region_scopes = {region: {'region': region} for region in self['regions']}
        await self._fetch_children_of_all_resources(resources=self['regions'], scopes=region_scopes)

        self._set_counts()

    def _set_counts(self):
        """Store the number of regions and, per child key, the sum of the per-region counts."""
        self['regions_count'] = len(self['regions'])
        for _, key in self._children:
            # VPCs should not be counted as resources. They exist whether you have resources or not, so
            # counting them would make the report confusing.
            if key == 'vpcs':
                continue
            count_key = key + '_count'
            self[count_key] = sum(region[count_key] for region in self['regions'].values())


================================================
FILE: ScoutSuite/providers/aws/resources/route53/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/route53/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .domains import Domains
from .hosted_zones import HostedZones


class Route53(Regions):
    """Route 53 service root: registered domains and hosted zones."""

    # (resource class, key under which its results are stored)
    _children = [
        (Domains, 'domains'),
        (HostedZones, 'hosted_zones'),
    ]

    def __init__(self, facade: AWSFacade):
        # The service name handed to Regions is 'route53domains', not 'route53'
        super().__init__('route53domains', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/route53/domains.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.aws.utils import format_arn


class Domains(AWSResources):
    """Route 53 registered domains of one region, keyed by an ID derived from the domain name."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        # Components used when formatting each domain's ARN
        self.service = 'route53'
        self.resource_type = 'domain'

    async def fetch_all(self):
        """Fetch the region's domains through the facade and store each parsed entry."""
        for raw_domain in await self.facade.route53.get_domains(self.region):
            domain_id, domain = self._parse_domain(raw_domain)
            self[domain_id] = domain

    def _parse_domain(self, raw_domain):
        """
        Build a normalised domain dict; missing provider keys become None.

        ``auto_renew``, ``transfer_lock`` and ``expiry`` are copied as reported so that rules
        can check domain renewal and transfer protection.

        :param raw_domain: dict describing one registered domain
        :return: tuple of (ID derived from the domain name, normalised dict)
        """
        domain_id = get_non_provider_id(raw_domain.get('DomainName'))
        domain_dict = {
            'id': domain_id,
            'name': raw_domain.get('DomainName'),
            'auto_renew': raw_domain.get('AutoRenew'),
            'transfer_lock': raw_domain.get('TransferLock'),
            'expiry': raw_domain.get('Expiry'),
            # The ARN is formatted from the derived ID, not from the domain name
            'arn': format_arn(self.partition, self.service, self.region, self.facade.owner_id,
                              domain_id, self.resource_type),
        }
        return domain_dict['id'], domain_dict


================================================
FILE: ScoutSuite/providers/aws/resources/route53/hosted_zones.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.utils import format_arn


class HostedZones(AWSResources):
    """Route 53 hosted zones with their resource record sets, keyed by hosted zone ID."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        # Components used when formatting each hosted zone's ARN
        self.service = 'route53'
        self.resource_type = 'hosted-zone'

    async def fetch_all(self):
        """Fetch the hosted zones (the call takes no region) and parse them one at a time."""
        for raw_zone in await self.facade.route53.get_hosted_zones():
            zone_id, zone = await self._parse_hosted_zone(raw_zone)
            self[zone_id] = zone

    async def _parse_hosted_zone(self, raw_hosted_zone):
        """
        Build a normalised hosted zone dict and fetch the zone's record sets.

        :param raw_hosted_zone: dict describing one hosted zone
        :return: tuple of (hosted zone ID as reported, normalised dict)
        """
        zone_id = raw_hosted_zone.get('Id')
        hosted_zone_dict = {
            'id': zone_id,
            'name': raw_hosted_zone.get('Name'),
            'caller_reference': raw_hosted_zone.get('CallerReference'),
            'config': raw_hosted_zone.get('Config'),
            # One extra facade call per zone to collect its records
            'resource_record_sets': await self.facade.route53.get_resource_records(zone_id),
            'resource_record_set_count': raw_hosted_zone.get('ResourceRecordSetCount'),
            # The account-id field of the ARN is left empty
            'arn': format_arn(self.partition, self.service, self.region, '',
                              raw_hosted_zone.get('Id'), self.resource_type),
        }
        return hosted_zone_dict['id'], hosted_zone_dict


================================================
FILE: ScoutSuite/providers/aws/resources/s3/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/s3/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from .buckets import Buckets


class S3(AWSCompositeResources):
    """S3 service root: the account-level public access block settings plus all buckets."""

    # (resource class, key under which its results are stored)
    _children = [
        (Buckets, 'buckets'),
    ]

    def __init__(self, facade: AWSFacade):
        super().__init__(facade)
        self.service = 's3'

    async def fetch_all(self, partition_name='aws', **kwargs):
        """
        Record the account-level public access block configuration, then fetch the buckets.

        :param partition_name: accepted but not used here
        :param kwargs: only ``regions`` is read
        """
        # Keep track of regions as S3 is both a global and regional service
        self.facade.s3.regions = kwargs.get('regions')
        account_id = self.facade.owner_id
        self['public_access_block_configuration'] = self.facade.s3.get_s3_public_access_block(account_id)
        await self._fetch_children(self)

    async def finalize(self):
        """
        Give every bucket an effective ``public_access_block_configuration``.

        A bucket with its own configuration has each of the four settings OR-ed with the
        account-level value; a bucket without one is pointed at the account-level dict itself.
        """
        settings = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
        for bucket_id in self['buckets']:
            bucket = self['buckets'][bucket_id]
            if "public_access_block_configuration" not in bucket:
                # No bucket-level configuration, use account level configuration
                # (the same dict object is shared by every such bucket, not a copy)
                bucket["public_access_block_configuration"] = self['public_access_block_configuration']
                continue

            # The resulting configuration will be the most restrictive
            # NOTE(review): the account-level lookup is only reached when the bucket value is
            # falsy; it would fail if the account-level configuration is not a dict - confirm
            # what the facade returns when that configuration cannot be read
            bucket_config = bucket["public_access_block_configuration"]
            for setting in settings:
                bucket_config[setting] = \
                    bucket_config[setting] or self['public_access_block_configuration'][setting]


================================================
FILE: ScoutSuite/providers/aws/resources/s3/buckets.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import format_arn, get_partition_name
from ScoutSuite.providers.utils import get_non_provider_id


class Buckets(AWSResources):
    """S3 buckets of the account, keyed by an ID derived from the bucket name."""

    async def fetch_all(self):
        """Set the ARN components, then fetch all buckets through the facade and store each entry."""
        self.partition = get_partition_name(self.facade.session)
        self.service = 's3'

        for raw_bucket in await self.facade.s3.get_buckets():
            bucket_id, bucket = self._parse_bucket(raw_bucket)
            self[bucket_id] = bucket

    def _parse_bucket(self, raw_bucket):
        """
        Parse a single S3 bucket

        TODO:
        - CORS
        - Lifecycle
        - Notification ?
        - Get bucket's policy

        :param raw_bucket: dict describing one bucket; it is updated in place
        :return: tuple of (ID derived from the bucket name, the same dict after the update)
        """
        bucket_name = raw_bucket.pop('Name')
        raw_bucket['name'] = bucket_name
        # Stringify the creation date as reported by the provider
        raw_bucket['CreationDate'] = str(raw_bucket['CreationDate'])

        bucket_id = get_non_provider_id(raw_bucket['name'])
        raw_bucket['id'] = bucket_id
        # Passing empty strings for 'region' and 'account-id' since S3 bucket ARNs omit them
        raw_bucket['arn'] = format_arn(self.partition, self.service, '', '', '*', raw_bucket['name'])
        return raw_bucket['id'], raw_bucket


================================================
FILE: ScoutSuite/providers/aws/resources/secretsmanager/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/secretsmanager/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .secrets import Secrets


class SecretsManager(Regions):
    """Secrets Manager service root: the secrets of every region."""

    # (resource class, key under which its results are stored)
    _children = [
        (Secrets, 'secrets'),
    ]

    def __init__(self, facade: AWSFacade):
        # 'secretsmanager' is the service name handed to Regions
        super().__init__('secretsmanager', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/secretsmanager/secrets.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class Secrets(AWSResources):
    """Secrets Manager secrets of one region, keyed by an ID derived from the secret ARN."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's secrets through the facade and store each parsed entry."""
        raw_secrets = await self.facade.secretsmanager.get_secrets(self.region)
        for raw_secret in raw_secrets:
            secret_id, secret = self._parse_secret(raw_secret)
            self[secret_id] = secret

    def _parse_secret(self, raw_secret):
        """
        Build a normalised secret dict from the raw provider dict.

        Only the fields listed below are copied; missing provider keys become None, except
        ``rotation`` which defaults to False.

        :param raw_secret: dict describing one secret
        :return: tuple of (ID derived from the ARN, normalised dict)
        """
        rotation_rules = raw_secret.get('RotationRules', {})
        secret_dict = {
            'id': get_non_provider_id(raw_secret.get('ARN')),
            'arn': raw_secret.get('ARN'),
            'name': raw_secret.get('Name'),
            'description': raw_secret.get('Description'),
            'last_changed_date': raw_secret.get('LastChangedDate'),
            'last_accessed_date': raw_secret.get('LastAccessedDate'),
            'tags': raw_secret.get('Tags'),
            'secret_versions_to_stages': raw_secret.get('SecretVersionsToStages'),
            'kms': raw_secret.get('KmsKeyId'),
            # NOTE(review): lower-case 'policy' is presumably attached by the facade - confirm
            'policy': raw_secret.get('policy'),
            # A secret that does not report 'RotationEnabled' is recorded as not rotating
            'rotation': raw_secret.get('RotationEnabled', False),
            'rotation_lambda_arn': raw_secret.get('RotationLambdaARN'),
            'rotation_interval': rotation_rules.get('AutomaticallyAfterDays'),
        }
        return secret_dict['id'], secret_dict


================================================
FILE: ScoutSuite/providers/aws/resources/ses/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/ses/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .identities import Identities


class SES(Regions):
    """SES service root: the identities of every region."""

    # (resource class, key under which its results are stored)
    _children = [
        (Identities, 'identities'),
    ]

    def __init__(self, facade: AWSFacade):
        # 'ses' is the service name handed to Regions
        super().__init__('ses', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/ses/identities.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.aws.utils import format_arn

from .identity_policies import IdentityPolicies


class Identities(AWSCompositeResources):
    """SES identities of one region, each with its identity policies as a child resource."""

    # (resource class, key under which its results are stored)
    _children = [
        (IdentityPolicies, 'policies'),
    ]

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region
        self.partition = facade.partition
        # Components used when formatting each identity's ARN
        self.service = 'ses'
        self.resource_type = 'identity'

    async def fetch_all(self):
        """Fetch the region's identities, then the policies of every identity."""
        for raw_identity in await self.facade.ses.get_identities(self.region):
            identity_id, identity = self._parse_identity(raw_identity)
            self[identity_id] = identity

        # Each child fetch is scoped by region and by the identity's name (not its ID)
        child_scopes = {
            identity_id: {'region': self.region, 'identity_name': identity['name']}
            for identity_id, identity in self.items()
        }
        await self._fetch_children_of_all_resources(resources=self, scopes=child_scopes)

    def _parse_identity(self, raw_identity):
        """
        Build a normalised identity dict from a (name, DKIM attributes) pair.

        :param raw_identity: two-item sequence of identity name and its DKIM attributes dict
        :return: tuple of (ID derived from the identity name, normalised dict)
        :raises KeyError: if the DKIM attributes lack 'DkimEnabled' or 'DkimVerificationStatus'
        """
        identity_name, dkim_attributes = raw_identity
        identity = {
            'name': identity_name,
            # DKIM state is copied as reported so rules can check it
            'DkimEnabled': dkim_attributes['DkimEnabled'],
            'DkimVerificationStatus': dkim_attributes['DkimVerificationStatus'],
            'arn': format_arn(self.partition, self.service, self.region, self.facade.owner_id,
                              identity_name, self.resource_type),
        }
        return get_non_provider_id(identity_name), identity


================================================
FILE: ScoutSuite/providers/aws/resources/ses/identity_policies.py
================================================
import json

from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import format_arn


class IdentityPolicies(AWSResources):
    """Policies attached to one SES identity, keyed by policy name."""

    def __init__(self, facade: AWSFacade, region: str, identity_name: str):
        super().__init__(facade)
        self.region = region
        self.identity_name = identity_name
        self.partition = facade.partition
        # Components used when formatting each policy's ARN
        self.service = 'ses'
        self.resource_type = 'identity-policy'

    async def fetch_all(self):
        """Fetch the identity's policies, parse each JSON document and add a formatted ``arn``."""
        raw_policies = await self.facade.ses.get_identity_policies(self.region, self.identity_name)
        for policy_name in raw_policies:
            # Each value is a JSON policy document; json.loads raises on malformed JSON
            policy = json.loads(raw_policies[policy_name])
            self[policy_name] = policy
            # The account-id field of the ARN is left empty
            self[policy_name]['arn'] = format_arn(
                self.partition, self.service, self.region, '', policy_name, self.resource_type)


================================================
FILE: ScoutSuite/providers/aws/resources/sns/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/sns/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .topics import Topics


class SNS(Regions):
    """SNS service root: the topics of every region."""

    # (resource class, key under which its results are stored)
    _children = [
        (Topics, 'topics'),
    ]

    def __init__(self, facade: AWSFacade):
        # 'sns' is the service name handed to Regions
        super().__init__('sns', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/sns/subscriptions.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources


class Subscriptions(AWSResources):
    """Subscriptions of one SNS topic, grouped by protocol, with a running total."""

    def __init__(self, facade: AWSFacade, region: str, topic_name: str):
        super().__init__(facade)
        self.region = region
        self.topic_name = topic_name

    async def fetch_all(self):
        """Fetch the topic's subscriptions and fill ``protocol`` and ``subscriptions_count``."""
        raw_subscriptions = await self.facade.sns.get_subscriptions(self.region, self.topic_name)
        self['protocol'] = {}
        self['subscriptions_count'] = 0
        for raw_subscription in raw_subscriptions:
            protocol, subscription = self._parse_subscription(raw_subscription)
            # One list of subscriptions per protocol, created on first use
            self['protocol'].setdefault(protocol, []).append(subscription)
            self['subscriptions_count'] += 1

    def _parse_subscription(self, raw_subscription):
        """
        Remove ``Protocol`` from the raw subscription and move ``SubscriptionArn`` to ``arn``.

        :param raw_subscription: dict describing one subscription; it is updated in place
        :return: tuple of (protocol, the same dict after the update)
        """
        subscription_protocol = raw_subscription.pop('Protocol')
        subscription_arn = raw_subscription.pop('SubscriptionArn')
        raw_subscription['arn'] = subscription_arn
        return subscription_protocol, raw_subscription


================================================
FILE: ScoutSuite/providers/aws/resources/sns/topics.py
================================================
import json

from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.utils import get_non_provider_id

from .subscriptions import Subscriptions


class Topics(AWSCompositeResources):
    """SNS topics of one region, each with its subscriptions as a child resource."""

    # (resource class, key under which its results are stored)
    _children = [
        (Subscriptions, 'subscriptions'),
    ]

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's topics, then their subscriptions, then lift the count to the topic."""
        for raw_topic in await self.facade.sns.get_topics(self.region):
            topic_id, topic = self._parse_topic(raw_topic)
            self[topic_id] = topic

        # Each child fetch is scoped by region and by the topic's name (not its ID)
        child_scopes = {
            topic_id: {'region': self.region, 'topic_name': topic['name']}
            for topic_id, topic in self.items()
        }
        await self._fetch_children_of_all_resources(resources=self, scopes=child_scopes)

        # Fix subscriptions count:
        # the child stores it inside 'subscriptions'; move it up to the topic itself
        for topic in self.values():
            topic['subscriptions_count'] = topic['subscriptions'].pop('subscriptions_count')

    def _parse_topic(self, raw_topic):
        """
        Normalise a raw topic in place and flatten selected attributes onto it.

        :param raw_topic: dict with 'TopicArn' and an 'attributes' dict
        :return: tuple of (ID derived from the topic name, the same dict after the update)
        :raises KeyError: if 'TopicArn' or 'attributes' is missing
        """
        topic_arn = raw_topic.pop('TopicArn')
        raw_topic['arn'] = topic_arn
        # The topic name is the last ':'-separated field of the ARN
        raw_topic['name'] = raw_topic['arn'].split(':')[-1]

        attributes = raw_topic.pop('attributes')
        for plain_key in ('Owner', 'DisplayName'):
            raw_topic[plain_key] = attributes[plain_key] if plain_key in attributes else None
        # These attributes hold JSON documents; they are parsed so rules can inspect them
        for json_key in ('Policy', 'DeliveryPolicy', 'EffectiveDeliveryPolicy'):
            raw_topic[json_key] = json.loads(attributes[json_key]) if json_key in attributes else None

        # Unlike the keys above, 'KmsMasterKeyId' is only set when the attribute exists
        if "KmsMasterKeyId" in attributes:
            raw_topic["KmsMasterKeyId"] = attributes["KmsMasterKeyId"]

        return get_non_provider_id(raw_topic['name']), raw_topic


================================================
FILE: ScoutSuite/providers/aws/resources/sqs/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/sqs/base.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .queues import Queues


class SQS(Regions):
    """SQS service root: the queues of every region."""

    # (resource class, key under which its results are stored)
    _children = [
        (Queues, 'queues'),
    ]

    def __init__(self, facade: AWSFacade):
        # 'sqs' is the service name handed to Regions
        super().__init__('sqs', facade)


================================================
FILE: ScoutSuite/providers/aws/resources/sqs/queues.py
================================================
import json

from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.utils import get_non_provider_id


class Queues(AWSResources):
    """SQS queues of one region, keyed by an ID derived from the queue name."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.region = region

    async def fetch_all(self):
        """Fetch the region's queues with the attributes needed below and store each parsed entry."""
        requested_attributes = ['CreatedTimestamp', 'Policy', 'QueueArn', 'KmsMasterKeyId', 'SqsManagedSseEnabled']
        queues = await self.facade.sqs.get_queues(self.region, requested_attributes)
        for queue_url, queue_attributes in queues:
            queue_id, queue = self._parse_queue(queue_url, queue_attributes)
            self[queue_id] = queue

    def _parse_queue(self, queue_url, queue_attributes):
        """
        Build a normalised queue dict from the queue URL and its attributes.

        :param queue_url: URL of the queue
        :param queue_attributes: dict of queue attributes; 'SqsManagedSseEnabled' is popped from it
        :return: tuple of (ID derived from the queue name, normalised dict)
        """
        queue_arn = queue_attributes.get('QueueArn')
        queue = {
            'arn': queue_arn,
            # The queue name is the last ':'-separated field of the ARN; a missing 'QueueArn'
            # makes this raise AttributeError
            'name': queue_arn.split(':')[-1],
            'QueueUrl': queue_url,
            # Both encryption settings are None when the attribute is not reported
            'kms_master_key_id': queue_attributes.get('KmsMasterKeyId', None),
            'sqs_managed_sse_enabled': queue_attributes.pop('SqsManagedSseEnabled', None),
            'CreatedTimestamp': queue_attributes.get('CreatedTimestamp', None),
        }

        # A queue without a policy gets an empty statement list, so 'Policy' always has
        # a 'Statement' key to iterate over
        has_policy = 'Policy' in queue_attributes
        queue['Policy'] = json.loads(queue_attributes['Policy']) if has_policy else {'Statement': []}

        return get_non_provider_id(queue['name']), queue


================================================
FILE: ScoutSuite/providers/aws/resources/vpc/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/aws/resources/vpc/base.py
================================================
import netaddr

from ScoutSuite.core.fs import read_ip_ranges
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.regions import Regions

from .flow_logs import FlowLogs
from .vpcs import RegionalVpcs
from .peering_connections import PeeringConnections

# Cache of CIDR -> display name. put_cidr_name() consults it first and stores
# every name it resolves, so each CIDR is looked up at most once per process.
# NOTE(review): only the IPv4 "anywhere" range is pre-seeded; '::/0' is not.
known_cidrs = {'0.0.0.0/0': 'All'}
# Fallback ranges iterated by get_cidr_name(), which expects entries with
# 'ip_prefix', 'service' and 'region' keys. Empty here and not populated
# anywhere in this module.
aws_ip_ranges = {}


class VPC(Regions):
    """Resource group for VPC data: regional VPCs, flow logs and peering connections."""

    # (resource class, key) pairs declaring the child resources of this group.
    _children = [
        (RegionalVpcs, 'vpcs'),
        (FlowLogs, 'flow_logs'),
        (PeeringConnections, 'peering_connections')
    ]

    def __init__(self, facade: AWSFacade):
        # VPC is not a real service but a subset of ec2:
        super().__init__('ec2', facade)


# TODO: move these helpers elsewhere:


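def put_cidr_name(current_config, path, current_path, resource_id, callback_args):
    """Add a display name for all known CIDRs.

    Rewrites ``current_config['cidrs']`` in place as a list of
    ``{'CIDR': ..., 'CIDRName': ...}`` dicts. Does nothing when the key is absent.

    :param current_config: Dict that may hold a 'cidrs' list of CIDR strings
                           and/or ``{'CIDR': ...}`` dicts.
    :param path: Unused here; part of the callback signature.
    :param current_path: Unused here; part of the callback signature.
    :param resource_id: Unused here; part of the callback signature.
    :param callback_args: Must provide 'ip_ranges' and 'ip_ranges_name_key',
                          which are forwarded to get_cidr_name().
    """
    if 'cidrs' not in current_config:
        return

    named_cidrs = []
    for cidr in current_config['cidrs']:
        # Entries that are already {'CIDR': ...} dicts are unwrapped to the bare
        # CIDR. isinstance() also covers dict subclasses, which the former
        # type() comparison let through as unhashable cache keys.
        if isinstance(cidr, dict):
            cidr = cidr['CIDR']
        if cidr in known_cidrs:
            cidr_name = known_cidrs[cidr]
        else:
            cidr_name = get_cidr_name(
                cidr, callback_args['ip_ranges'], callback_args['ip_ranges_name_key'])
            # Cache the result so the ip-ranges files are not re-read for this CIDR.
            known_cidrs[cidr] = cidr_name
        named_cidrs.append({'CIDR': cidr, 'CIDRName': cidr_name})
    current_config['cidrs'] = named_cidrs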


def get_cidr_name(cidr, ip_ranges_files, ip_ranges_name_key):
    """Resolve a display name for *cidr* from the configured ip-ranges files.

    :param cidr: CIDR to name.
    :param ip_ranges_files: Local ip-ranges files, searched in the given order.
    :param ip_ranges_name_key: Key of each range entry that holds its display name.
    :return: The stripped name of the first range that contains *cidr*; otherwise
             'Unknown CIDR in <service> <region>' when a range in
             ``aws_ip_ranges`` contains it; otherwise 'Unknown CIDR'.
    """
    # The input is converted to an IPNetwork only when there is a range to
    # compare it with, so with no ranges configured it is never parsed.
    for ranges_file in ip_ranges_files:
        for entry in read_ip_ranges(ranges_file, local_file=True):
            network = netaddr.IPNetwork(entry['ip_prefix'])
            cidr = netaddr.IPNetwork(cidr)
            if cidr in network:
                return entry[ip_ranges_name_key].strip()

    # No user-supplied range matched: try the module-level AWS ranges.
    for entry in aws_ip_ranges:
        network = netaddr.IPNetwork(entry['ip_prefix'])
        cidr = netaddr.IPNetwork(cidr)
        if cidr in network:
            return 'Unknown CIDR in {} {}'.format(entry['service'], entry['region'])

    return 'Unknown CIDR'


================================================
FILE: ScoutSuite/providers/aws/resources/vpc/flow_logs.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import get_name, format_arn


class FlowLogs(AWSResources):
    """VPC flow logs of a single region, keyed by flow log ID."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.facade = facade
        self.region = region
        # partition, service and resource_type are the fixed parts of the ARN
        # built in _parse_log().
        self.partition = facade.partition
        self.service = 'vpc'
        self.resource_type = 'flow-log'

    async def fetch_all(self):
        """Fetch the flow logs of ``self.region`` and store each parsed entry on ``self``."""
        for raw_entry in await self.facade.ec2.get_flow_logs(self.region):
            log_id, parsed = self._parse_log(raw_entry)
            self[log_id] = parsed

    def _parse_log(self, raw_flow_log):
        """Map one raw flow log onto the report's field names.

        Every field is read with ``.get()``, so a key missing from the raw
        entry ends up as ``None``.

        :return: ``(id, flow_log)`` with ``id`` being the 'FlowLogId' value.
        """
        flow_log_id = raw_flow_log.get('FlowLogId')
        parsed = {'name': flow_log_id, 'id': flow_log_id}

        # (report key, raw key) pairs copied over unchanged, in report order.
        copied_fields = (
            ('creation_time', 'CreationTime'),
            ('deliver_logs_error_message', 'DeliverLogsErrorMessage'),
            ('deliver_logs_status', 'DeliverLogsStatus'),
            ('flow_log_status', 'FlowLogStatus'),
            ('resource_id', 'ResourceId'),
            ('traffic_type', 'TrafficType'),
            ('log_destination_type', 'LogDestinationType'),
            ('log_destination', 'LogDestination'),
            ('log_format', 'LogFormat'),
            ('tags', 'Tags'),
            ('max_aggregation_interval', 'MaxAggregationInterval'),
        )
        for report_key, raw_key in copied_fields:
            parsed[report_key] = raw_flow_log.get(raw_key)

        # The account field of the ARN is passed as an empty string.
        parsed['arn'] = format_arn(
            self.partition, self.service, self.region, '',
            raw_flow_log.get('FlowLogId'), self.resource_type)
        return parsed['id'], parsed



================================================
FILE: ScoutSuite/providers/aws/resources/vpc/network_acls.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import get_name, format_arn
from ScoutSuite.core.fs import load_data

# Loaded once at import time. NetworkACLs._parse_network_acl_entries() indexes it
# with an entry's 'Protocol' value to fill the 'protocol' field.
protocols_dict = load_data('protocols.json', 'protocols')


class NetworkACLs(AWSResources):
    """Network ACLs of one VPC in one region, keyed by network ACL ID."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        # Attributes are assigned before the parent initialiser runs, as in the
        # original ordering.
        self.region = region
        self.vpc = vpc
        self.partition = facade.partition
        self.service = 'vpc'
        self.resource_type = 'network-acl'

        super().__init__(facade)

    async def fetch_all(self):
        """Fetch the network ACLs of ``self.vpc`` and store each parsed ACL on ``self``."""
        for raw_acl in await self.facade.ec2.get_network_acls(self.region, self.vpc):
            acl_id, parsed_acl = self._parse_network_acl(raw_acl)
            self[acl_id] = parsed_acl

    def _parse_network_acl(self, raw_network_acl):
        """Reshape one raw network ACL in place.

        'NetworkAclId' becomes 'id', 'Entries' is replaced by
        ``rules['ingress']`` / ``rules['egress']`` and an 'arn' is added.

        :return: ``(id, network_acl)``; the second item is the mutated input dict.
        """
        raw_network_acl['id'] = raw_network_acl.pop('NetworkAclId')
        get_name(raw_network_acl, raw_network_acl, 'id')

        rules = {}
        raw_network_acl['rules'] = rules
        # Entries carry an 'Egress' flag; split them by direction.
        for direction, is_egress in (('ingress', False), ('egress', True)):
            rules[direction] = self._parse_network_acl_entries(raw_network_acl['Entries'], is_egress)
        raw_network_acl.pop('Entries')

        raw_network_acl['arn'] = format_arn(
            self.partition, self.service, self.region,
            raw_network_acl.get('OwnerId'), raw_network_acl.get('id'), self.resource_type)
        return raw_network_acl['id'], raw_network_acl

    @staticmethod
    def _parse_network_acl_entries(entries, egress):
        """Collect the entries of one direction, keyed by rule number.

        :param entries: Raw ACL entries.
        :param egress: Keep only entries whose 'Egress' flag equals this value.
        :return: Dict mapping 'RuleNumber' to a dict with 'RuleAction',
                 'CidrBlock', 'protocol' and 'port_range'.
        """
        parsed = {}
        for entry in entries:
            if entry['Egress'] != egress:
                continue

            action = entry['RuleAction']
            rule_number = entry['RuleNumber']
            # IPv6 entries have no 'CidrBlock'; their 'Ipv6CidrBlock' is stored
            # under the same key.
            if 'CidrBlock' in entry:
                cidr_block = entry['CidrBlock']
            else:
                cidr_block = entry['Ipv6CidrBlock']
            protocol = protocols_dict[entry['Protocol']]

            if 'PortRange' in entry:
                # A falsy bound (including 0) is replaced by the widest value.
                first_port = entry['PortRange']['From'] or 1
                last_port = entry['PortRange']['To'] or 65535
                if first_port == last_port:
                    # A single port is kept as-is (not turned into a string).
                    port_range = first_port
                else:
                    port_range = str(first_port) + '-' + str(last_port)
            else:
                # No port range on the entry means all ports.
                port_range = '1-65535'

            parsed[rule_number] = {
                'RuleAction': action,
                'CidrBlock': cidr_block,
                'protocol': protocol,
                'port_range': port_range,
            }
        return parsed


================================================
FILE: ScoutSuite/providers/aws/resources/vpc/peering_connections.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import format_arn


class PeeringConnections(AWSResources):
    """VPC peering connections of a single region, keyed by peering connection ID."""

    def __init__(self, facade: AWSFacade, region: str):
        super().__init__(facade)
        self.facade = facade
        self.region = region
        # partition, service and resource_type are the fixed parts of the ARN
        # built in _parse_peering_connections().
        self.partition = facade.partition
        self.service = 'vpc'
        self.resource_type = 'peering-connection'

    async def fetch_all(self):
        """Fetch the peering connections of ``self.region`` and store each one on ``self``."""
        for raw_connection in await self.facade.ec2.get_peering_connections(self.region):
            connection_id, connection = self._parse_peering_connections(raw_connection)
            self[connection_id] = connection

    def _parse_peering_connections(self, raw_peering_connection):
        """Add 'id', 'name' and 'arn' to the raw peering connection in place.

        :return: ``(id, peering_connection)``; the second item is the mutated input dict.
        """
        connection_id = raw_peering_connection['VpcPeeringConnectionId']
        raw_peering_connection['id'] = connection_id
        raw_peering_connection['name'] = connection_id
        # The account field of the ARN is passed as an empty string.
        raw_peering_connection['arn'] = format_arn(
            self.partition, self.service, self.region, '',
            raw_peering_connection['VpcPeeringConnectionId'], self.resource_type)
        return raw_peering_connection['id'], raw_peering_connection


================================================
FILE: ScoutSuite/providers/aws/resources/vpc/subnets.py
================================================
from ScoutSuite.providers.aws.facade.base import AWSFacade
from ScoutSuite.providers.aws.resources.base import AWSResources
from ScoutSuite.providers.aws.utils import get_name


class Subnets(AWSResources):
    """Subnets of one VPC in one region, keyed by subnet ID."""

    def __init__(self, facade: AWSFacade, region: str, vpc: str):
        # Attributes are assigned before the parent initialiser runs, as in the
        # original ordering.
        self.region = region
        self.vpc = vpc

        super().__init__(facade)

    async def fetch_all(self):
        """Fetch the subnets of ``self.vpc`` and store each parsed subnet on ``self``."""
        for raw_entry in await self.facade.ec2.get_subnets(self.region, self.vpc):
            subnet_id, subnet = self._parse_subnet(raw_entry)
            self[subnet_id] = subnet

    def _parse_subnet(self, raw_subnet):
        """Reshape one raw subnet in place.

        'SubnetId' becomes 'id', 'SubnetArn' becomes 'arn' and 'CidrBlockv6' is
        set to the first associated IPv6 block, or ``None`` when there is none.

        :return: ``(id, subnet)``; the second item is the mutated input dict.
        """
        raw_subnet['id'] = raw_subnet['SubnetId']
        # get_name() still needs the 'SubnetId' key, so it is removed afterwards.
        get_name(raw_subnet, raw_subnet, 'SubnetId')
        raw_subnet.pop('SubnetId')
        raw_subnet['arn'] = raw_subnet.pop('SubnetArn')

        ipv6_associations = raw_subnet['Ipv6CidrBlockAssociationSet']
        # Only the first association is reported.
        raw_subnet['CidrBlockv6'] = (
            ipv6_associations[0]['Ipv6CidrBlock'] if ipv6_associations else None
        )

        return raw_subnet['id'], raw_subnet


================================================
FILE: ScoutSuite/providers/aws/resources/vpc/vpcs.py
================================================
from ScoutSuite.providers.aws.resources.vpcs import Vpcs

from .network_acls import NetworkACLs
from .subnets import Subnets


class RegionalVpcs(Vpcs):
    """Vpcs variant that declares network ACLs and subnets as its child resources."""

    # (resource class, key) pairs declaring the child resources.
    _children = [
        (NetworkACLs, 'network_acls'),
        (Subnets, 'subnets'),
    ]


================================================
FILE: ScoutSuite/providers/aws/resources/vpcs.py
================================================
from ScoutSuite.providers.aws.resources.base import AWSCompositeResources
from ScoutSuite.providers.aws.utils import format_arn

class Vpcs(AWSCompositeResources):
    """
    Fetches resources inside the virtual private clouds (VPCs) defined in a region.

    :param add_ec2_classic: Documented as adding 'EC2-Classic' to the list of VPCs
                            when True. This class only stores the flag; nothing
                            here reads it.
    """

    def __init__(self, facade, region: str, add_ec2_classic=False):
        super().__init__(facade)
        self.region = region
        self.add_ec2_classic = add_ec2_classic
        # partition, service and resource_type are the fixed parts of the ARN
        # built in _parse_vpc().
        self.partition = facade.partition
        self.service = 'vpc'
        self.resource_type = 'virtual-private-cloud'

    async def fetch_all(self):
        """Fetch the VPCs of ``self.region``, then the child resources of each VPC."""
        for entry in await self.facade.ec2.get_vpcs(self.region):
            parsed_id, parsed_vpc = self._parse_vpc(entry)
            self[parsed_id] = parsed_vpc

        # Each VPC's children are fetched with that VPC's region and ID as scope.
        child_scopes = {
            vpc_id: {'region': self.region, 'vpc': vpc_id}
            for vpc_id in self
        }
        await self._fetch_children_of_all_resources(
            resources=self,
            scopes=child_scopes
        )

    def _parse_vpc(self, raw_vpc):
        """Build the report entry for one raw VPC.

        :return: ``(id, vpc)`` with 'id', 'cidr_block', 'default', 'state',
                 'arn' and 'name'.
        """
        vpc = {
            'id': raw_vpc['VpcId'],
            'cidr_block': raw_vpc['CidrBlock'],
            'default': raw_vpc['IsDefault'],
            'state': raw_vpc['State'],
            'arn': format_arn(self.partition, self.service, self.region,
                              raw_vpc.get('OwnerId'), raw_vpc.get('VpcId'), self.resource_type),
        }

        # The name is the value of the first tag whose key is 'Name'; without
        # such a tag the VPC ID is used.
        name_tag = next(
            (tag for tag in raw_vpc.get('Tags', []) if tag.get('Key') == 'Name'),
            None)
        vpc['name'] = name_tag.get('Value') if name_tag else raw_vpc['VpcId']

        return vpc['id'], vpc


================================================
FILE: ScoutSuite/providers/aws/rules/conditions/cidr-is-all.json
================================================
{
    "conditions": [ "or",
        [ "this", "equal", "0.0.0.0/0" ],
        [ "this", "equal", "::/0" ]
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/conditions/ec2-security-group-in-use.json
================================================
{
    "conditions": [ "ec2.regions.id.vpcs.id.security_groups.id.", "withKey", "used_by" ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/conditions/ec2-security-group-not-used.json
================================================
{
    "conditions": [ "ec2.regions.id.vpcs.id.security_groups.id.", "withoutKey", "used_by" ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/conditions/instance-with-open-nacls.json
================================================
{
    "conditions": [
        "and",
        [
            "ec2.regions.id.vpcs.id.instances.id.network_interfaces.id",
            "withKey",
            "SubnetId"
        ],
        [
            "vpc.regions.id.vpcs.id.network_acls._GET_VALUE_AT_(vpc.regions.id.vpcs.id.subnets._GET_VALUE_AT_(ec2.regions.id.vpcs.id.instances.id.network_interfaces.id.SubnetId).network_acl).allow_all_ingress_traffic",
            "notEqual",
            "0"
        ]
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/conditions/instance-with-public-ip.json
================================================
{
    "conditions": [ "and",
        [ "ec2.regions.id.vpcs.id.instances.id.network_interfaces.id.", "withKey", "Association" ],
        [ "ec2.regions.id.vpcs.id.instances.id.network_interfaces.id.Association", "notNull", "" ],
        [ "ec2.regions.id.vpcs.id.instances.id.network_interfaces.id.Association.PublicIp", "notNull", "" ]
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/conditions/ip-not-in-private-space.json
================================================
{
    "conditions": [ "this", "notInSubnets", [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ] ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/conditions/policy-statement-any-principal.json
================================================
{
    "conditions": [ "or",
        [ "_STATEMENT_.Principal", "containAtLeastOneOf", "*" ],
        [ "and",
            [ "_STATEMENT_.Principal", "withKeyCaseInsensitive", "AWS" ],
            [ "_STATEMENT_.Principal.AWS", "containAtLeastOneOf", "*" ]
        ]
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/conditions/policy-statement-any-resource.json
================================================
{
    "conditions": [
        "and",
        [
            "_STATEMENT_.",
            "withKey",
            "Resource"
        ],
        [
            "or",
            [
                "_STATEMENT_.Resource",
                "containAtLeastOneOf",
                "*"
            ],
            [
                "_STATEMENT_.Resource",
                "containAtLeastOneMatching",
                ".*\/[*]$"
            ]
        ]
    ]
}

================================================
FILE: ScoutSuite/providers/aws/rules/conditions/policy-statement-poor-condition.json
================================================
{
  "conditions": [ "or",
    [ "_STATEMENT_.", "withoutKey", "Condition" ],
    [ "and",
      [ "and",
        [ "_STATEMENT_.Condition.", "withoutKey", "ArnEquals" ],
        [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:ArnEquals" ]
      ],
      [ "and",
        [ "_STATEMENT_.Condition.", "withoutKey", "ArnLike" ],
        [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:ArnLike" ]
      ],
      [ "or",
        [ "_STATEMENT_.Condition.", "withoutKey", "StringEquals" ],
        [ "and",
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledVia" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceArn" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "iam:PassedToService" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ],
          [ "_STATEMENT_.Condition.StringEquals.", "withoutKeyCaseInsensitive", "kms:ViaService" ]
        ]
      ],
      [ "or",
        [ "_STATEMENT_.Condition.", "withoutKey", "StringEqualsIgnoreCase" ],
        [ "and",
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledVia" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceArn" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "iam:PassedToService" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ],
          [ "_STATEMENT_.Condition.StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "kms:ViaService" ]
        ]
      ],
      [ "or",
        [ "_STATEMENT_.Condition.", "withoutKey", "StringLike" ],
        [ "and",
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:CalledVia" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:SourceArn" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "iam:PassedToService" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ],
          [ "_STATEMENT_.Condition.StringLike.", "withoutKeyCaseInsensitive", "kms:ViaService" ]
        ]
      ],
      [ "or",
        [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:StringEquals" ],
        [ "and",
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledVia" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceArn" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "iam:PassedToService" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEquals.", "withoutKeyCaseInsensitive", "kms:ViaService" ]
        ]
      ],
      [ "or",
        [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:StringEqualsIgnoreCase" ],
        [ "and",
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledVia" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceArn" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "iam:PassedToService" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringEqualsIgnoreCase.", "withoutKeyCaseInsensitive", "kms:ViaService" ]
        ]
      ],
      [ "or",
        [ "_STATEMENT_.Condition.", "withoutKey", "ForAnyValue:StringLike" ],
        [ "and",
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:CalledVia" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:CalledViaFirst" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:CalledViaLast" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalAccount" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalArn" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgPaths" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalOrgID" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceName" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:PrincipalServiceNamesList" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:ResourceTag" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:SourceAccount" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:SourceArn" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:SourceIdentity" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:SourceOwner" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "aws:ViaAWSService" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "iam:PassedToService" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "kms:CallerAccount" ],
          [ "_STATEMENT_.Condition.ForAnyValue:StringLike.", "withoutKeyCaseInsensitive", "kms:ViaService" ]

        ]
      ]
    ]
  ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/conditions/security-group-opens-all-ports.json
================================================
{
    "conditions": [ "and",
        [ "or",
            [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "equal", "0-65535" ],
            [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "equal", "1-65535" ],
            [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id", "equal", "ALL" ]
        ],
        [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id", "equal", "ingress"] 
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/filters/ec2-instance-with-open-nacls.json
================================================
{
    "description": "Public instance with open NACLs",
    "rationale": "",
    "path": "ec2.regions.id.vpcs.id.instances.id.network_interfaces.id",
    "dashboard_name": "ENIs",
    "display_path": "ec2.regions.id.vpcs.id.instances.id",
    "conditions": [ "and",
        [ "_INCLUDE_(conditions/instance-with-public-ip.json)", "", "" ],
        [ "_INCLUDE_(conditions/instance-with-open-nacls.json)", "", "" ]
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/filters/ec2-security-group-with-public-cidr-grant.json
================================================
{
    "description": "Security group whitelists public CIDRs",
    "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.ingress.protocols.id.ports.id.cidrs.id.CIDR",
    "display_path": "ec2.regions.id.vpcs.id.security_groups.id",
    "dashboard_name": "Rules",
    "conditions": [ "and",
        [ "this", "notInSubnets", [ "10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/24" ] ]
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/filters/iam-role-for-aws-account.json
================================================
{
    "description": "Role for _ARG_0_ account",
    "key": "iam-role-for-_ARG_0_-account",
    "path": "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id",
    "display_path": "iam.roles.id",
    "dashboard_name": "Roles",
    "conditions": [ "and",
        [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Effect", "equal", "Allow" ],
        [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.", "containAction", "sts:AssumeRole" ],
        [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal", "withKey", "AWS" ],
        [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal.AWS", "_ARG_1_", "_ACCOUNT_ID_" ]
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/filters/iam-role-for-service.json
================================================
{
    "description": "Role for _ARG_0_",
    "key": "iam-role-for-_ARG_0_",
    "path": "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id",
    "display_path": "iam.roles.id",
    "dashboard_name": "Roles",
    "conditions": [ "and",
        [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Effect", "equal", "Allow" ],
        [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.", "containAction", "sts:AssumeRole" ],
        [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal", "withKey", "Service" ],
        [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal.Service", "equal", "_ARG_1_" ]
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/filters/s3-bucket-website-enabled.json
================================================
{
    "dashboard_name": "Buckets",
    "description": "Bucket with static website enabled",
    "path": "s3.buckets.id",
    "display_path": "s3.buckets.id",
    "conditions": [ "and",
        [ "s3.buckets.id", "withKey", "web_hosting_enabled" ],
        [ "s3.buckets.id.web_hosting_enabled", "true", "" ]
    ],
    "id_suffix": "web_hosting_enabled"
}


================================================
FILE: ScoutSuite/providers/aws/rules/findings/acm-certificate-with-close-expiration-date.json
================================================
{
    "description": "ACM Certificate Expiring in Less Than _ARG_0_ Days",
    "rationale": "Ensure that certificates which are in use are not about to expire.",
    "dashboard_name": "Certificates",
    "path": "acm.regions.id.certificates.id",
    "conditions": [
        "and",
        [
            "acm.regions.id.certificates.id",
            "withKey",
            "NotAfter"
        ],
        [
            "acm.regions.id.certificates.id.NotAfter",
            "newerThan",
            [
                "_ARG_0_",
                "days"
            ]
        ]
    ],
    "id_suffix": "NotAfter"
}

================================================
FILE: ScoutSuite/providers/aws/rules/findings/acm-certificate-with-transparency-logging-disabled.json
================================================
{
    "description": "ACM Certificate with Transparency Logging Set to Disabled",
    "rationale": "Disabling Transparency Logging may result in browsers not trusting your certificate. As of April 30 2018, Google Chrome no longer trusts public SSL/TLS certificates that are not recorded in a certificate transparency log. Transparency Logging should be enabled as a best practice.",
    "references": [
        "https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/"
    ],
    "dashboard_name": "Certificates",
    "path": "acm.regions.id.certificates.id",
    "conditions": [
        "and",
        [
            "acm.regions.id.certificates.id.Options.CertificateTransparencyLoggingPreference",
            "equal",
            "DISABLED"
        ]
    ],
    "id_suffix": "CertificateTransparencyLoggingPreference"
}


================================================
FILE: ScoutSuite/providers/aws/rules/findings/cloudformation-stack-with-role.json
================================================
{
    "description": "Role Passed to Stack",
    "rationale": "Passing a role to CloudFormation stacks may result in privilege escalation because IAM users with privileges within the CloudFormation scope implicitly inherit the stack's role's permissions. Consequently, it should be ensured that the IAM privileges assigned to the stack's role follow the principle of least privilege.",
    "references": [
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html"
    ],
    "dashboard_name": "Stacks",
    "path": "cloudformation.regions.id.stacks.id",
    "conditions": [
        "and",
        [
            "this",
            "withKey",
            "iam_role"
        ],
        [
            "this.iam_role.id",
            "notEmpty",
            ""
        ]
    ]
}


================================================
FILE: ScoutSuite/providers/aws/rules/findings/cloudfront-distribution-cleartext-origin.json
================================================
{
    "description": "Content Distribution with Clear-Text Origin TLS Policy",
    "rationale": "Distributing content between AWS CloudFront distributions and their custom origins over clear-text HTTP, without using AWS encryption solutions, can potentially expose sensitive data.",
    "references": [
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-customoriginconfig.html"
    ],
    "dashboard_name": "Distributions",
    "path": "cloudfront.distributions.id",
    "conditions": [
        "or",
        [
            "cloudfront.distributions.id.origins",
            "containString",
            "http-only"
        ],
        [
            "cloudfront.distributions.id.origins",
            "containString",
            "match-viewer"
        ]
    ],
    "class_suffix": "config_policy"
}


================================================
FILE: ScoutSuite/providers/aws/rules/findings/cloudfront-distribution-insecure-origin.json
================================================
{
    "description": "Content Distribution with Insecure Origin TLS Policy",
    "rationale": "Distributing content between AWS CloudFront distributions and their custom origins over HTTPS using older SSL/TLS protocols can potentially expose sensitive data.",
    "references": [
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-customoriginconfig.html"
    ],
    "dashboard_name": "Distributions",
    "path": "cloudfront.distributions.id",
    "conditions": [
        "and",
        [
            "cloudfront.distributions.id.viewer_certificate.MinimumProtocolVersion.",
            "containNoneOf",
            [
                "TLSv1.1",
                "TLSv1.1_2016",
                "TLSv1.2_2018",
                "TLSv1.2_2019",
                "TLSv1.2_2021"
            ]
        ]
    ],
    "id_suffix": "minimum_ssl_version"
}


================================================
FILE: ScoutSuite/providers/aws/rules/findings/cloudfront-distribution-insufficient-viewer-security.json
================================================
{
    "description": "Content Distribution with Insufficient Viewer Security Policy",
    "rationale": "Distributing content between AWS CloudFront distributions and their custom origins without the use of a valid certificate can potentially expose sensitive data.",
    "references": [
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html"
    ],
    "dashboard_name": "Distributions",
    "path": "cloudfront.distributions.id",
    "conditions": [
        "or",
        [
            "this",
            "withoutKey",
            "viewer_certificate"
        ]
    ],
    "id_suffix": "viewer_certificate"
}


================================================
FILE: ScoutSuite/providers/aws/rules/findings/cloudtrail-duplicated-global-services-logging.json
================================================
{
    "description": "Global Service Logging Duplicated",
    "rationale": "Global service logging is enabled in multiple Trails. While this does not jeopardize the security of the environment, duplicated entries in logs make it more difficult to investigate potential incidents.",
    "references": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events"
    ],
    "dashboard_name": "Configurations",
    "path": "cloudtrail.regions.id.trails.id",
    "conditions": [
        "and",
        [
            "cloudtrail.DuplicatedGlobalServiceEvents",
            "true",
            ""
        ],
        [
            "this",
            "withKey",
            "IncludeGlobalServiceEvents"
        ],
        [
            "IncludeGlobalServiceEvents",
            "true",
            ""
        ],
        [
            "IsLogging",
            "true",
            ""
        ]
    ],
    "id_suffix": "IncludeGlobalServiceEvents"
}


================================================
FILE: ScoutSuite/providers/aws/rules/findings/cloudtrail-no-cloudwatch-integration.json
================================================
{
    "description": "Trail Is Not Integrated with CloudWatch",
    "rationale": "The lack of integration with CloudWatch hinders real-time and historic activity logging, and prevents the configuration of alarms and notifications for anomalous account activity.",
    "remediation": "Configure each Trail to have a CloudWatch Logs group attached",
    "compliance": [
        {
            "name": "CIS Amazon Web Services Foundations",
            "version": "1.0.0",
            "reference": "2.4"
        },
        {
            "name": "CIS Amazon Web Services Foundations",
            "version": "1.1.0",
            "reference": "2.4"
        },
        {
            "name": "CIS Amazon Web Services Foundations",
            "version": "1.2.0",
            "reference": "2.4"
        }
    ],
    "dashboard_name": "Configurations",
    "display_path": "cloudtrail.regions.id.trails.id",
    "path": "cloudtrail.regions.id.trails.id",
    "conditions": [
        "and",
        [
            "cloudtrail.regions.id.trails.id.",
            "withKey",
            "LatestCloudWatchLogsDeliveryTime"
        ],
        [
            "or",
            [
                "cloudtrail.regions.id.trails.id.LatestCloudWatchLogsDeliveryTime",
                "null",
                ""
            ],
            [
                "cloudtrail.regions.id.trails.id.LatestCloudWatchLogsDeliveryTime",
                "olderThan",
                [
                    "1",
                    "days"
                ]
            ]
        ]
    ],
    "id_suffix": "TrailCloudwatchNoIntegration"
}


================================================
FILE: ScoutSuite/providers/aws/rules/findings/cloudtrail-no-data-logging.json
================================================
{
    "description": "Data Events Logging Not Configured",
    "rationale": "CloudTrail Data Logging is not configured, which means that S3 access and Lambda invocations are not logged. 

Note: S3 bucket logging can be used in place of CloudTrail data events for S3. If that is the case, logs for Lambda invocations may still be missing.", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html" ], "dashboard_name": "Configurations", "display_path": "cloudtrail.regions.id.trails.id", "path": "cloudtrail.regions.id.trails.id", "conditions": [ "and", [ "this", "withKey", "DataEventsEnabled" ], [ "DataEventsEnabled", "false", "" ] ], "id_suffix": "cloudtrail-data-events-disabled" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/cloudtrail-no-encryption-with-kms.json ================================================ { "description": "CloudTrail Logs Not Encrypted with KMS Customer Master Keys (CMKs)", "rationale": "Not encrypting CloudTrail logs with SSE-KMS affects the confidentiality of the log data.", "remediation": "Ensure each Trail is encrypted with a KMS key", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "2.7" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "2.7" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "2.7" } ], "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html" ], "dashboard_name": "Configurations", "display_path": "cloudtrail.regions.id.trails.id", "path": "cloudtrail.regions.id.trails.id", "conditions": [ "and", [ "cloudtrail.regions.id.trails.id.", "withoutKey", "scout_link" ], [ "or", [ "cloudtrail.regions.id.trails.id.", "withoutKey", "KmsKeyId" ], [ "and", [ "cloudtrail.regions.id.trails.id.", "withKey", "KmsKeyId" ], [ "cloudtrail.regions.id.trails.id.KmsKeyId", "null", "" ] ] ] ], "id_suffix": "cloudtrail-kms-key-unused" } ================================================ FILE: 
ScoutSuite/providers/aws/rules/findings/cloudtrail-no-global-services-logging.json ================================================ { "description": "Global Service Logging Disabled", "rationale": "API activity for global services such as IAM and STS is not logged. Investigation of incidents will be incomplete due to the lack of information.", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events" ], "dashboard_name": "Configurations", "path": "cloudtrail.regions.id.trails.id", "conditions": [ "and", [ "cloudtrail.IncludeGlobalServiceEvents", "false", "" ], [ "this", "withKey", "IncludeGlobalServiceEvents" ] ], "id_suffix": "IncludeGlobalServiceEvents" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/cloudtrail-no-log-file-validation.json ================================================ { "description": "Log File Validation Is Disabled", "rationale": "The lack of log file validation prevents from verifying the integrity of CloudTrail log files.", "remediation": "Ensure that each Trail has Enable log file validation set to Yes", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "2.2" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "2.2" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "2.2" } ], "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html" ], "dashboard_name": "Configurations", "display_path": "cloudtrail.regions.id.trails.id", "path": "cloudtrail.regions.id.trails.id", "conditions": [ "and", [ "cloudtrail.regions.id.trails.id.", "withKey", "LogFileValidationEnabled" ], [ "cloudtrail.regions.id.trails.id.LogFileValidationEnabled", "false", "" ] ], "id_suffix": "LogFileValidationDisabled" } ================================================ 
FILE: ScoutSuite/providers/aws/rules/findings/cloudtrail-no-logging.json ================================================ { "description": "Disabled Trails", "rationale": "Logging is disabled for a given Trail. Depending on the configuration, logs for important API activity may be missing.", "remediation": "Configure all Trails to enable Logging, set Apply trail to all regions and ensure that Read/Write Events are set to ALL", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "2.1" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "2.1" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "2.1" } ], "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html" ], "dashboard_name": "Configurations", "path": "cloudtrail.regions.id.trails.id", "conditions": [ "and", [ "cloudtrail.regions.id.trails.id.", "withKey", "IsLogging" ], [ "cloudtrail.regions.id.trails.id.IsLogging", "false", "" ] ], "class_suffix": "IsLogging" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/cloudtrail-not-configured.json ================================================ { "description": "CloudTrail Service Not Configured", "rationale": "CloudTrail is not configured, which means that API activity is not logged.", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html" ], "dashboard_name": "Regions", "path": "cloudtrail.regions.id", "conditions": [ "and", [ "trails_count", "equal", "0" ] ], "id_suffix": "NotConfigured" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/cloudtrail-partial-data-logging.json ================================================ { "description": "Data Logging Configuration Not Covering All Resources", "rationale": "CloudTrail Data Logging is not configured to cover all S3 
or Lambda resources, which means that not all S3 access and Lambda invocations are logged.

Note: S3 bucket logging can be used in place of CloudTrail data events for S3. If that is the case, logs for Lambda invocations may still be missing.", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html" ], "dashboard_name": "Configurations", "display_path": "cloudtrail.regions.id.trails.id", "path": "cloudtrail.regions.id.trails.id", "conditions": [ "and", [ "this", "withKey", "wildcard_data_logging" ], [ "wildcard_data_logging", "false", "" ] ], "id_suffix": "cloudtrail-data-events-disabled" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/cloudwatch-alarm-without-actions.json ================================================ { "description": "Alarm without Action", "rationale": "Each alarm should have at least one action", "references": [ "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html" ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.alarms.id", "conditions": [ "and", [ "cloudwatch.regions.id.alarms.id.AlarmActions", "empty", "" ] ], "id_suffix": "NoActions" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/config-recorder-not-configured.json ================================================ { "description": "AWS Config Not Enabled", "rationale": "No AWS Config recorders are configured, which means that changes in AWS resource configuration are not logged. 
This hinders security analysis, resource change tracking and compliance auditing.", "remediation": "Enable AWS Config in all regions, define the resources you want to record in each region and include global resources (IAM resources)", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "2.5" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "2.5" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "2.5" } ], "references": [ "https://aws.amazon.com/blogs/mt/aws-config-best-practices/" ], "dashboard_name": "Regions", "path": "config.regions.id", "conditions": [ "and", [ "recorders_count", "equal", "0" ] ], "id_suffix": "NotConfigured" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-ami-public.json ================================================ { "description": "Publicly Accessible AMI", "rationale": "AMIs should never intentionally be made public. If they need to be shared this can be done with specific AWS accounts.", "references": [ "https://aws.amazon.com/security/security-bulletins/reminder-about-safely-sharing-and-using-public-amis/" ], "dashboard_name": "Images", "path": "ec2.regions.id.images.id", "conditions": [ "and", [ "Public", "true", "" ] ], "id_suffix": "image_is_public" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-default-security-group-in-use.json ================================================ { "description": "Default Security Groups in Use", "rationale": "The use of default security groups can indicate a lack of intentional enforcement of the principle of least privilege. Use custom security groups to ensure you are properly minimizing privilege and access.", "remediation": "Ensure resources are not within default security groups. 
Instead, create a custom security group tailored to each resource needs.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.4" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.4" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.3" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.3" ], "dashboard_name": "Security groups", "path": "ec2.regions.id.vpcs.id.security_groups.id", "conditions": [ "and", [ "ec2.regions.id.vpcs.id.security_groups.id.name", "equal", "default" ], [ "ec2.regions.id.vpcs.id.security_groups.id.", "withKey", "used_by" ], [ "ec2.regions.id.vpcs.id.security_groups.id.is_default_configuration", "true", "" ] ], "id_suffix": "default_in_use" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-default-security-group-with-rules.json ================================================ { "description": "Non-empty Rulesets for Default Security Groups", "rationale": "The default security group created in each VPC comes with rules allowing all inbound traffic from instances assigned to the same security group, as well as all outbound traffic. In order to improve system hardening, you should remove all rules from the default security groups so that they restricts all traffic. 
Should an instance be created without custom security groups, it will inherit the default security group and be unable to communicate with other instances within the VPC until the required custom security groups are assigned.", "remediation": "Ensure the default security group of every VPC restricts all traffic", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.4" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.4" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.3" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.3" ], "dashboard_name": "Rulesets", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id", "conditions": [ "and", [ "ec2.regions.id.vpcs.id.security_groups.id.name", "equal", "default" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols", "notEmpty", "" ], [ "ec2.regions.id.vpcs.id.security_groups.id.is_default_configuration", "true", "" ] ], "id_suffix": "default_with_rules" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-ebs-default-encryption-disabled.json ================================================ { "description": "EBS Encryption By Default Is Disabled", "rationale": "Enabling EBS encryption by default ensures that all EBS Volumes created in the region are encrypted even if the operator neglects to opt into encryption when creating a Volume.", "remediation": "Enable encryption by default for EBS volumes in all regions.", "references": [ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default" ], "dashboard_name": "Regions", "path": "ec2.regions.id.regional_settings.id", "conditions": [ "and", [ "ebs_encryption_default", "false", "" ] ], "id_suffix": 
"NoDefaultEBSEncryption" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-ebs-snapshot-not-encrypted.json ================================================ { "description": "EBS Snapshot Not Encrypted", "rationale": "Data-at-rest should be encrypted.", "references": [ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html" ], "dashboard_name": "Snapshots", "path": "ec2.regions.id.snapshots.id", "conditions": [ "and", [ "encrypted", "false", "" ] ], "id_suffix": "encrypted" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-ebs-snapshot-public.json ================================================ { "description": "Public EBS Snapshot", "rationale": "Snapshots should never be public, as this risks exposing sensitive data.", "references": [ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html" ], "dashboard_name": "Snapshots", "path": "ec2.regions.id.snapshots.id", "conditions": [ "and", [ "public", "true", "" ] ], "id_suffix": "public" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-ebs-volume-not-encrypted.json ================================================ { "description": "EBS Volume Not Encrypted", "rationale": "Enabling encryption of EBS volumes ensures that data is encrypted both at-rest and in-transit (between an instance and its attached EBS storage).", "references": [ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html" ], "dashboard_name": "Volumes", "path": "ec2.regions.id.volumes.id", "conditions": [ "and", [ "Encrypted", "false", "" ] ], "id_suffix": "encrypted" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-instance-in-security-group.json ================================================ { "description": "EC2 Instance Belongs to Specific Security Group", "rationale": "This 
configuration goes against organizational policies.", "dashboard_name": "Instances", "path": "ec2.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "ec2.regions.id.vpcs.id.instances.id.security_groups", "match", ".*_ARG_0_.*" ] ], "arg_names": [ "ID of the security group EC2 instances may not belong to." ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-instance-type.json ================================================ { "description": "Use of _ARG_0_ Instances", "rationale": "Policies dictate EC2 instances of type _ARG_0_ should not be used in this environment", "references": [ "https://aws.amazon.com/ec2/instance-types/" ], "dashboard_name": "Instances", "path": "ec2.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "InstanceType", "equal", "_ARG_0_" ] ], "key": "ec2-instance-type-_STRIPDOTS_(_ARG_0_)", "arg_names": [ "Type of EC2 instance (e.g. t2.micro)" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-instance-types.json ================================================ { "description": "Use of _ARG_0_ Instances", "rationale": "Policies dictate _ARG_0_ EC2 instances should not be used in this environment", "references": [ "https://aws.amazon.com/ec2/instance-types/" ], "dashboard_name": "Instances", "path": "ec2.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "InstanceType", "containAtLeastOneOf", "_ARG_1_" ] ], "key": "ec2-instance-type-_STRIPDOTS_(_ARG_0_)", "arg_names": [ "Display name of types of instances", "Type of EC2 instances that may not be used." 
] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-instance-with-public-ip.json ================================================ { "description": "Instance with a Public IP Address", "rationale": "It is good practice to maintain a list of known, publicly accessible instances and flag all other instances that meet this criteria.", "references": [ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html" ], "dashboard_name": "Network interfaces", "display_path": "ec2.regions.id.vpcs.id.instances.id", "path": "ec2.regions.id.vpcs.id.instances.id.network_interfaces.id", "conditions": [ "and", [ "Association", "notNull", "" ], [ "ec2.regions.id.vpcs.id.instances.id.network_interfaces.id.Association.PublicIp", "notNull", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-instance-with-user-data-secrets.json ================================================ { "description": "Potential Secret in Instance User Data", "rationale": "It was detected that the EC2 instance was configured with user data, which could potentially include secrets. Although user data can only be accessed from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. 
It should therefore be ensured that sensitive data, such as passwords and SSH keys, are not stored as user data.", "references": [ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html" ], "dashboard_name": "Instances", "path": "ec2.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "ec2.regions.id.vpcs.id.instances.id.user_data_secrets", "notEmpty", "" ] ], "id_suffix": "potential_secrets" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-opens-all-ports-to-all.json ================================================ { "description": "Security Group Opens All Ports to All", "rationale": "It was detected that all ports in the security group are open, and any source IP address could send traffic to these ports, which creates a wider attack surface for resources assigned to it. Open ports should be reduced to the minimum needed to correctly operate and, when possible, source address restrictions should be implemented.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR", "conditions": [ "and", [ "_INCLUDE_(conditions/cidr-is-all.json)", "", "" ], [ "_INCLUDE_(conditions/security-group-opens-all-ports.json)", "", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-opens-all-ports-to-self.json ================================================ { "description": "Unrestricted Network Traffic within Security Group", "rationale": "This configuration goes against organizational policies.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.security_groups.id", "conditions": [ "and", [ "_INCLUDE_(conditions/security-group-opens-all-ports.json)", "", "" ], [ 
"ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.security_groups.id.GroupId", "equal", "_GET_VALUE_AT_(ec2.regions.id.vpcs.id.security_groups.id)" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-opens-all-ports.json ================================================ { "description": "Security Group Opens All Ports", "rationale": "It was detected that all ports in the security group are open, which creates a wider attack surface for resources assigned to it. Open ports should be reduced to the minimum needed to correctly operate.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "conditions": [ "and", [ "_INCLUDE_(conditions/security-group-opens-all-ports.json)", "", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-opens-icmp-to-all.json ================================================ { "description": "Security Group Allows ICMP Traffic to All", "rationale": "ICMP traffic was allowed to the resources assigned to this security group without restriction of the source address. 
This could potentially be leveraged by an attacker trying to perform an attack or gather information about the deployed infrastructure.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR", "conditions": [ "and", [ "_INCLUDE_(conditions/cidr-is-all.json)", "", "" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id", "equal", "ingress" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id", "equal", "ICMP" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-opens-known-port-to-all.json ================================================ { "description": "Security Group Opens _ARG_0_ Port to All", "rationale": "The security group was found to be exposing a well-known port to all source addresses. Well-known ports are commonly probed by automated scanning tools, and could be an indicator of sensitive services exposed to Internet. 
If such services need to be exposed, a restriction on the source address could help to reduce the attack surface of the infrastructure.", "remediation": "Remove the inbound rules that expose open ports", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.1" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.2" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.1" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.2" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.1" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.2" } ], "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR", "conditions": [ "and", [ "_INCLUDE_(conditions/cidr-is-all.json)", "", "" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id", "equal", "ingress" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id", "equal", "_ARG_1_" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "equal", "_ARG_2_" ] ], "key": "ec2-security-group-opens-_ARG_0_-port-to-all", "arg_names": [ "Network protocol name", "Transport protocol name", "Port number" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-opens-plaintext-port.json ================================================ { "description": "Security Group Opens _ARG_0_ Port", "rationale": "Ports associated with plaintext protocols have been found to be open in this security group. 
Plaintext protocols should be replaced with more secure alternatives, as the data in transit may be monitored and could, potentially, be subject to tampering.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "conditions": [ "and", [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id", "equal", "ingress" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id", "equal", "_ARG_1_" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "equal", "_ARG_2_" ] ], "key": "ec2-security-group-opens-plaintext-port-_ARG_0_", "arg_names": [ "Network protocol name", "Transport protocol name", "Port number" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-opens-port-range.json ================================================ { "description": "Security Group Uses Port Range", "rationale": "It was found that the security group was using port ranges. Sometimes, ranges could include unintended ports that should not be exposed. 
As a result, when possible, explicit port lists should be used instead.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "conditions": [ "and", [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id", "equal", "ingress" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id", "containAtLeastOneOf", [ "ALL", "UDP", "TCP" ] ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "match", "[0-9]+-[0-9]+" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "notEqual", "0-65535" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "notEqual", "1-65535" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-opens-port-to-all.json ================================================ { "description": "Security Group Opens _ARG_0_ Port to All", "rationale": "The security group was found to be exposing a port to all source addresses. Ports are commonly probed by automated scanning tools, and could be an indicator of sensitive services exposed to the Internet. 
If such services need to be exposed, a restriction on the source address could help to reduce the attack surface of the infrastructure.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR", "conditions": [ "and", [ "_INCLUDE_(conditions/cidr-is-all.json)", "", "" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id", "equal", "ingress" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id", "equal", "_ARG_0_" ], [ "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id", "containNoneOf", [ "22", "25", "80", "443", "1433", "1521", "3306", "3389", "5432", "27017" ] ] ], "key": "ec2-security-group-opens-_ARG_0_-port-to-all", "arg_names": [ "Network transport protocol" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-whitelists-aws-ip-from-banned-region.json ================================================ { "description": "Security Group Whitelists AWS IPs Outside the USA", "rationale": "This configuration goes against organizational policies.", "dashboard_name": "Rules", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR", "conditions": [ "and", [ "this", "inSubnets", "_IP_RANGES_FROM_FILE_(aws/ip-ranges/aws.json, [])" ], [ "this", "notInSubnets", "_IP_RANGES_FROM_FILE_(aws/ip-ranges/aws-in-us.json, [])" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-whitelists-aws.json ================================================ { "description": "Security Group Whitelists AWS CIDRs", "rationale": "The AWS IP ranges contain addresses which can be assigned to EC2 instances in any AWS account, as well as services which can be used to interact with any AWS account. 
Consequently, allowing these ranges potentially exposes your AWS account to external interactions.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR", "conditions": [ "and", [ "this", "inSubnets", "_IP_RANGES_FROM_FILE_(aws/ip-ranges/aws.json, [])" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-whitelists-non-elastic-ips.json ================================================ { "description": "Security Group Whitelists Non-Elastic IP Addresses", "rationale": "This configuration goes against organizational policies.", "dashboard_name": "Rules", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id", "conditions": [ "and", [ "this", "inSubnets", "_IP_RANGES_FROM_FILE_(ip-ranges-from-args, [])" ], [ "this", "inSubnets", "_IP_RANGES_FROM_FILE_(ip-ranges-from-args, [[\"is_elastic\", \"false\", \"\"]])" ] ], "keys": [ "ec2.regions.id.vpcs.id.security_groups.id", "this" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-whitelists-unknown-aws.json ================================================ { "description": "Security Group Whitelists Unknown AWS CIDRs", "rationale": "This configuration goes against organizational policies.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR", "conditions": [ "and", [ "this", "inSubnets", "_IP_RANGES_FROM_FILE_(aws/ip-ranges/aws.json, [])" ], [ "this", "notInSubnets", "_IP_RANGES_FROM_FILE_(ip-ranges-from-args, [])" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-security-group-whitelists-unknown-cidrs.json 
================================================ { "description": "Security Group Whitelists Unknown CIDRs", "rationale": "This configuration goes against organizational policies.", "dashboard_name": "Rules", "display_path": "ec2.regions.id.vpcs.id.security_groups.id", "path": "ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR", "conditions": [ "and", [ "this", "notEqual", "0.0.0.0/0" ], [ "this", "notEqual", "::/0" ], [ "this", "notInSubnets", "_IP_RANGES_FROM_FILE_(aws/ip-ranges/aws.json, [])" ], [ "this", "notInSubnets", "_IP_RANGES_FROM_FILE_(ip-ranges-from-args, [])" ], [ "_INCLUDE_(conditions/ip-not-in-private-space.json)", "", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ec2-unused-security-group.json ================================================ { "description": "Unused Security Group", "rationale": "Non-default security groups were defined but are unused and may not be required. This being the case, their existence in the configuration increases the risk that they may be inappropriately assigned. The unused security groups should be reviewed and removed if no longer required.", "references": [ "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" ], "dashboard_name": "Security groups", "path": "ec2.regions.id.vpcs.id.security_groups.id", "conditions": [ "and", [ "ec2.regions.id.vpcs.id.security_groups.id.", "withoutKey", "used_by" ], [ "ec2.regions.id.vpcs.id.security_groups.id.name", "notEqual", "default" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/elb-listener-allowing-cleartext.json ================================================ { "description": "Load Balancer Allowing Clear Text (HTTP) Communication", "rationale": "Use of a secure protocol (HTTPS or SSL) is best practice for encrypted communication. 
A load balancer without a listener using an encrypted protocol can be vulnerable to eavesdropping and man-in-the-middle attacks.", "references": [ "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-listener-config.html" ], "dashboard_name": "Load Balancer Listeners", "display_path": "elb.regions.id.vpcs.id.elbs.id", "path": "elb.regions.id.vpcs.id.elbs.id.listeners.id", "conditions": [ "and", [ "elb.regions.id.vpcs.id.elbs.id.listeners.id.Protocol", "containNoneOf", [ "HTTPS", "SSL" ] ], [ "elb.regions.id.vpcs.id.elbs.id.listeners.id.LoadBalancerPort", "containNoneOf", [ 443 ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/elb-no-access-logs.json ================================================ { "description": "Lack of ELB Access Logs", "rationale": "Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and identify security issues.", "references": [ "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html" ], "dashboard_name": "Load Balancers", "path": "elb.regions.id.vpcs.id.elbs.id", "conditions": [ "and", [ "elb.regions.id.vpcs.id.elbs.id.attributes.AccessLog.Enabled", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/elb-older-ssl-policy.json ================================================ { "description": "Older SSL/TLS Policy", "rationale": "Use of the latest TLS policies is best practice. The recommended predefined security policies are:
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-FS-2018-06
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-Res-2020-10
", "references": [ "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html" ], "dashboard_name": "Load Balancer Listeners Security Policy", "display_path": "elb.regions.id.elb_policies.id.reference_security_policy", "path": "elb.regions.id.elb_policies.id.reference_security_policy", "conditions": [ "and", [ "this", "containNoneOf", [ "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-1-2-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06" ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/elbv2-http-request-smuggling.json ================================================ { "description": "Drop Invalid Header Fields Disabled", "rationale": "Dropping invalid header fields should be enabled in order to mitigate the risk of request smuggling attacks.", "references": [ "https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_LoadBalancerAttribute.html", "https://medium.com/@emilefugulin/http-desync-attacks-with-python-and-aws-1ba07d2c860f", "https://99designs.com/blog/engineering/request-smuggling/", "https://portswigger.net/web-security/request-smuggling" ], "dashboard_name": "Load Balancer Attributes", "display_path": "elbv2.regions.id.vpcs.id.lbs.id", "path": "elbv2.regions.id.vpcs.id.lbs.id.attributes.id", "conditions": [ "and", [ "Key", "equal", "routing.http.drop_invalid_header_fields.enabled" ], [ "Value", "equal", "false" ] ] } 
================================================ FILE: ScoutSuite/providers/aws/rules/findings/elbv2-listener-allowing-cleartext.json ================================================ { "description": "Load Balancer Allowing Clear Text (HTTP) Communication", "rationale": "Use of a secure protocol (HTTPS or SSL) is best practice for encrypted communication. A load balancer without a listener using an encrypted protocol can be vulnerable to eavesdropping and man-in-the-middle attacks.", "references": [ "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html", "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html", "https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html" ], "dashboard_name": "Load Balancer Listeners", "display_path": "elbv2.regions.id.vpcs.id.lbs.id", "path": "elbv2.regions.id.vpcs.id.lbs.id.listeners.id", "conditions": [ "and", [ "elbv2.regions.id.vpcs.id.lbs.id.listeners.id.Protocol", "equal", "HTTP" ], ["or", [ "elbv2.regions.id.vpcs.id.lbs.id.listeners.id.DefaultActions", "notContainString", "'Type': 'redirect'" ], [ "elbv2.regions.id.vpcs.id.lbs.id.listeners.id.DefaultActions", "notContainString", "'Protocol': 'HTTPS'" ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/elbv2-no-access-logs.json ================================================ { "description": "Lack of ELBv2 Access Logs", "rationale": "Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and identify security issues.

Note that for Network Load Balancers, access logs are created only if the load balancer has a TLS listener.", "references": [ "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html", "https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html" ], "dashboard_name": "Load Balancer Attributes", "display_path": "elbv2.regions.id.vpcs.id.lbs.id", "path": "elbv2.regions.id.vpcs.id.lbs.id.attributes.id", "conditions": [ "and", [ "Key", "equal", "access_logs.s3.enabled" ], [ "Value", "equal", "false" ], [ "or", [ "elbv2.regions.id.vpcs.id.lbs.id.Type", "equal", "application" ], [ "and", [ "elbv2.regions.id.vpcs.id.lbs.id.Type", "equal", "network" ], [ "elbv2.regions.id.vpcs.id.lbs._GET_VALUE_AT_(elbv2.regions.id.vpcs.id.lbs.id).listener_protocols", "containAtLeastOneOf", [ "TLS" ] ] ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/elbv2-no-deletion-protection.json ================================================ { "description": "Lack of Deletion Protection", "rationale": "Enabling deletion protection on load balancers mitigates risks of accidental deletion.", "references": [ "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#deletion-protection" ], "dashboard_name": "Load Balancer Attributes", "display_path": "elbv2.regions.id.vpcs.id.lbs.id", "path": "elbv2.regions.id.vpcs.id.lbs.id.attributes.id", "conditions": [ "and", [ "Key", "equal", "deletion_protection.enabled" ], [ "Value", "equal", "false" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/elbv2-older-ssl-policy.json ================================================ { "description": "Older SSL/TLS Policy", "rationale": "Use of the latest TLS policies is best practice. The recommended predefined security policies are:
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-FS-2018-06
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-Res-2020-10
", "references": [ "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies" ], "dashboard_name": "Load Balancer Listeners", "display_path": "elbv2.regions.id.vpcs.id.lbs.id", "path": "elbv2.regions.id.vpcs.id.lbs.id.listeners.id.SslPolicy", "conditions": [ "and", [ "this", "containNoneOf", [ "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-1-2-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06" ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-assume-role-lacks-external-id-and-mfa.json ================================================ { "description": "Cross-Account AssumeRole Policy Lacks External ID and MFA", "rationale": "When authorizing cross-account role assumption, either an External ID or MFA should be required. If the role is intended for use by a service, an External ID can prevent \"confused deputy\" attacks. 
If the role is intended for use by an external user, then MFA will strengthen the authentication by requiring a second factor.", "references": [ "https://research.nccgroup.com/2019/12/18/demystifying-aws-assumerole-and-stsexternalid/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html" ], "dashboard_name": "Roles", "display_path": "iam.roles.id", "path": "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.", "containAction", "sts:AssumeRole" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal", "withKeyCaseInsensitive", "AWS" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal.AWS", "isCrossAccount", "_ACCOUNT_ID_" ], [ "or", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.", "withoutKey", "Condition" ], [ "and", [ "or", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition", "withoutKey", "Bool" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.Bool.", "withoutKey", "aws:MultiFactorAuthPresent" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.Bool.aws:MultiFactorAuthPresent", "notTrue", "" ] ], [ "or", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition", "withoutKey", "BoolIfExists" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.BoolIfExists.", "withoutKey", "aws:MultiFactorAuthPresent" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.BoolIfExists.aws:MultiFactorAuthPresent", "notTrue", "" ] ] ] ], [ "or", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.", "withoutKey", "Condition" ], [ "and", [ "or", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition", "withoutKey", "StringEquals" ], [ 
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.StringEquals.", "withoutKey", "sts:ExternalId" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.StringEquals.sts:ExternalId", "empty", "" ] ], [ "or", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition", "withoutKey", "StringLike" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.StringLike.", "withoutKey", "sts:ExternalId" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.StringLike.sts:ExternalId", "empty", "" ] ] ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-assume-role-no-mfa.json ================================================ { "description": "AssumeRole Policy Lacks MFA", "rationale": "When authorizing role assumption, MFA should be required.", "references": [ "https://research.nccgroup.com/2019/12/18/demystifying-aws-assumerole-and-stsexternalid/" ], "dashboard_name": "Roles", "display_path": "iam.roles.id", "path": "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.", "containAction", "sts:AssumeRole" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal", "withKeyCaseInsensitive", "AWS" ], [ "or", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.", "withoutKey", "Condition" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition", "withoutKey", "Bool" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.Bool.", "withoutKey", "aws:MultiFactorAuthPresent" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.Bool.aws:MultiFactorAuthPresent", "notTrue", "" ] ] ] } ================================================ FILE: 
ScoutSuite/providers/aws/rules/findings/iam-assume-role-policy-allows-all.json ================================================ { "description": "AssumeRole Policy Allows All Principals", "rationale": "Setting the AssumeRole policy's principal attribute to \"AWS:*\" means that anyone is authorized to assume the role and access the AWS account.", "references": [ "https://research.nccgroup.com/2019/12/18/demystifying-aws-assumerole-and-stsexternalid/" ], "dashboard_name": "Roles", "display_path": "iam.roles.id", "path": "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.", "containAction", "sts:AssumeRole" ], [ "_INCLUDE_(conditions/policy-statement-any-principal.json)", [ "_STATEMENT_" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id" ] ], [ "_INCLUDE_(conditions/policy-statement-poor-condition.json)", [ "_STATEMENT_" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id" ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-ec2-role-without-instances.json ================================================ { "description": "Unused Role for EC2 Service", "rationale": "An EC2 role is defined which is unused and may not be required. This being the case, its existence in the configuration increases the risk that it may be inappropriately assigned. 
The unused role should be reviewed and removed if no longer required.", "references": [ "https://aws.amazon.com/about-aws/whats-new/2019/11/identify-unused-iam-roles-easily-and-remove-them-confidently-by-using-the-last-used-timestamp/" ], "dashboard_name": "Roles", "display_path": "iam.roles.id", "path": "iam.roles.id.assume_role_policy.Statement.id.Principal", "conditions": [ "and", [ "iam.roles.id.instances_count", "equal", "0" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal.", "withKey", "Service" ], [ "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal.Service", "equal", "ec2.amazonaws.com" ] ], "keys": [ "iam.roles.id.name", "this" ], "id_suffix": "instances" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-group-with-inline-policies.json ================================================ { "description": "Group with Inline Policies", "rationale": "An inline policy is a policy that's embedded in an IAM identity (a user, group, or role). 
These policies are harder to audit and manage, and should be deprecated in favor of managed policies.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#best-practice-managed-vs-inline", "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html" ], "dashboard_name": "Groups", "path": "iam.groups.id", "conditions": [ "and", [ "iam.groups.id.", "withKey", "inline_policies" ], [ "iam.groups.id.inline_policies", "notEmpty", "" ] ], "id_suffix": "inline_policies" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-group-with-no-users.json ================================================ { "description": "Group with No Users", "rationale": "Groups with no users should be reviewed and deleted if not necessary.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-groups-for-permissions" ], "dashboard_name": "groups", "path": "iam.groups.id", "conditions": [ "and", [ "iam.groups.id.users", "empty", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-human-user-with-policies.json ================================================ { "description": "Human User with _ARG_1_ Policies", "rationale": "This configuration goes against organizational policies.", "dashboard_name": "Users", "path": "iam.users.id", "conditions": [ "and", [ "iam.users.id.groups", "containAtLeastOneOf", "_ARG_0_" ], [ "iam.users.id.", "withKey", "_ARG_2_" ], [ "iam.users.id._ARG_2_", "notEmpty", "" ] ], "key": "iam-human-user-with-_ARG_1_-policies", "arg_names": [ "Name of IAM group", "Type of policy", "Path to policies" ], "id_suffix": "_ARG_1_" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-inline-policy-allows-NotActions.json ================================================ { "description": "Inline _ARG_0_ Policy Allows \"NotActions\"", 
"rationale": "The combination of \"effect = allow\" and \"NotAction\" results in the policy allowing every action except those listed in the statement. The target policy does not follow the principle of least privilege because thousands of actions exist in AWS and because this policy automatically authorizes users to perform newly created actions, regardless of their nature.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html", "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html", "https://aws.amazon.com/blogs/security/back-to-school-understanding-the-iam-policy-grammar/" ], "dashboard_name": "Statements", "display_path": "iam._ARG_0_s.id", "path": "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.", "withKey", "NotAction" ] ], "key": "iam-inline-_ARG_0_-policy-allows-NotActions", "arg_names": [ "IAM entity type" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-inline-policy-allows-non-sts-action.json ================================================ { "description": "Inline _ARG_0_ Policy Allows Non STS Action", "rationale": "When the principle of least privilege is implemented by exclusively using roles for privilege management, users should only be granted permissions to assume roles. 
This policy may violate that organizational standard.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" ], "dashboard_name": "Statements", "display_path": "iam._ARG_0_s.id", "path": "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "or", [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.", "withoutKey", "Action" ], [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.Action", "containAtLeastOneDifferentFrom", "sts:AssumeRole" ] ] ], "key": "iam-inline-_ARG_0_-policy-allows-non-sts-action", "arg_names": [ "IAM entity type", "Service", "Action" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-inline-policy-for-role.json ================================================ { "description": "Inline _ARG_0_ Policy Allows \"_ARG_1_:_ARG_2_\" For All Resources", "rationale": "Using \"*\" for the resource field might grant permissions to more resources than necessary, potentially introducing privilege escalation scenarios.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" ], "dashboard_name": "Policies", "display_path": "iam._ARG_0_s.id", "path": "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "or", [ "and", [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.", "withKey", "Action" ], [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.Action", "containNoneOf", [ "*", "*:*" ] ] ], [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.", "withKey", "NotAction" ] ], [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id.", "containAction", "_ARG_1_:_ARG_2_" ], [ 
"_INCLUDE_(conditions/policy-statement-any-resource.json)", [ "_STATEMENT_" ], [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id" ] ], [ "_INCLUDE_(conditions/policy-statement-poor-condition.json)", [ "_STATEMENT_" ], [ "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id" ] ] ], "key": "iam-inline-_ARG_0_-policy-allows-_ARG_1_-_ARG_2_", "keys": [ "iam._ARG_0_s.id.inline_policies.id.name" ], "arg_names": [ "IAM entity type", "Service", "Action" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-lightspin-user-action-denied-for-group.json ================================================ { "description": "Policy with Denied User Actions for Group Objects", "rationale": "When a deny policy is specified for User object actions on a group resource, this will only affect the specific IAM group but not the group members. This could lead to privilege escalation if the user can perform other privileged actions targeting the specific members of the group.", "remediation": "Define all relevant users in the resource field of the affected policies to avoid ineffective IAM actions and deny all group actions. 
The alternative would be to use the condition \"iam:ResourceTag\" in the policy.", "references": [ "https://blog.lightspin.io/aws-iam-groups-authorization-bypass", "https://github.com/lightspin-tech/red-shadow" ], "dashboard_name": "Policies", "display_path": "iam.policies.id", "path": "iam.policies.id.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam.policies.id.PolicyDocument.Statement.id.Effect", "equal", "Deny" ], [ "iam.policies.id.PolicyDocument.Statement.id.", "withKey", "Resource" ], [ "iam.policies.id.PolicyDocument.Statement.id.Resource", "matchInList", "arn:aws:iam::[0-9]+:group/.*" ], [ "and", [ "iam.policies.id.PolicyDocument.Statement.id.", "withKey", "Action" ], [ "iam.policies.id.PolicyDocument.Statement.id.Action", "containAtLeastOneOf", [ "*", "iam:CreateUser", "iam:GetUser", "iam:UpdateUser", "iam:DeleteUser", "iam:GetUserPolicy", "iam:PutUserPolicy", "iam:DeleteUserPolicy", "iam:ListUserPolicies", "iam:AttachUserPolicy", "iam:DetachUserPolicy", "iam:ListAttachedUserPolicies", "iam:SimulatePrincipalPolicy", "iam:GetContextKeysForPrincipalPolicy", "iam:TagUser", "iam:UpdateSSHPublicKey", "iam:UntagUser", "iam:GetSSHPublicKey", "iam:ListUserTags", "iam:DeleteSSHPublicKey", "iam:GetLoginProfile", "iam:GetAccessKeyLastUsed", "iam:UpdateLoginProfile", "iam:UploadSigningCertificate", "iam:DeleteLoginProfile", "iam:ListSigningCertificates", "iam:CreateLoginProfile", "iam:UpdateSigningCertificate", "iam:EnableMFADevice", "iam:DeleteSigningCertificate", "iam:ResyncMFADevice", "iam:ListServiceSpecificCredentials", "iam:ListMFADevices", "iam:ResetServiceSpecificCredential", "iam:DeactivateMFADevice", "iam:CreateServiceSpecificCredential", "iam:ChangePassword", "iam:UpdateServiceSpecificCredential", "iam:CreateAccessKey", "iam:DeleteServiceSpecificCredential", "iam:ListAccessKeys", "iam:PutUserPermissionsBoundary", "iam:UpdateAccessKey", "iam:DeleteUserPermissionsBoundary", "iam:DeleteAccessKey", "iam:ListGroupsForUser", "iam:ListSSHPublicKeys", 
"iam:UploadSSHPublicKey" ] ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-managed-policy-allows-NotActions.json ================================================ { "description": "Managed Policy Allows \"NotActions\"", "rationale": "The combination of \"effect = allow\" and \"NotAction\" results in the policy allowing every action except those listed in the statement. The target policy does not follow the principle of least privilege because thousands of actions exist in AWS and because this policy automatically authorizes users to perform new actions created, regardless of their nature.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html", "https://aws.amazon.com/blogs/security/back-to-school-understanding-the-iam-policy-grammar/" ], "dashboard_name": "Statements", "display_path": "iam.policies.id", "path": "iam.policies.id.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam.policies.id.arn", "notContainString", "arn:aws:iam::aws:policy/aws-service-role" ], [ "iam.policies.id.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "iam.policies.id.PolicyDocument.Statement.id.", "withKey", "NotAction" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-managed-policy-allows-full-privileges.json ================================================ { "description": "Managed Policy Allows All Actions", "rationale": "Providing full privileges instead of restricting to the minimum set of permissions that the principal requires exposes the resources to potentially unwanted actions.", "remediation": "Ensure no managed policies are configured with Effect: Allow, Action: * and Resource: *", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.24" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.22" } ], 
"references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html", "https://aws.amazon.com/blogs/security/back-to-school-understanding-the-iam-policy-grammar/" ], "dashboard_name": "Statements", "display_path": "iam.policies.id", "path": "iam.policies.id.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam.policies.id.arn", "notContainString", "arn:aws:iam::aws:policy/aws-service-role" ], [ "iam.policies.id.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "and", [ "iam.policies.id.PolicyDocument.Statement.id.", "withKey", "Action" ], [ "iam.policies.id.PolicyDocument.Statement.id.Action", "containAtLeastOneOf", [ "*", "*:*" ] ] ], [ "_INCLUDE_(conditions/policy-statement-poor-condition.json)", [ "_STATEMENT_" ], [ "iam.policies.id.PolicyDocument.Statement.id" ] ], [ "iam.policies.id.PolicyDocument.Statement.id.Resource", "containAtLeastOneOf", [ "*" ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-managed-policy-allows-non-sts-action.json ================================================ { "description": "Managed Policy Allows Non STS Action", "rationale": "When the principle of least privilege is implemented by exclusively using roles for privilege management, users should only be granted permissions to assume roles. 
This policy may violate that organizational standard.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" ], "dashboard_name": "Statements", "display_path": "iam.policies.id", "path": "iam.policies.id.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam.policies.id.arn", "notContainString", "arn:aws:iam::aws:policy/aws-service-role" ], [ "iam.policies.id.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "or", [ "iam.policies.id.PolicyDocument.Statement.id.", "withoutKey", "Action" ], [ "iam.policies.id.PolicyDocument.Statement.id.Action", "containAtLeastOneDifferentFrom", "sts:AssumeRole" ] ] ], "arg_names": [ "Service", "Action" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-managed-policy-for-role.json ================================================ { "description": "Managed Policy Allows \"_ARG_0_:_ARG_1_\" For All Resources", "rationale": "Using \"*\" for the resource field might grant permissions to more resources than necessary, potentially introducing privilege escalation scenarios.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" ], "dashboard_name": "Statements", "display_path": "iam.policies.id", "path": "iam.policies.id.PolicyDocument.Statement.id", "conditions": [ "and", [ "iam.policies.id.arn", "notContainString", "arn:aws:iam::aws:policy/aws-service-role" ], [ "iam.policies.id.PolicyDocument.Statement.id.Effect", "equal", "Allow" ], [ "or", [ "and", [ "iam.policies.id.PolicyDocument.Statement.id.", "withKey", "Action" ], [ "iam.policies.id.PolicyDocument.Statement.id.Action", "containNoneOf", [ "*", "*:*" ] ] ], [ "iam.policies.id.PolicyDocument.Statement.id.", "withKey", "NotAction" ] ], [ "iam.policies.id.PolicyDocument.Statement.id.", "containAction", "_ARG_0_:_ARG_1_" ], [ "_INCLUDE_(conditions/policy-statement-any-resource.json)", [ "_STATEMENT_" ], [ "iam.policies.id.PolicyDocument.Statement.id" ] 
], [ "_INCLUDE_(conditions/policy-statement-poor-condition.json)", [ "_STATEMENT_" ], [ "iam.policies.id.PolicyDocument.Statement.id" ] ] ], "key": "iam-managed-policy-allows-_ARG_0_-_ARG_1_", "keys": [ "iam.policies.id.name" ], "arg_names": [ "Service", "Action" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-managed-policy-no-attachments.json ================================================ { "description": "Managed Policy Not Attached to Any Entity", "rationale": "Customer Managed policies should be reviewed and deleted if not necessary.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies" ], "dashboard_name": "Policies", "display_path": "iam.policies.id", "path": "iam.policies.id", "conditions": [ "and", [ "iam.policies.id.attached_to", "empty", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-no-support-role.json ================================================ { "description": "No Authorized User to Manage Incidents with AWS Support", "rationale": "The arn:aws:iam::aws:policy/AWSSupportAccess AWS Managed Policy was not found to be attached to any principal. 
There should be at least one user authorized to manage incidents with AWS Support.", "remediation": "Attach the AWSSupportAccess to a role or group", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.22" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.20" } ], "dashboard_name": "Policies", "display_path": "iam.policies.id", "path": "iam.policies.id", "conditions": [ "and", [ "iam.policies.id.arn", "equal", "arn:aws:iam::aws:policy/AWSSupportAccess" ], [ "iam.policies.id.attached_to", "empty", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-password-policy-expiration-threshold.json ================================================ { "description": "Passwords Expire after _ARG_0_ Days", "rationale": "Password expiration is disabled, or the expiration time is set too high. As a result, compromised credentials could be used by potential attackers for a longer period of time.
Periodic password change enforced with an appropriate password expiration policy could help to mitigate this issue.", "remediation": "Enable password expiration and set the expiration period to 90 days or less", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.11" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.11" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.11" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.11" ], "dashboard_name": "Password policy", "display_path": "iam.password_policy.MaxPasswordAge", "path": "iam.password_policy", "conditions": [ "or", [ "iam.password_policy.ExpirePasswords", "false", "" ], [ "iam.password_policy.MaxPasswordAge", "moreThan", "_ARG_0_" ] ], "arg_names": [ "Maximum password age" ], "id_suffix": "MaxPasswordAge" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-password-policy-minimum-length.json ================================================ { "description": "Minimum Password Length Too Short", "rationale": "The password policy did not enforce a minimum of _ARG_0_ characters. 
As a result, password complexity requirements were not in line with security best practice.", "remediation": "Ensure the password policy is configured to require a minimum length", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.9" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.9" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.9" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.9", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_complex-password", "https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_complex-password" ], "dashboard_name": "Password policy", "path": "iam.password_policy.MinimumPasswordLength", "conditions": [ "or", [ "this", "lessThan", "_ARG_0_" ] ], "arg_names": [ "Minimum password length" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-password-policy-no-expiration.json ================================================ { "description": "Password Expiration Disabled", "rationale": "Password expiration is disabled. As a result, compromised credentials could be used by potential attackers for an indefinite amount of time.
Periodic password change enforced with an appropriate password expiration policy could help to mitigate this issue.", "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.11" ], "dashboard_name": "Password policy", "path": "iam.password_policy.ExpirePasswords", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-password-policy-no-lowercase-required.json ================================================ { "description": "Password Policy Lacks Lowercase Requirement", "rationale": "The password policy did not require the use of at least one lowercase character. As a result, password complexity requirements were not in line with security best practice.", "remediation": "Ensure the password policy is configured to require at least one lowercase letter", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.6" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.6" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.6" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_complex-password", "https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_complex-password" ], "dashboard_name": "Password policy", "path": "iam.password_policy.RequireLowercaseCharacters", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-password-policy-no-number-required.json ================================================ { "description": "Password 
Policy Lacks Number Requirement", "rationale": "The password policy did not require the use of at least one number. As a result, password complexity requirements were not in line with security best practice.", "remediation": "Ensure the password policy is configured to require at least one number", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.8" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.8" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.8" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_complex-password", "https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_complex-password" ], "dashboard_name": "Password policy", "path": "iam.password_policy.RequireNumbers", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-password-policy-no-symbol-required.json ================================================ { "description": "Password Policy Lacks Symbol Requirement", "rationale": "The password policy did not require the use of at least one special character. 
As a result, password complexity requirements were not in line with security best practice.", "remediation": "Ensure the password policy is configured to require at least one symbol", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.7" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.7" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.7" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_complex-password", "https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_complex-password" ], "dashboard_name": "Password policy", "path": "iam.password_policy.RequireSymbols", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-password-policy-no-uppercase-required.json ================================================ { "description": "Password Policy Lacks Uppercase Requirement", "rationale": "The password policy did not require the use of at least one uppercase character. 
As a result, password complexity requirements were not in line with security best practice.", "remediation": "Ensure the password policy is configured to require at least one uppercase letter", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.5" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.5" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.5" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_complex-password", "https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_complex-password" ], "dashboard_name": "Password policy", "path": "iam.password_policy.RequireUppercaseCharacters", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-password-policy-reuse-enabled.json ================================================ { "description": "Password Policy Allows the Reuse of Passwords", "rationale": "The password policy allowed password reuse. 
As a result, password complexity requirements were not in line with security best practice.", "remediation": "Ensure the password policy is configured to prevent password reuse", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.10" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.10" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.10" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.10" ], "dashboard_name": "Password policy", "path": "iam.password_policy.PasswordReusePrevention", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-role-with-inline-policies.json ================================================ { "description": "Role with Inline Policies", "rationale": "An inline policy is a policy that's embedded in an IAM identity (a user, group, or role). These policies are harder to audit and manage, and should be deprecated in favor of managed policies.", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#best-practice-managed-vs-inline", "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html" ], "dashboard_name": "Roles", "path": "iam.roles.id", "conditions": [ "and", [ "iam.roles.id.", "withKey", "inline_policies" ], [ "iam.roles.id.inline_policies", "notEmpty", "" ] ], "id_suffix": "inline_policies" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-root-account-no-hardware-mfa.json ================================================ { "description": "Root Account without Hardware MFA", "rationale": "The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.", "remediation": "Enable a hardware MFA device for the root account", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.13" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.14" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.14" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.13", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_mfa" ], "dashboard_name": "Accounts", "path": "iam.credential_reports.id", "conditions": [ "and", [ "iam.credential_reports.id.name", "equal", "" ], [ "or", [ "iam.credential_reports.id.mfa_active", "notTrue", "" ], [ "iam.credential_reports.id.mfa_active_hardware", "false", "" ] ], [ "iam.credential_reports.id.partition", "notEqual", "aws-us-gov" ] ], "keys": [ "this" ], "id_suffix": "mfa_active_hardware" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-root-account-no-mfa.json ================================================ { "description": "Root Account without MFA", "rationale": "The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password.
With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.", "remediation": "Enable MFA for the root account", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.13" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.13" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.13", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_mfa" ], "dashboard_name": "Accounts", "path": "iam.credential_reports.id", "conditions": [ "and", [ "iam.credential_reports.id.name", "equal", "" ], [ "iam.credential_reports.id.mfa_active", "notTrue", "" ], [ "iam.credential_reports.id.partition", "notEqual", "aws-us-gov" ] ], "keys": [ "this" ], "id_suffix": "mfa_active" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-root-account-used-recently.json ================================================ { "description": "Root Account Used Recently", "rationale": "The root account is the most privileged user in an account. 
As a best practice, the root account should only be used when required for root-only tasks.", "remediation": "Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.1" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.1" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.1" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-standards-cis-controls-1.1", "https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-use", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_review-access", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_document-processes", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_monitor-access" ], "dashboard_name": "Root account", "path": "iam.credential_reports.id", "conditions": [ "and", [ "iam.credential_reports.id.password_last_used", "notNull", "" ], [ "iam.credential_reports.id.password_last_used", "newerThan", [ "90", "days" ] ], [ "iam.credential_reports.id.name", "equal", "" ] ], "id_suffix": "password_last_used" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-root-account-with-active-certs.json ================================================ { "description": "Root Account Has Active X.509 Certs", "rationale": "Root account X.509 certificates should be deleted as they may be used to make SOAP-protocol requests in the context of the root 
account.", "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-standards-cis-controls-1.1", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-use" ], "dashboard_name": "Root account", "path": "iam.credential_reports.id", "conditions": [ "and", [ "iam.credential_reports.id.name", "equal", "" ], [ "or", [ "iam.credential_reports.id.cert_1_active", "true", "" ], [ "iam.credential_reports.id.cert_2_active", "true", "" ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-root-account-with-active-keys.json ================================================ { "description": "Root Account Has Active Keys", "rationale": "AWS root account access keys should be deleted as they provide unrestricted access to the AWS Account.", "remediation": "Delete or disable active root account access keys", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.12" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.12" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.12" } ], "references": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-standards-cis-controls-1.1", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-use", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_review-access", "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-acct_document-processes" ], "dashboard_name": "Root account", "path": "iam.credential_reports.id", "conditions": [ "and", [ "iam.credential_reports.id.name", "equal", "" ], [ "or", [ 
"iam.credential_reports.id.access_key_1_active", "true", "" ], [ "iam.credential_reports.id.access_key_2_active", "true", "" ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-service-user-with-password.json ================================================ { "description": "Service User with Password Enabled", "rationale": "A user meant to be used for a service or application not hosted in AWS was found to have password authentication enabled. This goes against security best practice, which recommends that these types of users should only have API authentication enabled, to minimize the likelihood of account compromise.", "dashboard_name": "Users", "path": "iam.users.id", "conditions": [ "and", [ "iam.users.id.", "withKey", "LoginProfile" ], [ "iam.users.id.groups", "containAtLeastOneOf", "_ARG_0_" ] ], "arg_names": [ "Group for service users" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-unused-credentials-not-disabled.json ================================================ { "description": "Credentials Unused for _ARG_0_ Days or Greater Are Not Disabled", "rationale": "Disabling or removing unnecessary credentials will reduce the window of opportunity for compromised accounts to be used.", "remediation": "Ensure that all credentials (including passwords and access keys) have been used and changed in the last _ARG_0_ days", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.3" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.3" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.3" } ], "dashboard_name": "Users", "path": "iam.credential_reports.id", "conditions": [ "or", [ "and", [ "iam.credential_reports.id.password_enabled", "true", "" ], [ "and", [ "iam.credential_reports.id.password_last_used", "notNull", "" ], [
"iam.credential_reports.id.password_last_used", "olderThan", [ "_ARG_0_", "days" ] ] ] ], [ "and", [ "iam.credential_reports.id.access_key_1_active", "true", "" ], [ "and", [ "iam.credential_reports.id.access_key_1_last_used_date", "notNull", "" ], [ "iam.credential_reports.id.access_key_1_last_used_date", "olderThan", [ "_ARG_0_", "days" ] ] ] ], [ "and", [ "iam.credential_reports.id.access_key_2_active", "true", "" ], [ "and", [ "iam.credential_reports.id.access_key_2_last_used_date", "notNull", "" ], [ "iam.credential_reports.id.access_key_2_last_used_date", "olderThan", [ "_ARG_0_", "days" ] ] ] ] ], "arg_names": [ "Period in days" ], "class_suffix": "unused_credentials" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-user-no-key-rotation.json ================================================ { "description": "Lack of Key Rotation for _ARG_1_ Days (Key Status: _ARG_0_)", "rationale": "In case of access key compromise, the lack of credential rotation increases the period during which an attacker has access to the AWS account.", "remediation": "Rotate access keys that have not been changed recently", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.4" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.4" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.4" } ], "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials" ], "dashboard_name": "Access keys", "display_path": "iam.users.id", "path": "iam.users.id.AccessKeys.id", "conditions": [ "and", [ "iam.users.id.AccessKeys.id.Status", "equal", "_ARG_0_" ], [ "iam.users.id.AccessKeys.id.CreateDate", "olderThan", [ "_ARG_1_", "days" ] ] ], "key": "iam-user-no-_ARG_0_-key-rotation.json", "arg_names": [ "Key status", "Rotation period" ] } ================================================ FILE: 
ScoutSuite/providers/aws/rules/findings/iam-user-not-in-category-group.json ================================================ { "description": "User Not in Category Group", "rationale": "This configuration goes against organizational policies.", "dashboard_name": "Users", "path": "iam.users.id", "conditions": [ "and", [ "iam.users.id.groups", "containNoneOf", "_ARG_0_" ] ], "arg_names": [ "Category groups" ], "id_suffix": "user_groups" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-user-not-in-common-group.json ================================================ { "description": "User Not in Common Group", "rationale": "This configuration goes against organizational policies.", "dashboard_name": "Users", "path": "iam.users.id", "conditions": [ "and", [ "iam.users.id.groups", "containNoneOf", "_ARG_0_" ] ], "arg_names": [ "Common group" ], "id_suffix": "user_groups" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-user-unused-access-key-initial-setup.json ================================================ { "description": "Users with Access Keys Created during Initial Setup and Not Used", "rationale": "Not creating access keys during initial user setup will avoid unnecessary management work and give more control over keys used somewhere in the organization.", "remediation": "Do not set up access keys during initial user setup.
Instead, require users to create the keys themselves or put in a support ticket to have them created", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.23" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.21" } ], "dashboard_name": "Users", "path": "iam.credential_reports.id", "conditions": [ "or", [ "and", [ "iam.credential_reports.id.access_key_1_active", "true", "" ], [ "iam.credential_reports.id.access_key_1_last_used_date", "equal", "None" ] ], [ "and", [ "iam.credential_reports.id.access_key_2_active", "true", "" ], [ "iam.credential_reports.id.access_key_2_last_used_date", "equal", "None" ] ] ], "class_suffix": "unused_access_keys" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-user-with-multiple-access-keys.json ================================================ { "description": "User with Multiple API Keys", "rationale": "The user was configured to have more than one active API key associated with the account. Redundant or unused API keys should be removed.", "references": [ "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html" ], "dashboard_name": "Users", "path": "iam.users.id", "conditions": [ "and", [ "iam.users.id.AccessKeys", "lengthMoreThan", "1" ], [ "iam.users.id.AccessKeys.0.Status", "equal", "Active" ], [ "iam.users.id.AccessKeys.1.Status", "equal", "Active" ] ], "keys": [ "iam.users.id.name", "iam.users.id.AccessKeys" ], "id_suffix": "multiple_api_keys" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-user-with-password-and-key.json ================================================ { "description": "User with Password and Keys Enabled", "rationale": "The user was found to be configured with both password and API keys for authentication. 
This is considered against security best practice.", "references": [ "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html", "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html" ], "dashboard_name": "Users", "path": "iam.users.id", "conditions": [ "and", [ "iam.users.id.", "withKey", "LoginProfile" ], [ "iam.users.id.AccessKeys", "notEmpty", "" ] ], "keys": [ "iam.users.id.name" ], "id_suffix": "password_and_keys" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-user-with-policies.json ================================================ { "description": "User with _ARG_0_ Policies", "rationale": "The user was found to be attached to inline policies. This can increase the complexity in user and policy management, and increase the risk of the user being assigned or retaining excessive permissions.", "remediation": "Ensure IAM policies are only attached to groups or roles", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.15" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.16" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.16" } ], "dashboard_name": "Users", "path": "iam.users.id", "conditions": [ "and", [ "iam.users.id.", "withKey", "_ARG_1_" ], [ "iam.users.id._ARG_1_", "notEmpty", "" ] ], "key": "iam-user-with-_ARG_0_-policies", "arg_names": [ "Type of policy", "Path to policies" ], "id_suffix": "_ARG_1_" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/iam-user-without-mfa.json ================================================ { "description": "User without MFA", "rationale": "All IAM users should have MFA. MFA adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.", "remediation": "Enable MFA for all users in the AWS account", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "1.2" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "1.2" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "1.2" } ], "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users", "https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_mfa" ], "dashboard_name": "Users", "path": "iam.users.id", "conditions": [ "and", [ "iam.users.id.", "withKey", "LoginProfile" ], [ "iam.users.id.MFADevices", "empty", "" ] ], "keys": [ "iam.users.id.name" ], "id_suffix": "mfa_enabled" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/kms-cmk-rotation-disabled.json ================================================ { "description": "KMS Customer Master Keys (CMKs) with Rotation Disabled", "rationale": "Cryptographic best practices discourage extensive reuse of encryption keys. Consequently, Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.

Note that AWS KMS supports optional automatic key rotation only for customer managed CMKs.", "remediation": "For every KMS Customer Master Key (CMK), ensure that \"Rotate this key every year\" is enabled", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "2.8" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "2.8" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "2.8" } ], "references": [ "https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html" ], "dashboard_name": "Keys", "display_path": "kms.regions.id.keys.id", "path": "kms.regions.id.keys.id", "conditions": [ "and", [ "kms.regions.id.keys.id.rotation_enabled", "false", "" ], [ "kms.regions.id.keys.id.origin", "equal", "AWS_KMS" ], [ "kms.regions.id.keys.id.key_manager", "equal", "CUSTOMER" ], [ "kms.regions.id.keys.id.key_enabled", "true", "" ] ], "id_suffix": "rotation_enabled" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-aws-configuration-changes.json ================================================ { "description": "No CloudWatch Alarm for \"AWS Configuration Changes\"", "rationale": "There was no CloudWatch alarm to monitor AWS configuration changes. 
Monitoring for AWS configuration changes will help ensure sustained visibility to changes performed in the AWS account.", "remediation": "Enable a CloudWatch alarm to detect AWS configuration changes.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.9" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.9" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.9" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.aws_configuration_changes", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-cloudtrail-configuration-changes.json ================================================ { "description": "No CloudWatch Alarm for \"CloudTrail Configuration Changes\"", "rationale": "There was no CloudWatch alarm to monitor CloudTrail configuration changes. 
Monitoring for CloudTrail policy changes will help ensure sustained visibility to activities performed in the AWS account.", "remediation": "Enable a CloudWatch alarm to monitor CloudTrail configuration changes.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.5" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.5" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.5" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.cloudtrail_configuration_changes", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-cmk-deletion.json ================================================ { "description": "No CloudWatch Alarm for \"Disabled or Deleted Master Keys\"", "rationale": "There was no CloudWatch alarm to alert about disabled or deleted master keys. 
Monitoring for disabled or deleted master keys can prevent permanent loss of data encrypted with such keys.", "remediation": "Enable a CloudWatch alarm to detect recently disabled or deleted master keys.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.7" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.7" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.7" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.cmk_deletion", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-console-authentication-failures.json ================================================ { "description": "No CloudWatch Alarm for \"Failed Console Authentications\"", "rationale": "There was no CloudWatch alarm for failed console authentication requests. 
Monitoring for failed console authentications can decrease the lead time to detect brute force attacks.", "remediation": "Enable a CloudWatch alarm to monitor failed authentication attempts.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.6" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.6" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.6" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.console_authentication_failures", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-iam-policy-changes.json ================================================ { "description": "No CloudWatch Alarm for \"IAM Policy Changes\"", "rationale": "There was no CloudWatch alarm to monitor IAM policy changes. 
Monitoring for IAM policy changes will help ensure authentication and authorization controls remain intact.", "remediation": "Enable a CloudWatch alarm to monitor IAM policy changes.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.4" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.4" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.4" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.iam_policy_changes", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-nacl-changes.json ================================================ { "description": "No CloudWatch Alarm for \"Network Access Control Lists Changes\"", "rationale": "There was no CloudWatch alarm to detect changes to NACL. 
Monitoring for NACL changes will help ensure that no service or resource is unintentionally exposed.", "remediation": "Enable a CloudWatch alarm to detect NACL changes.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.11" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.11" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.11" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.nacl_changes", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-network-gateways-changes.json ================================================ { "description": "No CloudWatch Alarm for \"Network Gateways Changes\"", "rationale": "There was no CloudWatch alarm to monitor changes in network gateways. Monitoring for network gateways changes will help ensure that all traffic traverses the VPC border via a controlled path.", "remediation": "Enable a CloudWatch alarm to detect network gateways changes.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.12" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.12" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.12" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.network_gateways_changes", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-root-usage.json ================================================ { "description": "No CloudWatch Alarm for \"Root Account Usage\"", "rationale": "There was no CloudWatch alarm for the usage of 
the root account. Monitoring for root account log ins will provide visibility into the use of a fully privileged account.", "remediation": "Enable a CloudWatch alarm to monitor the usage of the root account.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.3" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.3" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.3" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.root_usage", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-route-table-changes.json ================================================ { "description": "No CloudWatch Alarm for \"Route Table Changes\"", "rationale": "There was no CloudWatch alarm to monitor changes in route tables. 
Monitoring for route table changes will help ensure that all VPC traffic flows through an expected path.", "remediation": "Enable a CloudWatch alarm to detect route table changes.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.13" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.13" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.13" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.route_table_changes", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-s3-policy-changes.json ================================================ { "description": "No CloudWatch Alarm for \"S3 Bucket Policy Changes\"", "rationale": "There was no CloudWatch alarm to detect S3 bucket policy changes. 
Monitoring for S3 bucket policy changes may reduce the time to detect and fix permissive policies on sensitive S3 buckets.", "remediation": "Enable a CloudWatch alarm to detect policy changes in S3 buckets.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.8" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.8" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.8" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.s3_policy_changes", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-security-group-changes.json ================================================ { "description": "No CloudWatch Alarm for \"Security Group Changes\"", "rationale": "There was no CloudWatch alarm to monitor changes to security groups. 
Monitoring for security group changes will help ensure that no service or resource is unintentionally exposed.", "remediation": "Enable a CloudWatch alarm to monitor security group changes.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.10" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.10" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.10" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.security_group_changes", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-signin-without-mfa.json ================================================ { "description": "No CloudWatch Alarm for \"Console Logins without MFA\"", "rationale": "There was no CloudWatch alarm for console log ins without MFA. 
Monitoring for console log ins without MFA will provide visibility into the use of accounts not protected by Multi Factor Authentication (MFA).", "remediation": "Enable a CloudWatch alarm to monitor console log ins without MFA.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.2" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.2" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.2" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.console_login_mfa", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-unauthorized-api-calls.json ================================================ { "description": "No CloudWatch Alarm for \"Unauthorized API Calls\"", "rationale": "There was no CloudWatch alarm for unauthorized API calls. 
Monitoring for unauthorized API calls helps reveal application errors and detect malicious activity.", "remediation": "Enable a CloudWatch alarm to monitor unauthorized API calls.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.1" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.1" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.1" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.unauthorized_api_calls", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/logs-no-alarm-vpc-changes.json ================================================ { "description": "No CloudWatch Alarm for \"VPC Changes\"", "rationale": "There was no CloudWatch alarm to monitor VPC changes. Monitoring for VPC changes will help ensure authentication and authorization controls remain intact.", "remediation": "Enable a CloudWatch alarm to detect VPC changes.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "3.14" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "3.14" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "3.14" } ], "dashboard_name": "Alarms", "path": "cloudwatch.regions.id.metric_filters.id", "conditions": [ "or", [ "cloudwatch.regions.id.metric_filters_pattern_checks.vpc_changes", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-instance-backup-disabled.json ================================================ { "description": "Instance Backups Disabled", "rationale": "The backup retention period is a period of time between 0 and 35 days for which you can perform a point-in-time restore. 
Setting the backup retention period to 0 disables automated backups. Backups should be enabled to enable disaster recovery.", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html", "https://aws.amazon.com/rds/details/backup/", "https://aws.amazon.com/rds/faqs/" ], "dashboard_name": "Instances", "path": "rds.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "rds.regions.id.vpcs.id.instances.id.is_read_replica", "false", "" ], [ "rds.regions.id.vpcs.id.instances.id.BackupRetentionPeriod", "lessThan", "1" ] ], "id_suffix": "BackupRetentionPeriod" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-instance-ca-certificate-deprecated.json ================================================ { "description": "Deprecated Certificate Authority Assigned to RDS Instance", "rationale": "Amazon Web Services is deprecating the RDS Certificate Authority created in 2015 (rds-ca-2015). Any endpoints using TLS to protect RDS communications will fail after March 5th, 2020.", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html" ], "dashboard_name": "Instances", "path": "rds.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "rds.regions.id.vpcs.id.instances.id.CACertificateIdentifier", "containAtLeastOneOf", [ "rds-ca-2015" ] ] ], "id_suffix": "CACertificateIdentifier" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-instance-no-minor-upgrade.json ================================================ { "description": "Auto Minor Version Upgrade Disabled", "rationale": "Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. 
Minor version upgrades often patch security vulnerabilities and fix bugs, and therefore should be applied.", "references": [ "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/", "https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-enhances-auto-minor-version-upgrades/" ], "dashboard_name": "Instances", "path": "rds.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "rds.regions.id.vpcs.id.instances.id.AutoMinorVersionUpgrade", "false", "" ], [ "rds.regions.id.vpcs.id.instances.id.Engine", "notEqual", "sqlserver-se" ] ], "id_suffix": "AutoMinorVersionUpgrade" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-instance-publicly-accessible.json ================================================ { "description": "RDS Instance Publicly Accessible", "rationale": "Instances should not be publicly accessible as this risks exposing sensitive data.", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding" ], "dashboard_name": "Instances", "path": "rds.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "rds.regions.id.vpcs.id.instances.id.PubliclyAccessible", "true", "" ] ], "id_suffix": "PubliclyAccessible" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-instance-short-backup-retention-period.json ================================================ { "description": "Short Backup Retention Period", "rationale": "The backup retention period is a period of time between 0 and 35 days for which you can perform a point-in-time restore. Setting the backup retention period to 0 disables automated backups.

It is recommended that the retention period is set to at least 30 days. Having a short retention period will impact how far back in time the database can be restored to, and may affect integrity and availability of data.", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html", "https://aws.amazon.com/rds/details/backup/", "https://aws.amazon.com/rds/faqs/" ], "dashboard_name": "Instances", "path": "rds.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "rds.regions.id.vpcs.id.instances.id.BackupRetentionPeriod", "moreThan", "0" ], [ "rds.regions.id.vpcs.id.instances.id.BackupRetentionPeriod", "lessThan", "30" ] ], "id_suffix": "BackupRetentionPeriod" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-instance-single-az.json ================================================ { "description": "Single AZ RDS Instance", "rationale": "With a single-AZ deployment configuration, should an availability zone specific database failure occur, Amazon RDS cannot automatically fail over to a standby availability zone.", "references": [ "https://aws.amazon.com/rds/features/multi-az/" ], "dashboard_name": "Instances", "path": "rds.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "rds.regions.id.vpcs.id.instances.id.MultiAZ", "false", "" ] ], "id_suffix": "MultiAZ" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-instance-storage-not-encrypted.json ================================================ { "description": "Instance Storage Not Encrypted", "rationale": "Data-at-rest should be encrypted.", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html" ], "dashboard_name": "Instances", "path": "rds.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "rds.regions.id.vpcs.id.instances.id.StorageEncrypted", "false", "" ] ], "id_suffix": 
"StorageEncrypted" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-postgres-instance-with-invalid-certificate.json ================================================ { "description": "Legacy SSL Certificate (PostgreSQL)", "rationale": "This instance was created prior to August 5, 2014. Consequently, it uses the DB instance endpoint in the Common Name (CN) field of the SSL certificate. Prior to August 5, 2014, SSL certificate verification was not available for VPC-based SQL Server instances. If you have a VPC-based SQL Server DB instance that was created before August 5, 2014, and you want to use SSL certificate verification and ensure that the instance endpoint is included as the CN for the SSL certificate for that DB instance, then rename the instance. When you rename a DB instance, a new certificate is deployed and the instance is rebooted to enable the new certificate.", "references": [ "https://aws.amazon.com/about-aws/whats-new/2017/02/amazon-rds-for-sql-server-supports-forced-ssl/", "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Concepts.General.SSL.Using.html" ], "dashboard_name": "Instances", "path": "rds.regions.id.vpcs.id.instances.id", "conditions": [ "and", [ "rds.regions.id.vpcs.id.instances.id.Engine", "equal", "postgres" ], [ "rds.regions.id.vpcs.id.instances.id.DBInstanceStatus", "notEqual", "creating" ], [ "rds.regions.id.vpcs.id.instances.id.InstanceCreateTime", "priorToDate", "08/05/2014" ] ], "id_suffix": "pgsslcert" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-security-group-allows-all.json ================================================ { "description": "Security Group Allows All IP Addresses", "rationale": "The security group allows access to RDS instances from any source address, which creates a wider attack surface for resources assigned to it. 
Source address restrictions should be implemented", "dashboard_name": "Security Groups", "display_path": "rds.regions.id.vpcs.id.security_groups.id", "path": "rds.regions.id.vpcs.id.security_groups.id.ip_ranges", "conditions": [ "and", [ "rds.regions.id.vpcs.id.security_groups.id.ip_ranges", "containAtLeastOneOf", [ "0.0.0.0/0", "::/0" ] ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/rds-snapshot-public.json ================================================ { "description": "Publicly Accessible Snapshot", "rationale": "Snapshots should never be public, as this risks exposing sensitive data.", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html" ], "dashboard_name": "Snapshots", "display_path": "rds.regions.id.vpcs.id.snapshots.id", "path": "rds.regions.id.vpcs.id.snapshots.id.attributes.id", "conditions": [ "and", [ "rds.regions.id.vpcs.id.snapshots.id.attributes.id.AttributeName", "equal", "restore" ], [ "rds.regions.id.vpcs.id.snapshots.id.attributes.id.AttributeValues", "containAtLeastOneOf", "all" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/redshift-cluster-database-not-encrypted.json ================================================ { "description": "Cluster Database Encryption Disabled", "rationale": "Data-at-rest should be encrypted.", "references": [ "https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html" ], "dashboard_name": "Clusters", "path": "redshift.regions.id.vpcs.id.clusters.id", "conditions": [ "and", [ "redshift.regions.id.vpcs.id.clusters.id.Encrypted", "false", "" ] ], "id_suffix": "Encrypted" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/redshift-cluster-no-version-upgrade.json ================================================ { "description": "Version Upgrade Disabled", "rationale": "Version upgrade is necessary to 
ensure major version upgrades will be applied automatically to the cluster within the maintenance window.", "references": [ "https://docs.aws.amazon.com/redshift/latest/APIReference/API_ModifyCluster.html" ], "dashboard_name": "Clusters", "path": "redshift.regions.id.vpcs.id.clusters.id", "conditions": [ "and", [ "redshift.regions.id.vpcs.id.clusters.id.AllowVersionUpgrade", "false", "" ] ], "id_suffix": "AllowVersionUpgrade" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/redshift-cluster-publicly-accessible.json ================================================ { "description": "Cluster Publicly Accessible", "rationale": "Redshift clusters should never be public, as this increases the risk of exposing sensitive data. Public accessibility means that other AWS users can access your cluster and the data stored in it.", "references": [ "https://docs.aws.amazon.com/redshift/latest/gsg/getting-started.html" ], "dashboard_name": "Clusters", "path": "redshift.regions.id.vpcs.id.clusters.id", "conditions": [ "and", [ "redshift.regions.id.vpcs.id.clusters.id.PubliclyAccessible", "true", "" ] ], "id_suffix": "PubliclyAccessible" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/redshift-parameter-group-logging-disabled.json ================================================ { "description": "User Activity Logging Disabled", "rationale": "Audit logging is not enabled by default in Amazon Redshift. A lack of user activity logging could impede the ability to investigate issues involving misuse, malicious access or performance.

Note that this rule will only flag non-default parameter groups, as default parameter groups cannot be modified. It is recommended to use custom groups and configure them according to security best practice.", "references": [ "https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html" ], "dashboard_name": "Parameter Groups", "path": "redshift.regions.id.parameter_groups.id", "conditions": [ "and", [ "redshift.regions.id.parameter_groups.id.is_default", "false", "" ], [ "redshift.regions.id.parameter_groups.id.parameters.enable_user_activity_logging.value", "false", "" ] ], "id_suffix": "enable_user_activity_logging" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/redshift-parameter-group-ssl-not-required.json ================================================ { "description": "SSL Not Required", "rationale": "Parameter groups associated with Redshift clusters should have the \"require_ssl\" parameter enabled, to ensure that data in transit is encrypted.

Note that this rule will only flag non-default parameter groups, as default parameter groups cannot be modified. It is recommended to use custom groups and configure them according to security best practice.", "references": [ "https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html" ], "dashboard_name": "Parameter Groups", "path": "redshift.regions.id.parameter_groups.id", "conditions": [ "and", [ "redshift.regions.id.parameter_groups.id.is_default", "false", "" ], [ "redshift.regions.id.parameter_groups.id.parameters.require_ssl.value", "false", "" ] ], "id_suffix": "require_ssl" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/redshift-security-group-whitelists-all.json ================================================ { "description": "Security Group Allows All Traffic", "rationale": "The security group allows access to Redshift instances from any source address, which creates a wider attack surface for resources assigned to it. 
Source address restrictions should be implemented", "dashboard_name": "Security Groups", "display_path": "redshift.regions.id.vpcs.id.security_groups.id", "path": "redshift.regions.id.vpcs.id.security_groups.id.IPRanges.id.CIDRIP", "conditions": [ "and", [ "this", "equal", "0.0.0.0/0" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/route53-domain-no-autorenew.json ================================================ { "description": "Automatic Renewal Not Set for Domain", "rationale": "Enable automatic renewal to remove the risk of losing control over your domain names.", "references": [ "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-enable-disable-auto-renewal.html" ], "dashboard_name": "Domains", "path": "route53.regions.id.domains.id", "conditions": [ "and", [ "auto_renew", "false", "" ] ], "id_suffix": "auto_renew" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/route53-domain-no-transferlock.json ================================================ { "description": "Domain Transfer Not Locked", "rationale": "A domain lock prevents someone from transferring your domain to another registrar without your permission.", "references": [ "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-lock.html" ], "dashboard_name": "Domains", "path": "route53.regions.id.domains.id", "conditions": [ "and", [ "transfer_lock", "false", "" ] ], "id_suffix": "transfer_lock" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/route53-domain-transferlock-not-authorized.json ================================================ { "description": "Domain Transfer Lock Not Supported by TLD", "rationale": "A domain lock prevents someone from transferring your domain to another registrar without your permission. 
Your domain's TLD does not support this feature.", "references": [ "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar-tld-list.html" ], "dashboard_name": "Domains", "path": "route53.regions.id.domains.id", "conditions": [ "and", [ "name", "match", [ ".*\\.ch$", ".*\\.cl$", ".*\\.co.nz$", ".*\\.co.za$", ".*\\.com.ar$", ".*\\.com.au$", ".*\\.de$", ".*\\.es$", ".*\\.eu$", ".*\\.fi$", ".*\\.fr$", ".*\\.it$", ".*\\.jp$", ".*\\.net.au$", ".*\\.net.nz$", ".*\\.nl$", ".*\\.org.nz$", ".*\\.qa$", ".*\\.ru$", ".*\\.se$" ] ] ], "id_suffix": "transfer_lock" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/s3-bucket-allowing-cleartext.json ================================================ { "description": "Bucket Allowing Clear Text (HTTP) Communication", "rationale": "If HTTPS is not enforced by the bucket policy, communication between clients and S3 buckets can use unencrypted HTTP. As a result, sensitive information could be transmitted in clear text over the network or the Internet.", "references": [ "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html" ], "dashboard_name": "Buckets", "path": "s3.buckets.id", "conditions": [ "and", [ "s3.buckets.id.secure_transport_enabled", "false", "" ] ], "id_suffix": "secure_transport_enabled" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/s3-bucket-no-default-encryption.json ================================================ { "description": "Bucket without Default Encryption Enabled", "rationale": "Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket. 
This will ensure that data at rest is encrypted.", "references": [ "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html", "https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html" ], "dashboard_name": "Buckets", "path": "s3.buckets.id", "conditions": [ "and", [ "s3.buckets.id.default_encryption_enabled", "false", "" ] ], "id_suffix": "default_encryption_enabled" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/s3-bucket-no-logging.json ================================================ { "description": "Bucket Access Logging Disabled", "rationale": "Server access logging provides detailed records of the requests that are made to a bucket. Server access logs can assist you in security and access audits, help you learn about your customer base, and understand your Amazon S3 bill.

Note: CloudTrail data events can be used in place of S3 bucket logging. If that is the case, this finding can be considered a false positive.", "remediation": "Ensure that S3 buckets have Logging enabled", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "2.6" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "2.6" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "2.6" } ], "references": [ "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html" ], "dashboard_name": "Buckets", "path": "s3.buckets.id", "conditions": [ "and", [ "s3.buckets.id.logging", "equal", "Disabled" ] ], "id_suffix": "logging" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/s3-bucket-no-mfa-delete.json ================================================ { "description": "Bucket without MFA Delete", "rationale": "Enable MFA delete to help protect objects from accidental or unauthorized deletion. It should be noted that MFA Delete can only be configured on buckets that have versioning enabled.", "references": [ "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html" ], "dashboard_name": "Buckets", "path": "s3.buckets.id", "conditions": [ "and", [ "s3.buckets.id.version_mfa_delete_enabled", "false", "" ] ], "id_suffix": "mfa_delete" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/s3-bucket-no-versioning.json ================================================ { "description": "Bucket without Versioning", "rationale": "Versioning is a means of keeping multiple variants of an object in the same bucket. 
With versioning, you can easily recover from both unintended user actions and application failures.", "references": [ "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html" ], "dashboard_name": "Buckets", "path": "s3.buckets.id", "conditions": [ "and", [ "s3.buckets.id.versioning_status_enabled", "false", "" ] ], "id_suffix": "versioning" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/s3-bucket-world-acl.json ================================================ { "description": "_ARG_2_", "rationale": "An S3 bucket has been found that was accessible for _ARG_0_. If sensitive information is stored in this bucket, it could be at risk of being accessed by potential attackers.", "dashboard_name": "Bucket ACLs", "display_path": "s3.buckets.id", "path": "s3.buckets.id.grantees.id", "conditions": [ "and", [ "s3.buckets.id.grantees.id.", "withKey", "URI" ], [ "s3.buckets.id.grantees.id.URI", "equal", "http://acs.amazonaws.com/groups/global/_ARG_0_" ], [ "s3.buckets.id.grantees.id.permissions._ARG_1_", "true", "" ] ], "key": "s3-bucket-_ARG_0_-_ARG_1_", "arg_names": [ "Grantee", "Permission", "Description", "Level" ], "id_suffix": "_ARG_1_" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/s3-bucket-world-policy-arg.json ================================================ { "description": "_ARG_0_ Actions Authorized to All Principals", "rationale": "Allowing IAM actions to all principals is contrary to the principle of least privilege and presents an opportunity for abuse. 
This policy should be reviewed to ensure it is secure and in line with the resource's intended use.", "dashboard_name": "Bucket Policy Statements", "display_path": "s3.buckets.id", "path": "s3.buckets.id.policy.Statement.id", "conditions": [ "and", [ "s3.buckets.id.", "withKey", "policy" ], [ "s3.buckets.id.policy.Statement.id.Effect", "equal", "Allow" ], [ "s3.buckets.id.policy.Statement.id.", "withoutKey", "Condition" ], [ "s3.buckets.id.policy.Statement.id.", "containAction", "_ARG_1_" ], [ "s3.buckets.id.policy.Statement.id.Action", "containNoneOf", [ "s3:*", "*" ] ], [ "_INCLUDE_(conditions/policy-statement-any-principal.json)", [ "_STATEMENT_" ], [ "s3.buckets.id.policy.Statement.id" ] ], [ "_INCLUDE_(conditions/policy-statement-poor-condition.json)", [ "_STATEMENT_" ], [ "s3.buckets.id.policy.Statement.id" ] ] ], "key": "s3-bucket-world-_ARG_0_-policy", "keys": [ "s3.buckets.id", "this", "s3.buckets.id.policy.Statement.id.Principal" ], "arg_names": [ "Action shortname", "Service:Action" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/s3-bucket-world-policy-star.json ================================================ { "description": "All Actions Authorized to All Principals", "rationale": "Allowing IAM actions to all principals is contrary to the principle of least privilege and presents an opportunity for abuse. 
This policy should be reviewed to ensure it is secure and in line with the resource's intended use.", "remediation": "Remove any Statement having an Effect set to Allow and a Principal set to \"*\" or {\"AWS\":\"*\"} in the affected bucket policy", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "2.3" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "2.3" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "2.3" } ], "dashboard_name": "Bucket Policy Statements", "display_path": "s3.buckets.id", "path": "s3.buckets.id.policy.Statement.id", "conditions": [ "and", [ "s3.buckets.id.", "withKey", "policy" ], [ "s3.buckets.id.policy.Statement.id.Effect", "equal", "Allow" ], [ "s3.buckets.id.policy.Statement.id.Action", "containAtLeastOneOf", [ "s3:*", "*" ] ], [ "_INCLUDE_(conditions/policy-statement-any-principal.json)", [ "_STATEMENT_" ], [ "s3.buckets.id.policy.Statement.id" ] ], [ "_INCLUDE_(conditions/policy-statement-poor-condition.json)", [ "_STATEMENT_" ], [ "s3.buckets.id.policy.Statement.id" ] ] ], "arg_names": [ "Action shortname", "Service:Action" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ses-identity-dkim-not-enabled.json ================================================ { "description": "DKIM Not Enabled", "rationale": "DKIM signing is not enabled for emails sent from the identity.", "references": [ "https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-authentication-dkim.html" ], "dashboard_name": "Identities", "path": "ses.regions.id.identities.id", "conditions": [ "and", [ "DkimEnabled", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ses-identity-dkim-not-verified.json ================================================ { "description": "DKIM Not Verified", "rationale": "Amazon SES has not verified the DKIM 
DNS records (tokens) published in the domain name's DNS.", "references": [ "https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-authentication-dkim.html" ], "dashboard_name": "Identities", "path": "ses.regions.id.identities.id", "conditions": [ "and", [ "DkimEnabled", "true", "" ], [ "DkimVerificationStatus", "notEqual", "Success" ] ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/ses-identity-world-policy.json ================================================ { "description": "_ARG_0_ Authorized to All Principals", "rationale": "Allowing IAM actions to all principals is contrary to the principle of least privilege and presents an opportunity for abuse. This policy should be reviewed to ensure it is secure and in line with the resource's intended use.", "dashboard_name": "Statements", "display_path": "ses.regions.id.identities.id", "path": "ses.regions.id.identities.id.policies.id.Statement.id", "conditions": [ "and", [ "ses.regions.id.identities.id.policies.id.Statement.id.Effect", "equal", "Allow" ], [ "ses.regions.id.identities.id.policies.id.Statement.id.", "containAction", "ses:_ARG_0_" ], [ "_INCLUDE_(conditions/policy-statement-any-principal.json)", [ "_STATEMENT_" ], [ "ses.regions.id.identities.id.policies.id.Statement.id" ] ], [ "_INCLUDE_(conditions/policy-statement-poor-condition.json)", [ "_STATEMENT_" ], [ "ses.regions.id.identities.id.policies.id.Statement.id" ] ] ], "key": "ses-identity-world-_ARG_0_-policy", "arg_names": [ "SES action" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/sns-topic-world-policy.json ================================================ { "description": "_ARG_0_ Authorized to All Principals", "rationale": "Allowing IAM actions to all principals is contrary to the principle of least privilege and presents an opportunity for abuse. 
This policy should be reviewed to ensure it is secure and in line with the resource's intended use.", "dashboard_name": "Statements", "display_path": "sns.regions.id.topics.id", "path": "sns.regions.id.topics.id.Policy.Statement.id", "conditions": [ "and", [ "sns.regions.id.topics.id.Policy", "notNull", "" ], [ "sns.regions.id.topics.id.Policy.Statement.id.Effect", "equal", "Allow" ], [ "sns.regions.id.topics.id.Policy.Statement.id.", "containAction", "SNS:_ARG_0_" ], [ "_INCLUDE_(conditions/policy-statement-any-principal.json)", [ "_STATEMENT_" ], [ "sns.regions.id.topics.id.Policy.Statement.id" ] ], [ "_INCLUDE_(conditions/policy-statement-poor-condition.json)", [ "_STATEMENT_" ], [ "sns.regions.id.topics.id.Policy.Statement.id" ] ] ], "key": "sns-topic-world-_ARG_0_-policy", "arg_names": [ "SNS action" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/sqs-queue-server-side-encryption-disabled.json ================================================ { "description": "Queue with Encryption Disabled", "rationale": "SQS Server-Side Encryption ensures that the contents of messages in queues are encrypted.", "references": [ "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html" ], "dashboard_name": "Queues", "display_path": "sqs.regions.id.queues.id", "path": "sqs.regions.id.queues.id", "conditions": [ "and", [ "sqs.regions.id.queues.id.kms_master_key_id", "null", "" ], [ "sqs.regions.id.queues.id.sqs_managed_sse_enabled", "false", "" ] ], "id_suffix": "server-side-encryption-disabled" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/sqs-queue-world-policy.json ================================================ { "description": "_ARG_0_ Authorized to All Principals", "rationale": "Allowing IAM actions to all principals is contrary to the principle of least privilege and presents an opportunity for abuse. 
This policy should be reviewed to ensure it is secure and in line with the resource's intended use.", "dashboard_name": "Statements", "display_path": "sqs.regions.id.queues.id", "path": "sqs.regions.id.queues.id.Policy.Statement.id", "conditions": [ "and", [ "sqs.regions.id.queues.id.Policy", "notNull", "" ], [ "sqs.regions.id.queues.id.Policy.Statement.id.Effect", "equal", "Allow" ], [ "sqs.regions.id.queues.id.Policy.Statement.id.", "containAction", "sqs:_ARG_0_" ], [ "_INCLUDE_(conditions/policy-statement-any-principal.json)", [ "_STATEMENT_" ], [ "sqs.regions.id.queues.id.Policy.Statement.id" ] ], [ "_INCLUDE_(conditions/policy-statement-poor-condition.json)", [ "_STATEMENT_" ], [ "sqs.regions.id.queues.id.Policy.Statement.id" ] ] ], "key": "sqs-queue-world-_ARG_0_-policy", "arg_names": [ "SQS action" ] } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/vpc-custom-network-acls-allow-all.json ================================================ { "description": "Network ACLs Allow All _ARG_0_ Traffic (custom)", "rationale": "Network ACLs are designed to provide a secondary layer of security. 
Adding a rule that allows all network traffic (all protocols, IPs, and _ARG_1_) prior to any deny rule defeats the purpose of network ACLs.", "dashboard_name": "Network ACLs", "path": "vpc.regions.id.vpcs.id.network_acls.id", "conditions": [ "and", [ "allow_all__ARG_0__traffic", "notEqual", "0" ], [ "use_default__ARG_0__rules", "false", "" ] ], "key": "vpc-custom-network-acls-allow-all-_ARG_0_", "arg_names": [ "Direction of traffic (ingress or egress)", "Corresponding target (source or destination)" ], "id_suffix": "_ARG_0_._GET_VALUE_AT_(vpc.regions.id.vpcs.id.network_acls.id.allow_all__ARG_0__traffic)" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/vpc-default-network-acls-allow-all.json ================================================ { "description": "Network ACLs Allow All _ARG_0_ Traffic (default)", "rationale": "Network ACLs are designed to provide a secondary layer of security. Adding a rule that allows all network traffic (all protocols, IPs, and _ARG_1_) prior to any deny rule defeats the purpose of network ACLs.", "dashboard_name": "Network ACLs", "path": "vpc.regions.id.vpcs.id.network_acls.id", "conditions": [ "and", [ "allow_all__ARG_0__traffic", "notEqual", "0" ], [ "use_default__ARG_0__rules", "true", "" ] ], "key": "vpc-default-network-acls-allow-all-_ARG_0_", "arg_names": [ "Direction of traffic (ingress or egress)", "Corresponding target (source or destination)" ], "id_suffix": "_ARG_0_._GET_VALUE_AT_(vpc.regions.id.vpcs.id.network_acls.id.allow_all__ARG_0__traffic)" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/vpc-network-acl-not-used.json ================================================ { "description": "Unused Network ACLs", "rationale": "Maintaining unused resources increases risks of misconfigurations and increases the difficulty of audits.", "dashboard_name": "Network ACLs", "path": "vpc.regions.id.vpcs.id.network_acls.id", "conditions": [ 
"and", [ "IsDefault", "false", "" ], [ "Associations", "empty", "" ] ], "id_suffix": "unused" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/vpc-routing-tables-with-peering.json ================================================ { "description": "Routing Table with VPC Peering", "rationale": "Being highly selective in peering routing tables minimizes the impact of breach as resources outside of these routes are inaccessible to the peered VPC.", "remediation": "Ensure route tables contain the least number of subnets or hosts as is required to accomplish the purpose for peering", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.5" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.4" } ], "dashboard_name": "Rulesets", "path": "vpc.regions.id.peering_connections.id", "conditions": [ "and", [ "vpc.regions.id.peering_connections.id.VpcPeeringConnectionId", "null", "" ] ], "id_suffix": "default_with_rules" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/vpc-subnet-with-bad-acls.json ================================================ { "description": "Subnet with \"Allow All\" _ARG_0_ NACLs", "rationale": "Network ACLs associated with subnets and VPCs should not allow all _ARG_0_ traffic.", "dashboard_name": "Subnets", "path": "vpc.regions.id.vpcs.id.subnets.id", "conditions": [ "and", [ "vpc.regions.id.vpcs.id.network_acls._GET_VALUE_AT_(vpc.regions.id.vpcs.id.subnets.id.network_acl).allow_all__ARG_0__traffic", "notEqual", "0" ] ], "key": "vpc-subnet-with-allow-all-_ARG_0_-acls", "arg_names": [ "Direction of traffic (ingress or egress)", "Corresponding target (source or destination)" ], "id_suffix": "bad_nacls" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/vpc-subnet-with-default-acls.json ================================================ { 
"description": "Subnet with Default _ARG_0_ NACLs", "rationale": "Default _ARG_0_ network access control lists allow all network traffic (all protocols, IPs, and _ARG_1_), hence do not provide the secondary layer of security network ACLs are supposed to.", "dashboard_name": "Subnets", "path": "vpc.regions.id.vpcs.id.subnets.id", "conditions": [ "and", [ "vpc.regions.id.vpcs.id.network_acls._GET_VALUE_AT_(vpc.regions.id.vpcs.id.subnets.id.network_acl).use_default__ARG_0__rules", "true", "" ] ], "key": "vpc-subnet-with-default-_ARG_0_-acls", "arg_names": [ "Direction of traffic (ingress or egress)", "Corresponding target (source or destination)" ], "id_suffix": "DefaultNACLs" } ================================================ FILE: ScoutSuite/providers/aws/rules/findings/vpc-subnet-without-flow-log.json ================================================ { "description": "Subnet without a Flow Log", "rationale": "Flow logs enable the investigation of incidents involving unauthorized network traffic, such as an attacker exfiltrating data or pivoting to other hosts.", "remediation": "Create a flow log for each subnet.", "compliance": [ { "name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.3" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.3" }, { "name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "2.9" } ], "references": [ "https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html" ], "dashboard_name": "Subnets", "path": "vpc.regions.id.vpcs.id.subnets.id", "conditions": [ "or", [ "this", "withoutKey", "flow_logs" ], [ "flow_logs", "empty", "" ] ], "id_suffix": "no_flowlog" } ================================================ FILE: ScoutSuite/providers/aws/rules/rulesets/cis-1.2.0.json ================================================ { "about": "This ruleset covers most of the recommendations from the CIS Amazon Web Services Foundation v1.2.0.", "rules": { 
"cloudtrail-no-cloudwatch-integration.json": [ { "comment": "Recommendation 2.4", "enabled": true, "level": "danger", "scored": true } ], "cloudtrail-no-encryption-with-kms.json": [ { "comment": "Recommendation 2.7", "enabled": true, "level": "danger", "scored": true } ], "cloudtrail-no-log-file-validation.json": [ { "comment": "Recommendation 2.2", "enabled": true, "level": "danger", "scored": true } ], "cloudtrail-no-logging.json": [ { "comment": "Recommendation 2.1 (Part 1/2)", "enabled": true, "level": "danger", "scored": true } ], "cloudtrail-not-configured.json": [ { "comment": "Recommendation 2.1 (Part 2/2)", "enabled": true, "level": "danger", "scored": true } ], "config-recorder-not-configured.json": [ { "comment": "Recommendation 2.5", "enabled": true, "level": "danger", "scored": true } ], "ec2-default-security-group-in-use.json": [ { "comment": "Recommendation 4.3 (Part 2/2)", "enabled": true, "level": "danger", "scored": "true" } ], "ec2-default-security-group-with-rules.json": [ { "comment": "Recommendation 4.3 (Part 1/2)", "enabled": true, "level": "danger", "scored": "true" } ], "ec2-security-group-opens-known-port-to-all.json": [ { "args": [ "SSH", "TCP", "22" ], "comment": "Recommendation 4.1", "enabled": true, "level": "danger", "scored": true }, { "args": [ "RDP", "TCP", "3389" ], "comment": "Recommendation 4.2", "enabled": true, "level": "danger", "scored": true } ], "iam-managed-policy-allows-full-privileges.json": [ { "comment": "Recommendation 1.22", "enabled": true, "level": "danger", "scored": true } ], "iam-no-support-role.json": [ { "comment": "Recommendation 1.20", "enabled": true, "level": "danger", "scored": true } ], "iam-password-policy-expiration-threshold.json": [ { "args": [ "90" ], "comment": "Recommendation 1.11", "enabled": true, "level": "danger", "scored": true } ], "iam-password-policy-minimum-length.json": [ { "args": [ "14" ], "comment": "Recommendation 1.9", "enabled": true, "level": "danger", "scored": true } ], 
"iam-password-policy-no-lowercase-required.json": [ { "comment": "Recommendation 1.6", "enabled": true, "level": "danger", "scored": true } ], "iam-password-policy-no-number-required.json": [ { "comment": "Recommendation 1.8", "enabled": true, "level": "danger", "scored": true } ], "iam-password-policy-no-symbol-required.json": [ { "comment": "Recommendation 1.7", "enabled": true, "level": "danger", "scored": true } ], "iam-password-policy-no-uppercase-required.json": [ { "comment": "Recommendation 1.5", "enabled": true, "level": "danger", "scored": true } ], "iam-password-policy-reuse-enabled.json": [ { "comment": "Recommendation 1.10", "enabled": true, "level": "danger", "scored": true } ], "iam-root-account-no-hardware-mfa.json": [ { "comment": "Recommendation 1.14", "enabled": true, "level": "danger", "scored": true } ], "iam-root-account-no-mfa.json": [ { "comment": "Recommendation 1.13", "enabled": true, "level": "danger", "scored": true } ], "iam-root-account-used-recently.json": [ { "comment": "Recommendation 1.1", "enabled": true, "level": "danger", "scored": true } ], "iam-root-account-with-active-keys.json": [ { "comment": "Recommendation 1.12", "enabled": true, "level": "danger", "scored": true } ], "iam-unused-credentials-not-disabled.json": [ { "args": [ "90" ], "comment": "Recommendation 1.3", "enabled": true, "level": "danger", "scored": true } ], "iam-user-no-key-rotation.json": [ { "args": [ "Active", "90" ], "comment": "Recommendation 1.4", "enabled": true, "level": "danger", "scored": true } ], "iam-user-unused-access-key-initial-setup.json": [ { "comment": "Recommendation 1.21", "enabled": true, "level": "warning", "scored": false } ], "iam-user-with-policies.json": [ { "args": [ "inline", "inline_policies" ], "comment": "Recommendation 1.16 (Part 1/2)", "enabled": true, "level": "danger", "scored": true }, { "args": [ "managed", "policies" ], "comment": "Recommendation 1.16 (Part 2/2)", "enabled": true, "level": "danger", "scored": true } ], 
"iam-user-without-mfa.json": [ { "comment": "Recommendation 1.2", "enabled": true, "level": "danger", "scored": true } ], "kms-cmk-rotation-disabled.json": [ { "enabled": true, "level": "warning" } ], "logs-no-alarm-aws-configuration-changes.json": [ { "comment": "Recommendation 3.9", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-cloudtrail-configuration-changes.json": [ { "comment": "Recommendation 3.5", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-cmk-deletion.json": [ { "comment": "Recommendation 3.7", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-console-authentication-failures.json": [ { "comment": "Recommendation 3.6", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-iam-policy-changes.json": [ { "comment": "Recommendation 3.4", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-nacl-changes.json": [ { "comment": "Recommendation 3.11", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-network-gateways-changes.json": [ { "comment": "Recommendation 3.12", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-root-usage.json": [ { "comment": "Recommendation 3.3", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-route-table-changes.json": [ { "comment": "Recommendation 3.13", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-s3-policy-changes.json": [ { "comment": "Recommendation 3.8", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-security-group-changes.json": [ { "comment": "Recommendation 3.10", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-signin-without-mfa.json": [ { "comment": "Recommendation 3.2", "enabled": true, "level": "danger", "scored": true } ], "logs-no-alarm-unauthorized-api-calls.json": [ { "comment": "Recommendation 3.1", "enabled": true, "level": "danger", "scored": true } ], 
"logs-no-alarm-vpc-changes.json": [ { "comment": "Recommendation 3.14", "enabled": true, "level": "danger", "scored": true } ], "s3-bucket-no-logging.json": [ { "comment": "Recommendation 2.6", "enabled": true, "level": "danger", "scored": true } ], "s3-bucket-world-acl.json": [ { "args": [ "AllUsers", "read", "Bucket world-listable (anonymous)", "warning" ], "comment": "Recommendation 2.3 (Part 1/2)", "enabled": true, "level": "danger", "score": true }, { "args": [ "AllUsers", "read_acp", "Bucket's permissions world-readable (anonymous)", "warning" ], "comment": "Recommendation 2.3 (Part 1/2)", "enabled": true, "level": "danger", "score": true }, { "args": [ "AllUsers", "write", "Bucket world-writable (anonymous)", "danger" ], "comment": "Recommendation 2.3 (Part 1/2)", "enabled": true, "level": "danger", "score": true }, { "args": [ "AllUsers", "write_acp", "Bucket's permissions world-writable (anonymous)", "danger" ], "comment": "Recommendation 2.3 (Part 1/2)", "enabled": true, "level": "danger", "score": true }, { "args": [ "AuthenticatedUsers", "read", "Bucket world-listable", "danger" ], "comment": "Recommendation 2.3 (Part 1/2)", "enabled": true, "level": "danger", "score": true }, { "args": [ "AuthenticatedUsers", "read_acp", "Bucket's permissions world-readable", "warning" ], "comment": "Recommendation 2.3 (Part 1/2)", "enabled": true, "level": "danger", "score": true }, { "args": [ "AuthenticatedUsers", "write", "Bucket world-writable", "danger" ], "comment": "Recommendation 2.3 (Part 1/2)", "enabled": true, "level": "danger", "score": true }, { "args": [ "AuthenticatedUsers", "write_acp", "Bucket's permissions world-writable", "danger" ], "comment": "Recommendation 2.3 (Part 1/2)", "enabled": true, "level": "danger", "score": true } ], "s3-bucket-world-policy-star.json": [ { "comment": "Recommendation 2.3 (Part 2/2)", "enabled": true, "level": "danger", "score": true } ], "vpc-routing-tables-with-peering.json": [ { "comment": "Recommendation 4.4", 
"enabled": true, "level": "warning", "scored": "false" } ], "vpc-subnet-without-flow-log.json": [ { "comment": "Recommendation 2.9", "enabled": true, "level": "danger", "scored": true } ] } } ================================================ FILE: ScoutSuite/providers/aws/rules/rulesets/default.json ================================================ { "about": "This ruleset consists of numerous rules that are considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.", "rules": { "acm-certificate-with-close-expiration-date.json": [ { "args": [ "7" ], "enabled": true, "level": "warning" } ], "acm-certificate-with-transparency-logging-disabled.json": [ { "enabled": true, "level": "warning" } ], "cloudformation-stack-with-role.json": [ { "enabled": true, "level": "danger" } ], "cloudfront-distribution-cleartext-origin.json": [ { "enabled": true, "level": "warning" } ], "cloudfront-distribution-insecure-origin.json": [ { "enabled": true, "level": "warning" } ], "cloudfront-distribution-insufficient-viewer-security.json": [ { "enabled": true, "level": "warning" } ], "cloudtrail-duplicated-global-services-logging.json": [ { "enabled": true, "level": "warning" } ], "cloudtrail-no-cloudwatch-integration.json": [ { "enabled": true, "level": "warning" } ], "cloudtrail-no-data-logging.json": [ { "enabled": true, "level": "warning" } ], "cloudtrail-no-encryption-with-kms.json": [ { "enabled": true, "level": "danger" } ], "cloudtrail-no-global-services-logging.json": [ { "enabled": true, "level": "danger" } ], "cloudtrail-no-log-file-validation.json": [ { "enabled": true, "level": "danger" } ], "cloudtrail-no-logging.json": [ { "enabled": true, "level": "danger" } ], 
"cloudtrail-not-configured.json": [ { "enabled": true, "level": "danger" } ], "cloudtrail-partial-data-logging.json": [ { "enabled": true, "level": "warning" } ], "cloudwatch-alarm-without-actions.json": [ { "enabled": true, "level": "warning" } ], "config-recorder-not-configured.json": [ { "enabled": true, "level": "warning" } ], "ec2-ami-public.json": [ { "enabled": true, "level": "danger" } ], "ec2-default-security-group-in-use.json": [ { "enabled": true, "level": "warning" } ], "ec2-default-security-group-with-rules.json": [ { "enabled": true, "level": "warning" } ], "ec2-ebs-snapshot-not-encrypted.json": [ { "enabled": true, "level": "danger" } ], "ec2-ebs-snapshot-public.json": [ { "enabled": true, "level": "danger" } ], "ec2-ebs-volume-not-encrypted.json": [ { "enabled": true, "level": "danger" } ], "ec2-ebs-default-encryption-disabled.json": [ { "enabled": true, "level": "warning" } ], "ec2-instance-in-security-group.json": [ { "args": [ "_LIST_(BannedSecurityGroup)" ], "enabled": false, "level": "warning" } ], "ec2-instance-type.json": [ { "args": [ "t2.micro" ], "enabled": false, "level": "warning" } ], "ec2-instance-types.json": [ { "args": [ "beefy", "g3.4xlarge,g3.8xlarge,g3.16xlarge" ], "enabled": false, "level": "warning" } ], "ec2-instance-with-public-ip.json": [ { "enabled": false, "level": "warning" } ], "ec2-instance-with-user-data-secrets.json": [ { "enabled": true, "level": "danger" } ], "ec2-security-group-opens-all-ports-to-all.json": [ { "enabled": true, "level": "danger" } ], "ec2-security-group-opens-all-ports-to-self.json": [ { "enabled": true, "level": "warning" } ], "ec2-security-group-opens-all-ports.json": [ { "enabled": true, "level": "warning" } ], "ec2-security-group-opens-icmp-to-all.json": [ { "enabled": true, "level": "warning" } ], "ec2-security-group-opens-known-port-to-all.json": [ { "args": [ "MySQL", "TCP", "3306" ], "enabled": true, "level": "danger" }, { "args": [ "DNS", "UDP", "53" ], "enabled": true, "level": "danger" 
}, { "args": [ "MongoDB", "TCP", "27017" ], "enabled": true, "level": "danger" }, { "args": [ "MsSQL", "TCP", "1433" ], "enabled": true, "level": "danger" }, { "args": [ "Oracle DB", "TCP", "1521" ], "enabled": true, "level": "danger" }, { "args": [ "PostgreSQL", "TCP", "5432" ], "enabled": true, "level": "danger" }, { "args": [ "RDP", "TCP", "3389" ], "enabled": true, "level": "danger" }, { "args": [ "SSH", "TCP", "22" ], "enabled": true, "level": "danger" }, { "args": [ "NFS", "TCP", "2049" ], "enabled": true, "level": "danger" }, { "args": [ "SMTP", "TCP", "25" ], "enabled": true, "level": "danger" } ], "ec2-security-group-opens-plaintext-port.json": [ { "args": [ "FTP", "TCP", "21" ], "enabled": true, "level": "danger" }, { "args": [ "Telnet", "TCP", "23" ], "enabled": true, "level": "danger" } ], "ec2-security-group-opens-port-range.json": [ { "enabled": true, "level": "warning" } ], "ec2-security-group-opens-port-to-all.json": [ { "args": [ "TCP" ], "enabled": true, "level": "warning" }, { "args": [ "UDP" ], "enabled": true, "level": "warning" } ], "ec2-security-group-whitelists-aws-ip-from-banned-region.json": [ { "enabled": false, "level": "danger" } ], "ec2-security-group-whitelists-aws.json": [ { "enabled": true, "level": "danger" } ], "ec2-security-group-whitelists-non-elastic-ips.json": [ { "enabled": false, "level": "danger" } ], "ec2-security-group-whitelists-unknown-aws.json": [ { "enabled": false, "level": "danger" } ], "ec2-security-group-whitelists-unknown-cidrs.json": [ { "enabled": false, "level": "danger" } ], "ec2-unused-security-group.json": [ { "enabled": true, "level": "warning" } ], "elb-listener-allowing-cleartext.json": [ { "enabled": true, "level": "danger" } ], "elb-no-access-logs.json": [ { "enabled": true, "level": "warning" } ], "elb-older-ssl-policy.json": [ { "enabled": true, "level": "danger" } ], "elbv2-http-request-smuggling.json": [ { "enabled": true, "level": "danger" } ], "elbv2-listener-allowing-cleartext.json": [ { 
"enabled": true, "level": "danger" } ], "elbv2-no-access-logs.json": [ { "enabled": true, "level": "warning" } ], "elbv2-no-deletion-protection.json": [ { "enabled": true, "level": "warning" } ], "elbv2-older-ssl-policy.json": [ { "enabled": true, "level": "warning" } ], "iam-assume-role-lacks-external-id-and-mfa.json": [ { "enabled": true, "level": "danger" } ], "iam-assume-role-no-mfa.json": [ { "enabled": false, "level": "danger" } ], "iam-assume-role-policy-allows-all.json": [ { "enabled": true, "level": "danger" } ], "iam-ec2-role-without-instances.json": [ { "enabled": true, "level": "warning" } ], "iam-group-with-inline-policies.json": [ { "enabled": true, "level": "warning" } ], "iam-group-with-no-users.json": [ { "enabled": true, "level": "warning" } ], "iam-human-user-with-policies.json": [ { "args": [ "_LIST_(AllHumanUsers)", "managed", "policies" ], "enabled": false, "level": "danger" } ], "iam-inline-policy-allows-NotActions.json": [ { "args": [ "group" ], "enabled": true, "level": "danger" }, { "args": [ "role" ], "enabled": true, "level": "danger" }, { "args": [ "user" ], "enabled": true, "level": "danger" } ], "iam-inline-policy-allows-non-sts-action.json": [ { "args": [ "group" ], "enabled": false, "level": "danger" }, { "args": [ "role" ], "enabled": false, "level": "danger" }, { "args": [ "user" ], "enabled": false, "level": "danger" } ], "iam-inline-policy-for-role.json": [ { "args": [ "group", "iam", "PassRole" ], "enabled": true, "level": "danger" }, { "args": [ "group", "sts", "AssumeRole" ], "enabled": true, "level": "danger" }, { "args": [ "role", "iam", "PassRole" ], "enabled": true, "level": "danger" }, { "args": [ "role", "sts", "AssumeRole" ], "enabled": true, "level": "danger" }, { "args": [ "user", "iam", "PassRole" ], "enabled": true, "level": "danger" }, { "args": [ "user", "sts", "AssumeRole" ], "enabled": true, "level": "danger" } ], "iam-lightspin-user-action-denied-for-group.json": [ { "enabled": true, "level": "danger" } ], 
"iam-managed-policy-allows-NotActions.json": [ { "enabled": true, "level": "danger" } ], "iam-managed-policy-allows-full-privileges.json": [ { "enabled": true, "level": "danger" } ], "iam-managed-policy-allows-non-sts-action.json": [ { "enabled": false, "level": "danger" } ], "iam-managed-policy-for-role.json": [ { "args": [ "iam", "PassRole" ], "enabled": true, "level": "danger" }, { "args": [ "sts", "AssumeRole" ], "enabled": true, "level": "danger" } ], "iam-managed-policy-no-attachments.json": [ { "enabled": true, "level": "warning" } ], "iam-no-support-role.json": [ { "enabled": false, "level": "danger" } ], "iam-password-policy-expiration-threshold.json": [ { "args": [ "90" ], "enabled": true, "level": "danger" } ], "iam-password-policy-minimum-length.json": [ { "args": [ "14" ], "enabled": true, "level": "danger" } ], "iam-password-policy-no-expiration.json": [ { "enabled": true, "level": "danger" } ], "iam-password-policy-no-lowercase-required.json": [ { "enabled": false, "level": "danger" } ], "iam-password-policy-no-number-required.json": [ { "enabled": false, "level": "danger" } ], "iam-password-policy-no-symbol-required.json": [ { "enabled": false, "level": "danger" } ], "iam-password-policy-no-uppercase-required.json": [ { "enabled": false, "level": "danger" } ], "iam-password-policy-reuse-enabled.json": [ { "enabled": true, "level": "danger" } ], "iam-role-with-inline-policies.json": [ { "enabled": true, "level": "warning" } ], "iam-root-account-no-hardware-mfa.json": [ { "enabled": true, "level": "danger" } ], "iam-root-account-no-mfa.json": [ { "enabled": true, "level": "danger" } ], "iam-root-account-used-recently.json": [ { "enabled": true, "level": "danger" } ], "iam-root-account-with-active-certs.json": [ { "enabled": true, "level": "danger" } ], "iam-root-account-with-active-keys.json": [ { "enabled": true, "level": "danger" } ], "iam-service-user-with-password.json": [ { "args": [ "_LIST_(AllHeadlessUsers)" ], "enabled": false, "level": 
"warning" } ], "iam-unused-credentials-not-disabled.json": [ { "args": [ "90" ], "enabled": true, "level": "danger" } ], "iam-user-no-key-rotation.json": [ { "args": [ "Active", "90" ], "enabled": true, "level": "danger" }, { "args": [ "Inactive", "90" ], "enabled": true, "level": "warning" } ], "iam-user-not-in-category-group.json": [ { "args": [ "_LIST_(AllHumanUsers, AllHeadlessUsers)" ], "enabled": false, "level": "danger" } ], "iam-user-not-in-common-group.json": [ { "args": [ "_LIST_(AllUsers)" ], "enabled": false, "level": "danger" } ], "iam-user-unused-access-key-initial-setup.json": [ { "enabled": false, "level": "warning" } ], "iam-user-with-multiple-access-keys.json": [ { "enabled": true, "level": "warning" } ], "iam-user-with-password-and-key.json": [ { "enabled": true, "level": "warning" } ], "iam-user-with-policies.json": [ { "args": [ "inline", "inline_policies" ], "enabled": true, "level": "warning" } ], "iam-user-without-mfa.json": [ { "enabled": true, "level": "danger" } ], "kms-cmk-rotation-disabled.json": [ { "enabled": true, "level": "warning" } ], "logs-no-alarm-aws-configuration-changes.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-cloudtrail-configuration-changes.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-cmk-deletion.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-console-authentication-failures.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-iam-policy-changes.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-nacl-changes.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-network-gateways-changes.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-root-usage.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-route-table-changes.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-s3-policy-changes.json": [ { "enabled": false, "level": "danger" } ], 
"logs-no-alarm-security-group-changes.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-signin-without-mfa.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-unauthorized-api-calls.json": [ { "enabled": false, "level": "danger" } ], "logs-no-alarm-vpc-changes.json": [ { "enabled": false, "level": "danger" } ], "rds-instance-backup-disabled.json": [ { "enabled": true, "level": "danger" } ], "rds-instance-ca-certificate-deprecated.json": [ { "enabled": true, "level": "warning" } ], "rds-instance-no-minor-upgrade.json": [ { "enabled": true, "level": "danger" } ], "rds-instance-publicly-accessible.json": [ { "enabled": true, "level": "danger" } ], "rds-instance-short-backup-retention-period.json": [ { "enabled": true, "level": "warning" } ], "rds-instance-single-az.json": [ { "enabled": true, "level": "danger" } ], "rds-instance-storage-not-encrypted.json": [ { "enabled": true, "level": "warning" } ], "rds-postgres-instance-with-invalid-certificate.json": [ { "enabled": false, "level": "warning" } ], "rds-security-group-allows-all.json": [ { "enabled": true, "level": "danger" } ], "rds-snapshot-public.json": [ { "enabled": true, "level": "danger" } ], "redshift-cluster-database-not-encrypted.json": [ { "enabled": true, "level": "warning" } ], "redshift-cluster-no-version-upgrade.json": [ { "enabled": true, "level": "danger" } ], "redshift-cluster-publicly-accessible.json": [ { "enabled": true, "level": "warning" } ], "redshift-parameter-group-logging-disabled.json": [ { "enabled": true, "level": "warning" } ], "redshift-parameter-group-ssl-not-required.json": [ { "enabled": true, "level": "danger" } ], "redshift-security-group-whitelists-all.json": [ { "enabled": true, "level": "danger" } ], "route53-domain-no-autorenew.json": [ { "enabled": true, "level": "danger" } ], "route53-domain-no-transferlock.json": [ { "enabled": true, "level": "danger" } ], "route53-domain-transferlock-not-authorized.json": [ { "enabled": true, "level": 
"danger" } ], "s3-bucket-allowing-cleartext.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-no-default-encryption.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-no-logging.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-no-mfa-delete.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-no-versioning.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-world-acl.json": [ { "args": [ "AllUsers", "read", "Bucket world-listable (anonymous)", "warning" ], "enabled": true, "level": "warning" }, { "args": [ "AllUsers", "read_acp", "Bucket's permissions world-readable (anonymous)", "warning" ], "enabled": true, "level": "warning" }, { "args": [ "AllUsers", "write", "Bucket world-writable (anonymous)", "danger" ], "enabled": true, "level": "danger" }, { "args": [ "AllUsers", "write_acp", "Bucket's permissions world-writable (anonymous)", "danger" ], "enabled": true, "level": "danger" }, { "args": [ "AuthenticatedUsers", "read", "Bucket world-listable", "danger" ], "enabled": true, "level": "danger" }, { "args": [ "AuthenticatedUsers", "read_acp", "Bucket's permissions world-readable", "warning" ], "enabled": true, "level": "warning" }, { "args": [ "AuthenticatedUsers", "write", "Bucket world-writable", "danger" ], "enabled": true, "level": "danger" }, { "args": [ "AuthenticatedUsers", "write_acp", "Bucket's permissions world-writable", "danger" ], "enabled": true, "level": "danger" } ], "s3-bucket-world-policy-arg.json": [ { "args": [ "Delete", "s3:Delete*" ], "enabled": true, "level": "danger" }, { "args": [ "Get", "s3:Get*" ], "enabled": true, "level": "danger" }, { "args": [ "List", "s3:List*" ], "enabled": true, "level": "danger" }, { "args": [ "Put", "s3:Put*" ], "enabled": true, "level": "danger" } ], "s3-bucket-world-policy-star.json": [ { "enabled": true, "level": "danger" } ], "ses-identity-dkim-not-enabled.json": [ { "enabled": true, "level": "warning" } ], "ses-identity-dkim-not-verified.json": [ { 
"enabled": true, "level": "warning" } ], "ses-identity-world-policy.json": [ { "args": [ "SendEmail" ], "enabled": true, "level": "danger" }, { "args": [ "SendRawEmail" ], "enabled": true, "level": "danger" } ], "sns-topic-world-policy.json": [ { "args": [ "Publish" ], "enabled": true, "level": "danger" }, { "args": [ "Subscribe" ], "enabled": true, "level": "danger" }, { "args": [ "AddPermission" ], "enabled": true, "level": "danger" }, { "args": [ "RemovePermission" ], "enabled": true, "level": "danger" }, { "args": [ "GetTopicAttributes" ], "enabled": true, "level": "danger" }, { "args": [ "SetTopicAttributes" ], "enabled": true, "level": "danger" }, { "args": [ "ListSubscriptionsByTopic" ], "enabled": true, "level": "danger" }, { "args": [ "DeleteTopic" ], "enabled": true, "level": "danger" } ], "sqs-queue-server-side-encryption-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqs-queue-world-policy.json": [ { "args": [ "SendMessage" ], "enabled": true, "level": "danger" }, { "args": [ "ReceiveMessage" ], "enabled": true, "level": "danger" }, { "args": [ "PurgeQueue" ], "enabled": true, "level": "danger" }, { "args": [ "DeleteMessage" ], "enabled": true, "level": "danger" }, { "args": [ "ChangeMessageVisibility" ], "enabled": true, "level": "danger" }, { "args": [ "GetQueueAttributes" ], "enabled": true, "level": "warning" }, { "args": [ "GetQueueUrl" ], "enabled": true, "level": "warning" } ], "vpc-custom-network-acls-allow-all.json": [ { "args": [ "ingress", "source" ], "enabled": true, "level": "warning" }, { "args": [ "egress", "destination" ], "enabled": true, "level": "warning" } ], "vpc-default-network-acls-allow-all.json": [ { "args": [ "ingress", "source" ], "enabled": true, "level": "warning" }, { "args": [ "egress", "destination" ], "enabled": true, "level": "warning" } ], "vpc-network-acl-not-used.json": [ { "enabled": true, "level": "warning" } ], "vpc-routing-tables-with-peering.json": [ { "enabled": true, "level": "warning" } ], 
"vpc-subnet-with-bad-acls.json": [ { "args": [ "ingress", "source" ], "enabled": true, "level": "warning" }, { "args": [ "egress", "destination" ], "enabled": true, "level": "warning" } ], "vpc-subnet-with-default-acls.json": [ { "args": [ "ingress", "source" ], "enabled": false, "level": "warning" }, { "args": [ "egress", "destination" ], "enabled": false, "level": "warning" } ], "vpc-subnet-without-flow-log.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/aws/rules/rulesets/detailed.json ================================================ { "about": "This ruleset consists of numerous rules that are considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.", "rules": { "acm-certificate-with-close-expiration-date.json": [ { "args": [ "7" ], "enabled": true, "level": "warning" } ], "acm-certificate-with-transparency-logging-disabled.json": [ { "enabled": true, "level": "warning" } ], "cloudformation-stack-with-role.json": [ { "enabled": true, "level": "danger" } ], "cloudfront-distribution-cleartext-origin.json": [ { "enabled": true, "level": "warning" } ], "cloudfront-distribution-insecure-origin.json": [ { "enabled": true, "level": "warning" } ], "cloudfront-distribution-insufficient-viewer-security.json": [ { "enabled": true, "level": "warning" } ], "cloudtrail-duplicated-global-services-logging.json": [ { "enabled": true, "level": "warning" } ], "cloudtrail-no-cloudwatch-integration.json": [ { "enabled": true, "level": "warning" } ], "cloudtrail-no-data-logging.json": [ { "enabled": true, "level": "warning" } ], "cloudtrail-no-encryption-with-kms.json": [ { "enabled": true, "level": "danger" } ], 
"cloudtrail-no-global-services-logging.json": [ { "enabled": true, "level": "danger" } ], "cloudtrail-no-log-file-validation.json": [ { "enabled": true, "level": "danger" } ], "cloudtrail-no-logging.json": [ { "enabled": true, "level": "danger" } ], "cloudtrail-not-configured.json": [ { "enabled": true, "level": "danger" } ], "cloudtrail-partial-data-logging.json": [ { "enabled": true, "level": "warning" } ], "cloudwatch-alarm-without-actions.json": [ { "enabled": true, "level": "warning" } ], "config-recorder-not-configured.json": [ { "enabled": true, "level": "warning" } ], "ec2-ami-public.json": [ { "enabled": true, "level": "danger" } ], "ec2-default-security-group-in-use.json": [ { "enabled": true, "level": "warning" } ], "ec2-default-security-group-with-rules.json": [ { "enabled": true, "level": "warning" } ], "ec2-ebs-snapshot-not-encrypted.json": [ { "enabled": true, "level": "danger" } ], "ec2-ebs-snapshot-public.json": [ { "enabled": true, "level": "danger" } ], "ec2-ebs-volume-not-encrypted.json": [ { "enabled": true, "level": "danger" } ], "ec2-ebs-default-encryption-disabled.json": [ { "enabled": true, "level": "warning" } ], "ec2-instance-in-security-group.json": [ { "args": [ "_LIST_(BannedSecurityGroup)" ], "enabled": false, "level": "warning" } ], "ec2-instance-type.json": [ { "args": [ "t2.micro" ], "enabled": true, "level": "warning" } ], "ec2-instance-types.json": [ { "args": [ "beefy", "g3.4xlarge,g3.8xlarge,g3.16xlarge" ], "enabled": true, "level": "warning" } ], "ec2-instance-with-public-ip.json": [ { "enabled": true, "level": "warning" } ], "ec2-instance-with-user-data-secrets.json": [ { "enabled": true, "level": "danger" } ], "ec2-security-group-opens-all-ports-to-all.json": [ { "enabled": true, "level": "danger" } ], "ec2-security-group-opens-all-ports-to-self.json": [ { "enabled": true, "level": "warning" } ], "ec2-security-group-opens-all-ports.json": [ { "enabled": true, "level": "warning" } ], 
"ec2-security-group-opens-icmp-to-all.json": [ { "enabled": true, "level": "warning" } ], "ec2-security-group-opens-known-port-to-all.json": [ { "args": [ "MySQL", "TCP", "3306" ], "enabled": true, "level": "danger" }, { "args": [ "DNS", "UDP", "53" ], "enabled": true, "level": "danger" }, { "args": [ "MongoDB", "TCP", "27017" ], "enabled": true, "level": "danger" }, { "args": [ "MsSQL", "TCP", "1433" ], "enabled": true, "level": "danger" }, { "args": [ "Oracle DB", "TCP", "1521" ], "enabled": true, "level": "danger" }, { "args": [ "PostgreSQL", "TCP", "5432" ], "enabled": true, "level": "danger" }, { "args": [ "RDP", "TCP", "3389" ], "enabled": true, "level": "danger" }, { "args": [ "SSH", "TCP", "22" ], "enabled": true, "versions": { "in_use": { "conditions": [ [ "_INCLUDE_(conditions/ec2-security-group-in-use.json)", "", "" ] ], "level": "danger" }, "not_used": { "conditions": [ [ "_INCLUDE_(conditions/ec2-security-group-not-used.json)", "", "" ] ], "level": "warning" } } }, { "args": [ "NFS", "TCP", "2049" ], "enabled": true, "level": "danger" }, { "args": [ "SMTP", "TCP", "25" ], "enabled": true, "level": "danger" } ], "ec2-security-group-opens-plaintext-port.json": [ { "args": [ "FTP", "TCP", "21" ], "enabled": true, "level": "danger" }, { "args": [ "Telnet", "TCP", "23" ], "enabled": true, "level": "danger" } ], "ec2-security-group-opens-port-range.json": [ { "enabled": true, "level": "warning" } ], "ec2-security-group-opens-port-to-all.json": [ { "args": [ "TCP" ], "enabled": true, "level": "warning" }, { "args": [ "UDP" ], "enabled": true, "level": "warning" } ], "ec2-security-group-whitelists-aws-ip-from-banned-region.json": [ { "enabled": false, "level": "danger" } ], "ec2-security-group-whitelists-aws.json": [ { "enabled": true, "level": "danger" } ], "ec2-security-group-whitelists-non-elastic-ips.json": [ { "enabled": false, "level": "danger" } ], "ec2-security-group-whitelists-unknown-aws.json": [ { "enabled": false, "level": "danger" } ], 
"ec2-security-group-whitelists-unknown-cidrs.json": [ { "enabled": false, "level": "danger" } ], "ec2-unused-security-group.json": [ { "enabled": true, "level": "warning" } ], "elb-listener-allowing-cleartext.json": [ { "enabled": true, "level": "danger" } ], "elb-no-access-logs.json": [ { "enabled": true, "level": "warning" } ], "elb-older-ssl-policy.json": [ { "enabled": true, "level": "danger" } ], "elbv2-http-request-smuggling.json": [ { "enabled": true, "level": "danger" } ], "elbv2-listener-allowing-cleartext.json": [ { "enabled": true, "level": "danger" } ], "elbv2-no-access-logs.json": [ { "enabled": true, "level": "warning" } ], "elbv2-no-deletion-protection.json": [ { "enabled": true, "level": "warning" } ], "elbv2-older-ssl-policy.json": [ { "enabled": true, "level": "warning" } ], "iam-assume-role-lacks-external-id-and-mfa.json": [ { "enabled": true, "level": "danger" } ], "iam-assume-role-no-mfa.json": [ { "enabled": true, "level": "danger" } ], "iam-assume-role-policy-allows-all.json": [ { "enabled": true, "level": "danger" } ], "iam-ec2-role-without-instances.json": [ { "enabled": true, "level": "warning" } ], "iam-group-with-inline-policies.json": [ { "enabled": true, "level": "warning" } ], "iam-group-with-no-users.json": [ { "enabled": true, "level": "warning" } ], "iam-human-user-with-policies.json": [ { "args": [ "_LIST_(AllHumanUsers)", "managed", "policies" ], "enabled": false, "level": "danger" } ], "iam-inline-policy-allows-NotActions.json": [ { "args": [ "group" ], "enabled": true, "level": "danger" }, { "args": [ "role" ], "enabled": true, "level": "danger" }, { "args": [ "user" ], "enabled": true, "level": "danger" } ], "iam-inline-policy-allows-non-sts-action.json": [ { "args": [ "group" ], "enabled": true, "level": "danger" }, { "args": [ "role" ], "enabled": true, "level": "danger" }, { "args": [ "user" ], "enabled": true, "level": "danger" } ], "iam-inline-policy-for-role.json": [ { "args": [ "group", "iam", "PassRole" ], "enabled": 
true, "level": "danger" }, { "args": [ "group", "sts", "AssumeRole" ], "enabled": true, "level": "danger" }, { "args": [ "role", "iam", "PassRole" ], "enabled": true, "level": "danger" }, { "args": [ "role", "sts", "AssumeRole" ], "enabled": true, "level": "danger" }, { "args": [ "user", "iam", "PassRole" ], "enabled": true, "level": "danger" }, { "args": [ "user", "sts", "AssumeRole" ], "enabled": true, "level": "danger" } ], "iam-lightspin-user-action-denied-for-group.json": [ { "enabled": true, "level": "danger" } ], "iam-managed-policy-allows-NotActions.json": [ { "enabled": true, "level": "danger" } ], "iam-managed-policy-allows-full-privileges.json": [ { "enabled": true, "level": "danger" } ], "iam-managed-policy-allows-non-sts-action.json": [ { "enabled": true, "level": "danger" } ], "iam-managed-policy-for-role.json": [ { "args": [ "iam", "PassRole" ], "enabled": true, "level": "danger" }, { "args": [ "sts", "AssumeRole" ], "enabled": true, "level": "danger" } ], "iam-managed-policy-no-attachments.json": [ { "enabled": true, "level": "warning" } ], "iam-no-support-role.json": [ { "enabled": true, "level": "danger" } ], "iam-password-policy-expiration-threshold.json": [ { "args": [ "90" ], "enabled": true, "level": "danger" } ], "iam-password-policy-minimum-length.json": [ { "args": [ "14" ], "enabled": true, "level": "danger" } ], "iam-password-policy-no-expiration.json": [ { "enabled": true, "level": "danger" } ], "iam-password-policy-no-lowercase-required.json": [ { "enabled": true, "level": "danger" } ], "iam-password-policy-no-number-required.json": [ { "enabled": true, "level": "danger" } ], "iam-password-policy-no-symbol-required.json": [ { "enabled": true, "level": "danger" } ], "iam-password-policy-no-uppercase-required.json": [ { "enabled": true, "level": "danger" } ], "iam-password-policy-reuse-enabled.json": [ { "enabled": true, "level": "danger" } ], "iam-role-with-inline-policies.json": [ { "enabled": true, "level": "warning" } ], 
"iam-root-account-no-hardware-mfa.json": [ { "enabled": true, "level": "danger" } ], "iam-root-account-no-mfa.json": [ { "enabled": true, "level": "danger" } ], "iam-root-account-used-recently.json": [ { "enabled": true, "level": "danger" } ], "iam-root-account-with-active-certs.json": [ { "enabled": true, "level": "danger" } ], "iam-root-account-with-active-keys.json": [ { "enabled": true, "level": "danger" } ], "iam-service-user-with-password.json": [ { "args": [ "_LIST_(AllHeadlessUsers)" ], "enabled": false, "level": "warning" } ], "iam-unused-credentials-not-disabled.json": [ { "args": [ "90" ], "enabled": true, "level": "danger" } ], "iam-user-no-key-rotation.json": [ { "args": [ "Active", "90" ], "enabled": true, "level": "danger" }, { "args": [ "Inactive", "90" ], "enabled": true, "level": "warning" } ], "iam-user-not-in-category-group.json": [ { "args": [ "_LIST_(AllHumanUsers, AllHeadlessUsers)" ], "enabled": false, "level": "danger" } ], "iam-user-not-in-common-group.json": [ { "args": [ "_LIST_(AllUsers)" ], "enabled": false, "level": "danger" } ], "iam-user-unused-access-key-initial-setup.json": [ { "enabled": true, "level": "warning" } ], "iam-user-with-multiple-access-keys.json": [ { "enabled": true, "level": "warning" } ], "iam-user-with-password-and-key.json": [ { "enabled": true, "level": "warning" } ], "iam-user-with-policies.json": [ { "args": [ "inline", "inline_policies" ], "enabled": true, "level": "warning" }, { "args": [ "managed", "policies" ], "enabled": true, "level": "danger" } ], "iam-user-without-mfa.json": [ { "enabled": true, "level": "danger" } ], "kms-cmk-rotation-disabled.json": [ { "enabled": true, "level": "warning" } ], "logs-no-alarm-aws-configuration-changes.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-cloudtrail-configuration-changes.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-cmk-deletion.json": [ { "enabled": true, "level": "danger" } ], 
"logs-no-alarm-console-authentication-failures.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-iam-policy-changes.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-nacl-changes.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-network-gateways-changes.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-root-usage.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-route-table-changes.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-s3-policy-changes.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-security-group-changes.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-signin-without-mfa.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-unauthorized-api-calls.json": [ { "enabled": true, "level": "danger" } ], "logs-no-alarm-vpc-changes.json": [ { "enabled": true, "level": "danger" } ], "rds-instance-backup-disabled.json": [ { "enabled": true, "level": "danger" } ], "rds-instance-ca-certificate-deprecated.json": [ { "enabled": true, "level": "warning" } ], "rds-instance-no-minor-upgrade.json": [ { "enabled": true, "level": "danger" } ], "rds-instance-publicly-accessible.json": [ { "enabled": true, "level": "danger" } ], "rds-instance-short-backup-retention-period.json": [ { "enabled": true, "level": "warning" } ], "rds-instance-single-az.json": [ { "enabled": true, "level": "danger" } ], "rds-instance-storage-not-encrypted.json": [ { "enabled": true, "level": "warning" } ], "rds-postgres-instance-with-invalid-certificate.json": [ { "enabled": true, "level": "warning" } ], "rds-security-group-allows-all.json": [ { "enabled": true, "level": "danger" } ], "rds-snapshot-public.json": [ { "enabled": true, "level": "danger" } ], "redshift-cluster-database-not-encrypted.json": [ { "enabled": true, "level": "warning" } ], "redshift-cluster-no-version-upgrade.json": [ { "enabled": true, "level": "danger" } ], 
"redshift-cluster-publicly-accessible.json": [ { "enabled": true, "level": "warning" } ], "redshift-parameter-group-logging-disabled.json": [ { "enabled": true, "level": "warning" } ], "redshift-parameter-group-ssl-not-required.json": [ { "enabled": true, "level": "danger" } ], "redshift-security-group-whitelists-all.json": [ { "enabled": true, "level": "danger" } ], "route53-domain-no-autorenew.json": [ { "enabled": true, "level": "danger" } ], "route53-domain-no-transferlock.json": [ { "enabled": true, "level": "danger" } ], "route53-domain-transferlock-not-authorized.json": [ { "enabled": true, "level": "danger" } ], "s3-bucket-allowing-cleartext.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-no-default-encryption.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-no-logging.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-no-mfa-delete.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-no-versioning.json": [ { "enabled": true, "level": "warning" } ], "s3-bucket-world-acl.json": [ { "args": [ "AllUsers", "read", "Bucket world-listable (anonymous)", "warning" ], "enabled": true, "level": "warning" }, { "args": [ "AllUsers", "read_acp", "Bucket's permissions world-readable (anonymous)", "warning" ], "enabled": true, "level": "warning" }, { "args": [ "AllUsers", "write", "Bucket world-writable (anonymous)", "danger" ], "enabled": true, "level": "danger" }, { "args": [ "AllUsers", "write_acp", "Bucket's permissions world-writable (anonymous)", "danger" ], "enabled": true, "level": "danger" }, { "args": [ "AuthenticatedUsers", "read", "Bucket world-listable", "danger" ], "enabled": true, "level": "danger" }, { "args": [ "AuthenticatedUsers", "read_acp", "Bucket's permissions world-readable", "warning" ], "enabled": true, "level": "warning" }, { "args": [ "AuthenticatedUsers", "write", "Bucket world-writable", "danger" ], "enabled": true, "level": "danger" }, { "args": [ "AuthenticatedUsers", "write_acp", "Bucket's 
permissions world-writable", "danger" ], "enabled": true, "level": "danger" } ], "s3-bucket-world-policy-arg.json": [ { "args": [ "Delete", "s3:Delete*" ], "enabled": true, "level": "danger" }, { "args": [ "Get", "s3:Get*" ], "enabled": true, "level": "danger" }, { "args": [ "List", "s3:List*" ], "enabled": true, "level": "danger" }, { "args": [ "Put", "s3:Put*" ], "enabled": true, "level": "danger" } ], "s3-bucket-world-policy-star.json": [ { "enabled": true, "level": "danger" } ], "ses-identity-dkim-not-enabled.json": [ { "enabled": true, "level": "warning" } ], "ses-identity-dkim-not-verified.json": [ { "enabled": true, "level": "warning" } ], "ses-identity-world-policy.json": [ { "args": [ "SendEmail" ], "enabled": true, "level": "danger" }, { "args": [ "SendRawEmail" ], "enabled": true, "level": "danger" } ], "sns-topic-world-policy.json": [ { "args": [ "Publish" ], "enabled": true, "level": "danger" }, { "args": [ "Subscribe" ], "enabled": true, "level": "danger" }, { "args": [ "AddPermission" ], "enabled": true, "level": "danger" }, { "args": [ "RemovePermission" ], "enabled": true, "level": "danger" }, { "args": [ "GetTopicAttributes" ], "enabled": true, "level": "danger" }, { "args": [ "SetTopicAttributes" ], "enabled": true, "level": "danger" }, { "args": [ "ListSubscriptionsByTopic" ], "enabled": true, "level": "danger" }, { "args": [ "DeleteTopic" ], "enabled": true, "level": "danger" } ], "sqs-queue-server-side-encryption-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqs-queue-world-policy.json": [ { "args": [ "SendMessage" ], "enabled": true, "level": "danger" }, { "args": [ "ReceiveMessage" ], "enabled": true, "level": "danger" }, { "args": [ "PurgeQueue" ], "enabled": true, "level": "danger" }, { "args": [ "DeleteMessage" ], "enabled": true, "level": "danger" }, { "args": [ "ChangeMessageVisibility" ], "enabled": true, "level": "danger" }, { "args": [ "GetQueueAttributes" ], "enabled": true, "level": "warning" }, { "args": [ 
"GetQueueUrl" ], "enabled": true, "level": "warning" } ], "vpc-custom-network-acls-allow-all.json": [ { "args": [ "ingress", "source" ], "enabled": true, "level": "warning" }, { "args": [ "egress", "destination" ], "enabled": true, "level": "warning" } ], "vpc-default-network-acls-allow-all.json": [ { "args": [ "ingress", "source" ], "enabled": true, "level": "warning" }, { "args": [ "egress", "destination" ], "enabled": true, "level": "warning" } ], "vpc-network-acl-not-used.json": [ { "enabled": true, "level": "warning" } ], "vpc-routing-tables-with-peering.json": [ { "enabled": true, "level": "warning" } ], "vpc-subnet-with-bad-acls.json": [ { "args": [ "ingress", "source" ], "enabled": true, "level": "warning" }, { "args": [ "egress", "destination" ], "enabled": true, "level": "warning" } ], "vpc-subnet-with-default-acls.json": [ { "args": [ "ingress", "source" ], "enabled": true, "level": "warning" }, { "args": [ "egress", "destination" ], "enabled": true, "level": "warning" } ], "vpc-subnet-without-flow-log.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/aws/rules/rulesets/filters.json ================================================ { "about": "Default set of filters for Scout", "rules": { "ec2-instance-with-open-nacls.json": [ { "enabled": true } ], "ec2-security-group-with-public-cidr-grant.json": [ { "enabled": true } ], "iam-role-for-aws-account.json": [ { "args": [ "same", "isSameAccount" ], "enabled": true }, { "args": [ "cross", "isCrossAccount" ], "enabled": true } ], "iam-role-for-service.json": [ { "args": [ "EC2", "ec2.amazonaws.com" ], "enabled": true }, { "args": [ "Lambda", "lambda.amazonaws.com" ], "enabled": true } ], "s3-bucket-website-enabled.json": [ { "enabled": true } ] } } ================================================ FILE: ScoutSuite/providers/aws/services.py ================================================ from ScoutSuite.providers.aws.facade.base 
import AWSFacade from ScoutSuite.providers.aws.resources.acm.base import Certificates from ScoutSuite.providers.aws.resources.awslambda.base import Lambdas from ScoutSuite.providers.aws.resources.cloudformation.base import CloudFormation from ScoutSuite.providers.aws.resources.cloudtrail.base import CloudTrail from ScoutSuite.providers.aws.resources.cloudwatch.base import CloudWatch from ScoutSuite.providers.aws.resources.cloudfront.base import CloudFront from ScoutSuite.providers.aws.resources.codebuild.base import CodeBuild from ScoutSuite.providers.aws.resources.config.base import Config from ScoutSuite.providers.aws.resources.directconnect.base import DirectConnect from ScoutSuite.providers.aws.resources.dynamodb.base import DynamoDB from ScoutSuite.providers.aws.resources.ec2.base import EC2 from ScoutSuite.providers.aws.resources.efs.base import EFS from ScoutSuite.providers.aws.resources.elasticache.base import ElastiCache from ScoutSuite.providers.aws.resources.elb.base import ELB from ScoutSuite.providers.aws.resources.elbv2.base import ELBv2 from ScoutSuite.providers.aws.resources.emr.base import EMR from ScoutSuite.providers.aws.resources.iam.base import IAM from ScoutSuite.providers.aws.resources.kms.base import KMS from ScoutSuite.providers.aws.resources.rds.base import RDS from ScoutSuite.providers.aws.resources.redshift.base import Redshift from ScoutSuite.providers.aws.resources.route53.base import Route53 from ScoutSuite.providers.aws.resources.s3.base import S3 from ScoutSuite.providers.aws.resources.ses.base import SES from ScoutSuite.providers.aws.resources.sns.base import SNS from ScoutSuite.providers.aws.resources.sqs.base import SQS from ScoutSuite.providers.aws.resources.vpc.base import VPC from ScoutSuite.providers.aws.resources.secretsmanager.base import SecretsManager from ScoutSuite.providers.base.services import BaseServicesConfig # Try to import proprietary services try: from ScoutSuite.providers.aws.resources.private_cognito.base 
import Cognito except ImportError: pass try: from ScoutSuite.providers.aws.resources.private_docdb.base import DocDB except ImportError: pass try: from ScoutSuite.providers.aws.resources.private_ecr.base import ECR except ImportError: pass try: from ScoutSuite.providers.aws.resources.private_ecs.base import ECS except ImportError: pass try: from ScoutSuite.providers.aws.resources.private_eks.base import EKS except ImportError: pass try: from ScoutSuite.providers.aws.resources.private_guardduty.base import GuardDuty except ImportError: pass try: from ScoutSuite.providers.aws.resources.private_ssm.base import SSM except ImportError: pass class AWSServicesConfig(BaseServicesConfig): """ Object that holds the necessary AWS configuration for all services in scope. :ivar cloudtrail: CloudTrail configuration :ivar cloudwatch: CloudWatch configuration: :ivar cloudfront: CloudFront configuration :ivar config: Config configuration :ivar dynamodb: DynamoDB configuration :ivar ec2: EC2 configuration :ivar ecs: ECS configuration :ivar ecr: ECR configuration :ivar eks: EKS configuration :ivar guarduty: GuardDuty configuration :ivar iam: IAM configuration :ivar kms: KMS configuration :ivar rds: RDS configuration :ivar redshift: Redshift configuration :ivar s3: S3 configuration :ivar ses: SES configuration: :ivar sns: SNS configuration :ivar sqs: SQS configuration """ def __init__(self, credentials=None, **kwargs): super().__init__(credentials) facade = AWSFacade(credentials) self.acm = Certificates(facade) self.awslambda = Lambdas(facade) self.cloudformation = CloudFormation(facade) self.cloudtrail = CloudTrail(facade) self.cloudwatch = CloudWatch(facade) self.cloudfront = CloudFront(facade) self.codebuild = CodeBuild(facade) self.config = Config(facade) self.directconnect = DirectConnect(facade) self.dynamodb = DynamoDB(facade) self.ec2 = EC2(facade) self.efs = EFS(facade) self.elasticache = ElastiCache(facade) self.elb = ELB(facade) self.elbv2 = ELBv2(facade) self.emr = 
EMR(facade) self.iam = IAM(facade) self.kms = KMS(facade) self.rds = RDS(facade) self.redshift = Redshift(facade) self.route53 = Route53(facade) self.s3 = S3(facade) self.ses = SES(facade) self.sns = SNS(facade) self.sqs = SQS(facade) self.vpc = VPC(facade) self.secretsmanager = SecretsManager(facade) # Instantiate proprietary services try: self.cognito = Cognito(facade) except NameError as _: pass try: self.docdb = DocDB(facade) except NameError as _: pass try: self.ecr = ECR(facade) except NameError as _: pass try: self.ecs = ECS(facade) except NameError as _: pass try: self.eks = EKS(facade) except NameError as _: pass try: self.guardduty = GuardDuty(facade) except NameError as _: pass try: self.ssm = SSM(facade) except NameError as _: pass def _is_provider(self, provider_name): return provider_name == 'aws' ================================================ FILE: ScoutSuite/providers/aws/utils.py ================================================ import re from ScoutSuite.core.console import print_exception ec2_classic = "EC2-Classic" def get_caller_identity(session): sts_client = session.client("sts") identity = sts_client.get_caller_identity() return identity def get_aws_account_id(session): caller_identity = get_caller_identity(session) account_id = caller_identity["Arn"].split(":")[4] return account_id def get_partition_name(session): caller_identity = get_caller_identity(session) partition_name = caller_identity["Arn"].split(":")[1] return partition_name def is_throttled(exception): """ Determines whether the exception is due to API throttling. 
:param exception: Exception raised :return: True if it's a throttling exception else False """ # taken from botocore.retries.standard.ThrottledRetryableChecker throttled_errors = [ 'Throttling', 'ThrottlingException', 'ThrottledException', 'RequestThrottledException', 'TooManyRequestsException', 'ProvisionedThroughputExceededException', 'TransactionInProgressException', 'RequestLimitExceeded', 'BandwidthLimitExceeded', 'LimitExceededException', 'RequestThrottled', 'SlowDown', 'PriorRequestNotComplete', 'EC2ThrottledException', ] try: throttled = (hasattr(exception, "response") and exception.response and "Error" in exception.response and exception.response["Error"]["Code"] in throttled_errors) \ or \ any(error in str(exception) for error in throttled_errors) return throttled except Exception as e: print_exception(f'Unable to validate exception {exception} for AWS throttling: {e}') return False def get_keys(src, dst, keys): """ Copies the value of keys from source object to dest object :param src: Source object :param dst: Destination object :param keys: Keys :return: """ for key in keys: dst[key] = src[key] if key in src else None def get_name(src, dst, default_attribute): """ :param src: Source object :param dst: Destination object :param default_attribute: Default attribute :return: """ name_found = False if "Tags" in src: for tag in src["Tags"]: if tag["Key"] == "Name" and tag["Value"] != "": dst["name"] = tag["Value"] name_found = True if not name_found: dst["name"] = src[default_attribute] return dst["name"] def no_camel(name): """ Converts CamelCase to camel_case :param name: Name string to convert :return: """ s1 = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", name) return re.sub("([a-z0-9])([A-Z])", r"\1_\2", s1).lower() def snake_keys(d): """ Converts a dictionary with CamelCase keys to camel_case :param name: d Dictionary to iterate over :return: """ new_table = {} if isinstance(d, dict): for k in d.keys(): new_key = no_camel(k) if isinstance(d[k], dict): 
new_table[new_key] = snake_keys(d[k]) elif isinstance(d[k], list): new_ary = [] for v in d[k]: if isinstance(v, dict): new_ary.append(snake_keys(v)) else: new_ary.append(v) new_table[new_key] = new_ary else: new_table[new_key] = d[k] return new_table def format_arn(partition, service, region, account_id, resource_id, resource_type=None): """ Formats a resource ARN based on the parameters :param partition: The partition where the resource is located :param service: The service namespace that identified the AWS product :param region: The corresponding region :param account_id: The ID of the AWS account that owns the resource :param resource_id: The resource identified :param resource_type: (Optional) The resource type :return: Resource ARN """ try: # If a resource type is specified if resource_type is not None: arn = f"arn:{partition}:{service}:{region}:{account_id}:{resource_type}/{resource_id}" else: arn = f"arn:{partition}:{service}:{region}:{account_id}:{resource_id}" except Exception as e: print_exception(f'Failed to parse a resource ARN: {e}') return None return arn ================================================ FILE: ScoutSuite/providers/azure/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/azure/authentication_strategy.py ================================================ import json import logging from getpass import getpass import requests from ScoutSuite.core.console import print_exception from azure.identity import UsernamePasswordCredential, AzureCliCredential, ClientSecretCredential, \ ManagedIdentityCredential, DeviceCodeCredential from ScoutSuite.providers.base.authentication_strategy import AuthenticationStrategy, AuthenticationException AUTHORITY_HOST_URI = 'https://login.microsoftonline.com/' AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46" class AzureCredentials: def __init__(self, identity_credentials, tenant_id=None, default_subscription_id=None, 
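context=None): self.identity_credentials = identity_credentials # Azure Resource Manager API credentials self.tenant_id = tenant_id self.default_subscription_id = default_subscription_id self.context = context

    def get_tenant_id(self):
        """
        Returns the tenant ID associated with these credentials.

        The explicitly configured tenant ID wins. Otherwise a non-empty ``tenant_id`` attribute of the
        identity credential is used, and as a last resort the tenant is inferred by listing tenants
        through the Azure Resource Manager API.

        :return: Tenant ID, or None if it could not be determined
        """
        if self.tenant_id:
            return self.tenant_id

        # hasattr() tests for an attribute, so the value has to be read as an attribute too. The previous
        # subscript (identity_credentials['tenant_id']) sat outside the try block, so for any credential
        # object without __getitem__ it raised instead of returning a tenant ID.
        credential_tenant_id = getattr(self.identity_credentials, 'tenant_id', None)
        if credential_tenant_id:
            return credential_tenant_id

        # Additional request for CLI & MSI authentication
        try:
            access_token = self.identity_credentials.get_token("https://management.core.windows.net/.default")
            h = {'Authorization': f'Bearer {access_token.token}'}
            # The bearer token is only sent to this fixed HTTPS endpoint. requests applies no timeout by
            # default, so one is set here to keep a stalled connection from blocking the scan.
            r = requests.get('https://management.azure.com/tenants?api-version=2020-01-01',
                             headers=h,
                             timeout=30)
            # Report an HTTP error as such rather than as a failed lookup in the error body
            r.raise_for_status()
            tenants = r.json().get('value') or []
            if not tenants:
                raise ValueError('no tenant returned for the provided credentials')
            # NOTE(review): only the first tenant of the response is used. If the identity can see several
            # tenants this is a guess - pass tenant_id explicitly to make the scan scope unambiguous.
            return tenants[0].get('tenantId')
        except Exception as e:
            print_exception(f'Unable to infer tenant ID: {e}')
            return None

    def get_credentials(self):
        """
        Returns the identity credential object wrapped by this instance.

        :return: The object passed as identity_credentials to the constructor
        """
        return self.identity_credentials

class AzureAuthenticationStrategy(AuthenticationStrategy): def authenticate(self, cli=None, user_account=None, user_account_browser=None, service_principal=None, file_auth=None, msi=None, tenant_id=None, subscription_id=None, client_id=None, client_secret=None, username=None, password=None, programmatic_execution=False, **kargs): """ Implements authentication for the Azure provider """ try: # Set logging level to error for libraries as otherwise generates a lot of warnings logging.getLogger('azure.identity').setLevel(logging.ERROR) logging.getLogger('azure.core.pipeline').setLevel(logging.ERROR) context = None if cli: identity_credentials = AzureCliCredential() elif user_account: if not (username and password): if not programmatic_execution: username = username if username else input("Username: ") password = password if password else getpass("Password: ") else: raise AuthenticationException('Username or password not set') identity_credentials = UsernamePasswordCredential(AZURE_CLI_CLIENT_ID, username, password, authority=AUTHORITY_HOST_URI, tenant_id=tenant_id) elif user_account_browser: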
identity_credentials = DeviceCodeCredential(authority=AUTHORITY_HOST_URI,tenant_id=tenant_id,client_id=AZURE_CLI_CLIENT_ID) elif service_principal: if not tenant_id: if not programmatic_execution: tenant_id = input("Tenant ID: ") else: raise AuthenticationException('No Tenant ID set') if not client_id: if not programmatic_execution: client_id = input("Client ID: ") else: raise AuthenticationException('No Client ID set') if not client_secret: if not programmatic_execution: client_secret = getpass("Client secret: ") else: raise AuthenticationException('No Client Secret set') identity_credentials = ClientSecretCredential( client_id=client_id, client_secret=client_secret, tenant_id=tenant_id ) elif file_auth: data = json.loads(file_auth.read()) tenant_id = data.get('tenantId') client_id = data.get('clientId') client_secret = data.get('clientSecret') identity_credentials = ClientSecretCredential( client_id=client_id, client_secret=client_secret, tenant_id=tenant_id ) elif msi: identity_credentials = ManagedIdentityCredential() else: raise AuthenticationException('Unknown authentication method') # Getting token to authenticate and detect AuthenticationException identity_credentials.get_token("https://management.core.windows.net/.default") return AzureCredentials( identity_credentials, tenant_id, subscription_id, context) except Exception as e: if 'Authentication failed: Unable to find wstrust endpoint from MEX. This typically happens when ' \ 'attempting MSA accounts. More details available here. ' \ 'https://github.com/AzureAD/microsoft-authentication-library-for-python/' \ 'wiki/Username-Password-Authentication' in e.args: raise AuthenticationException( 'You are likely authenticating with a Microsoft Account. 
' 'This authentication mode only support Azure Active Directory principal authentication.') raise AuthenticationException(e) ================================================ FILE: ScoutSuite/providers/azure/facade/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/azure/facade/aad.py ================================================ from msgraph.core import GraphClient from ScoutSuite.core.console import print_exception class AADFacade: def __init__(self, credentials): self.credentials = credentials async def _get_microsoft_graph_response(self, api_resource, api_version='v1.0'): scopes = ['https://graph.microsoft.com/.default'] client = GraphClient(credential=self.credentials.get_credentials(), scopes=scopes) endpoint = 'https://graph.microsoft.com/{}/{}'.format(api_version, api_resource) try: response = client.get(endpoint) if response.status_code == 200: return response.json() # If response is 404 then it means there is no resource associated with the provided id elif response.status_code == 404: return {} else: print_exception('Failed to query Microsoft Graph endpoint \"{}\": status code {}'. 
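format(api_resource, response.status_code)) return {} except Exception as e: print_exception('Failed to query Microsoft Graph endpoint \"{}\": {}'.format(api_resource, e)) return {}

    @staticmethod
    def _odata_string_literal(value):
        """
        Renders a value as a URL-encoded OData string literal, quotes included.

        :param value: Value to embed in a $filter expression
        :return: Percent-encoded literal, e.g. %27abc%27 for abc
        """
        from urllib.parse import quote

        # OData escapes a single quote inside a string literal by doubling it. Percent-encoding the whole
        # literal afterwards keeps characters such as '&', '#', '+' or a space from being read as
        # query-string syntax, so the value can only ever be compared against, never extend the filter.
        literal = "'{}'".format(str(value).replace("'", "''"))
        return quote(literal, safe='')

    async def get_users(self):
        """
        Retrieves the guest users of the directory from the beta Microsoft Graph endpoint.

        :return: The 'value' list of the response, the falsy response itself when nothing came back,
                 or [] if an exception was raised
        """
        try:
            # This filters down the users which are pulled from the directory, otherwise for large tenants this
            # becomes out of hands
            # See https://github.com/nccgroup/ScoutSuite/issues/698
            user_filter = '?$filter=userType+eq+%27Guest%27'
            users_response_beta = await self._get_microsoft_graph_response('users'+ user_filter, 'beta')
            if users_response_beta:
                users = users_response_beta.get('value')
                return users
            return users_response_beta
        except Exception as e:
            print_exception(f'Failed to retrieve users: {e}')
            return []

    async def get_user(self, user_id):
        """
        Retrieves a single user by object ID from the beta Microsoft Graph endpoint.

        :param user_id: ID of the user to look up
        :return: The first matching user, the falsy response itself when nothing came back,
                 or None if no user matched or an exception was raised
        """
        try:
            # user_id ends up inside the $filter expression of the request URL, so it is escaped
            # rather than interpolated verbatim. For a plain GUID the resulting URL is unchanged.
            user_filter = '?$filter=id+eq+' + self._odata_string_literal(user_id)
            user_response_beta = await self._get_microsoft_graph_response('users'+user_filter, 'beta')
            if not user_response_beta:
                return user_response_beta
            users = user_response_beta.get('value')
            # An empty result means "no such user"; indexing it would raise and be reported as a failure
            return users[0] if users else None
        except Exception as e:
            print_exception(f'Failed to retrieve user {user_id}: {e}')
            return None

    async def get_groups(self):
        """
        Retrieves the groups of the directory from the Microsoft Graph endpoint.

        :return: The 'value' list of the response, the falsy response itself when nothing came back,
                 or [] if an exception was raised
        """
        try:
            groups_response = await self._get_microsoft_graph_response('groups')
            if groups_response:
                groups = groups_response.get('value')
                return groups
            return groups_response
        except Exception as e:
            print_exception(f'Failed to retrieve groups: {e}')
            return []

    async def get_user_groups(self, group_id):
        """
        Retrieves the groups whose ID equals the given group ID.

        :param group_id: ID of the group to look up
        :return: The 'value' list of the response, the falsy response itself when nothing came back,
                 or [] if an exception was raised
        """
        try:
            # Same escaping as in get_user: the ID is a filter operand, never filter syntax
            group_filter = '?$filter=id+eq+' + self._odata_string_literal(group_id)
            user_groups_response = await self._get_microsoft_graph_response('groups' + group_filter)
            if user_groups_response:
                groups = user_groups_response.get('value')
                return groups
            return user_groups_response
        except Exception as e:
            print_exception(f'Failed to retrieve user\'s groups: {e}')
            return []

    async def get_service_principals(self): try: # Need publisher name value for serviceprincipals.py.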
v1.0 does not have that value, thus we use beta service_principals_response_beta = await self._get_microsoft_graph_response('servicePrincipals', 'beta') if service_principals_response_beta: service_principals = service_principals_response_beta.get('value') return service_principals return service_principals_response_beta except Exception as e: print_exception(f'Failed to retrieve service principals: {e}') return [] async def get_applications(self): try: applications_response = await self._get_microsoft_graph_response('applications') if applications_response: applications = applications_response.get('value') return applications return applications_response except Exception as e: print_exception(f'Failed to retrieve applications: {e}') return [] async def get_policies(self): try: policies_response = await self._get_microsoft_graph_response('policies/authorizationPolicy') return policies_response except Exception as e: print_exception(f'Failed to retrieve policies: {e}') return [] ================================================ FILE: ScoutSuite/providers/azure/facade/appservice.py ================================================ from azure.mgmt.web import WebSiteManagementClient from ScoutSuite.core.console import print_exception from ScoutSuite.providers.azure.utils import get_resource_group_name from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently from ScoutSuite.utils import get_user_agent class AppServiceFacade: def __init__(self, credentials): self.credentials = credentials def get_client(self, subscription_id: str): client = WebSiteManagementClient(self.credentials.get_credentials(), subscription_id=subscription_id, user_agent=get_user_agent()) return client async def get_web_apps(self, subscription_id: str): try: client = self.get_client(subscription_id) web_apps = await run_concurrently( lambda: list(client.web_apps.list()) ) except Exception as e: print_exception(f'Failed to retrieve web apps: {e}') return [] else: await 
get_and_set_concurrently([self._get_and_set_web_app_configuration], web_apps, api_client=client) await get_and_set_concurrently([self._get_and_set_web_app_auth_settings], web_apps, api_client=client) return web_apps async def _get_and_set_web_app_configuration(self, web_app, api_client): resource_group_name = get_resource_group_name(web_app.id) try: web_app_config = await run_concurrently( lambda: api_client.web_apps.get_configuration(resource_group_name, web_app.name) ) except Exception as e: print_exception(f'Failed to retrieve web app configuration: {e}') setattr(web_app, 'config', None) else: setattr(web_app, 'config', web_app_config) async def _get_and_set_web_app_auth_settings(self, web_app, api_client): resource_group_name = get_resource_group_name(web_app.id) try: web_app_auth_settings = await run_concurrently( lambda: api_client.web_apps.get_auth_settings(resource_group_name=resource_group_name, name=web_app.name) ) except Exception as e: print_exception(f'Failed to retrieve web app auth settings: {e}') setattr(web_app, 'auth_settings', None) else: setattr(web_app, 'auth_settings', web_app_auth_settings) ================================================ FILE: ScoutSuite/providers/azure/facade/base.py ================================================ from ScoutSuite.providers.azure.authentication_strategy import AzureCredentials from ScoutSuite.providers.azure.facade.aad import AADFacade from ScoutSuite.providers.azure.facade.rbac import RBACFacade from ScoutSuite.providers.azure.facade.keyvault import KeyVaultFacade from ScoutSuite.providers.azure.facade.network import NetworkFacade from ScoutSuite.providers.azure.facade.resourcemanagement import ResourceManagementFacade from ScoutSuite.providers.azure.facade.securitycenter import SecurityCenterFacade from ScoutSuite.providers.azure.facade.sqldatabase import SQLDatabaseFacade from ScoutSuite.providers.azure.facade.storageaccounts import StorageAccountsFacade from 
ScoutSuite.providers.azure.facade.virtualmachines import VirtualMachineFacade from ScoutSuite.providers.azure.facade.appservice import AppServiceFacade from ScoutSuite.providers.azure.facade.mysqldatabase import MySQLDatabaseFacade from ScoutSuite.providers.azure.facade.postgresqldatabse import PostgreSQLDatabaseFacade from ScoutSuite.providers.azure.facade.loggingmonitoring import LoggingMonitoringFacade from azure.mgmt.resource import SubscriptionClient from ScoutSuite.providers.base.authentication_strategy import AuthenticationException from ScoutSuite.utils import get_user_agent from ScoutSuite.core.console import print_info, print_exception # Try to import proprietary services try: from ScoutSuite.providers.azure.facade.appgateway_private import AppGatewayFacade except ImportError: pass try: from ScoutSuite.providers.azure.facade.loadbalancer_private import LoadBalancerFacade except ImportError: pass try: from ScoutSuite.providers.azure.facade.rediscache_private import RedisCacheFacade except ImportError: pass class AzureFacade: def __init__(self, credentials: AzureCredentials, subscription_ids=[], all_subscriptions=False, programmatic_execution=False): self.credentials = credentials self.programmatic_execution = programmatic_execution self.subscription_list = [] self.subscription_ids = subscription_ids self.all_subscriptions = all_subscriptions self.aad = AADFacade(credentials) self.rbac = RBACFacade(credentials) self.keyvault = KeyVaultFacade(credentials) self.virtualmachines = VirtualMachineFacade(credentials) self.network = NetworkFacade(credentials) self.securitycenter = SecurityCenterFacade(credentials) self.sqldatabase = SQLDatabaseFacade(credentials) self.storageaccounts = StorageAccountsFacade(credentials) self.appservice = AppServiceFacade(credentials) self.mysqldatabase = MySQLDatabaseFacade(credentials) self.postgresqldatabase = PostgreSQLDatabaseFacade(credentials) self.loggingmonitoring = LoggingMonitoringFacade(credentials) 
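self.resourcemanagement = ResourceManagementFacade(credentials) # Instantiate facades for proprietary services try: self.appgateway = AppGatewayFacade(credentials) except NameError: pass try: self.loadbalancer = LoadBalancerFacade(credentials) except NameError: pass try: self.rediscache = RedisCacheFacade(credentials) except NameError: pass self._set_subscriptions()

    async def get_subscriptions(self):
        """
        Returns the subscriptions in scope, resolving them first if that has not happened yet.

        :return: List of subscription objects
        """
        if not self.subscription_list:
            self._set_subscriptions()
        # Previously nothing was returned after a fresh resolution, so the caller received None
        return self.subscription_list

    def _set_subscriptions(self):
        """
        Resolves the subscriptions to scan and stores them in self.subscription_list.

        Depending on the options, the scope is a single inferred subscription, every accessible
        subscription, or the requested subscription IDs. Every entry of the resulting list is taken
        from the subscriptions the credentials can actually list.

        :raises AuthenticationException: If no subscription is accessible, a requested or entered
                                         subscription is not accessible, or none could be inferred
        """
        # Create the client
        subscription_client = SubscriptionClient(self.credentials.get_credentials(), user_agent=get_user_agent())

        # Get all the accessible subscriptions
        accessible_subscriptions_list = list(subscription_client.subscriptions.list())

        if not accessible_subscriptions_list:
            raise AuthenticationException('The provided credentials do not have access to any subscriptions')

        # Final list, start empty
        subscriptions_list = []

        # No subscription provided, infer
        if not (self.subscription_ids or self.all_subscriptions):
            try:
                # Tries to read the subscription list
                print_info('No subscription set, inferring')
                s = next(subscription_client.subscriptions.list())
            except StopIteration:
                print_info('Unable to infer a subscription')
                # If the user cannot read subscription list, ask Subscription ID:
                if self.programmatic_execution:
                    print_exception('Unable to infer a Subscription ID')
                    # The old "finally" appended an unbound name here; fail with the provider's own
                    # exception type instead
                    raise AuthenticationException('Unable to infer a Subscription ID')
                entered_id = input('Subscription ID: ').strip()
                # The rest of this method reads .subscription_id from each entry, so the typed ID is
                # resolved against the accessible subscriptions instead of being stored as a string.
                # This also keeps the scan scope limited to what the credentials can list.
                s = next((subs for subs in accessible_subscriptions_list
                          if subs.subscription_id == entered_id), None)
                if s is None:
                    raise AuthenticationException('Subscription {} does not exist or is not accessible '
                                                  'with the provided credentials'.format(entered_id))
            subscriptions_list.append(s)

        # All subscriptions
        elif self.all_subscriptions:
            subscriptions_list = accessible_subscriptions_list

        # A specific set of subscriptions
        elif self.subscription_ids:
            # Only include accessible subscriptions
            subscriptions_list = [s for s in accessible_subscriptions_list if
                                  s.subscription_id in self.subscription_ids]
            # Verbose skip
            for s in self.subscription_ids:
                if not any(subs.subscription_id == s for subs in accessible_subscriptions_list):
                    raise AuthenticationException('Subscription {} does not exist or is not accessible '
                                                  'with the provided credentials'.format(s))

        # Other == error
        else:
            raise AuthenticationException('Unknown Azure subscription option')

        if subscriptions_list:
            self.subscription_list = subscriptions_list
            if len(subscriptions_list) == 1:
                print_info('Running against subscription {}'.format(subscriptions_list[0].subscription_id))
            else:
                print_info('Running against {} subscriptions'.format(len(subscriptions_list)))
        else:
            raise AuthenticationException('No subscriptions to scan')

================================================ FILE: ScoutSuite/providers/azure/facade/keyvault.py ================================================ from azure.mgmt.keyvault import KeyVaultManagementClient from ScoutSuite.core.console import print_exception from ScoutSuite.providers.utils import run_concurrently from ScoutSuite.utils import get_user_agent class KeyVaultFacade: def __init__(self, credentials): self.credentials = credentials def get_client(self, subscription_id: str): client = KeyVaultManagementClient(self.credentials.get_credentials(), subscription_id=subscription_id, user_agent=get_user_agent()) return client async def get_key_vaults(self, subscription_id: str): try: client = self.get_client(subscription_id) return await run_concurrently( lambda: list(client.vaults.list_by_subscription())) except Exception as e: print_exception(f'Failed to retrieve key vaults: {e}') return [] ================================================ FILE: ScoutSuite/providers/azure/facade/loggingmonitoring.py ================================================ from ScoutSuite.providers.utils import run_concurrently from ScoutSuite.core.console import print_exception from ScoutSuite.utils import get_user_agent from azure.mgmt.monitor import MonitorManagementClient class LoggingMonitoringFacade: def __init__(self, credentials): self.credentials = credentials def get_client(self, subscription_id: str): client =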
MonitorManagementClient(self.credentials.get_credentials(), subscription_id=subscription_id, user_agent=get_user_agent()) return client async def get_log_profiles(self, subscription_id: str): try: client = self.get_client(subscription_id) log_profiles = await run_concurrently( lambda: list(client.log_profiles.list()) ) return log_profiles except Exception as e: print_exception(f'Failed to retrieve log profiles: {e}') return [] async def get_subscription_diagnostic_settings(self, subscription_id: str): try: client = self.get_client(subscription_id) diagnostic_settings = await run_concurrently( lambda: client.subscription_diagnostic_settings.list(subscription_id).value ) return diagnostic_settings except Exception as e: print_exception(f'Failed to retrieve subscription diagnostic settings: {e}') return [] async def get_diagnostic_settings(self, subscription_id: str, resource_id: str): try: client = self.get_client(subscription_id) diagnostic_settings = await run_concurrently( lambda: client.diagnostic_settings.list(resource_id).value ) return diagnostic_settings except Exception as e: print_exception(f'Failed to retrieve resource diagnostic settings: {e}') return [] async def get_activity_log_alerts(self, subscription_id: str): try: client = self.get_client(subscription_id) activity_log_alerts = await run_concurrently( lambda: list(client.activity_log_alerts.list_by_subscription_id()) ) return activity_log_alerts except Exception as e: print_exception(f'Failed to retrieve activity log alerts: {e}') return [] ================================================ FILE: ScoutSuite/providers/azure/facade/mysqldatabase.py ================================================ from azure.mgmt.rdbms.mysql import MySQLManagementClient from ScoutSuite.providers.utils import run_concurrently from ScoutSuite.core.console import print_exception from ScoutSuite.utils import get_user_agent class MySQLDatabaseFacade: def __init__(self, credentials): self.credentials = credentials def 
get_client(self, subscription_id: str): client = MySQLManagementClient(self.credentials.get_credentials(), subscription_id=subscription_id, user_agent=get_user_agent()) return client

    async def get_servers(self, subscription_id: str):
        """List the MySQL servers of a subscription; ``[]`` if the call fails."""
        try:
            mysql_client = self.get_client(subscription_id)
            servers = await run_concurrently(
                lambda: list(mysql_client.servers.list())
            )
            return servers
        except Exception as e:
            print_exception(f'Failed to retrieve mySQL servers: {e}')
            return []


================================================
FILE: ScoutSuite/providers/azure/facade/network.py
================================================
from azure.mgmt.network import NetworkManagementClient

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.utils import run_concurrently
from ScoutSuite.utils import get_user_agent


class NetworkFacade:

    def __init__(self, credentials):
        # Kept as given; get_credentials() is only called when a client is built.
        self.credentials = credentials

    def get_client(self, subscription_id: str):
        """Return a NetworkManagementClient bound to ``subscription_id``."""
        return NetworkManagementClient(
            self.credentials.get_credentials(),
            subscription_id=subscription_id,
            user_agent=get_user_agent(),
        )

    async def get_network_watchers(self, subscription_id: str):
        """List all network watchers of a subscription; ``[]`` if the call fails."""
        try:
            network = self.get_client(subscription_id)
            watchers = await run_concurrently(
                lambda: list(network.network_watchers.list_all())
            )
            return watchers
        except Exception as e:
            print_exception(f'Failed to retrieve network watchers: {e}')
            return []

    async def get_network_security_groups(self, subscription_id: str):
        """List all network security groups of a subscription.

        A failed call is printed and reported as ``[]``, which is
        indistinguishable from a subscription that has no NSGs.
        """
        try:
            network = self.get_client(subscription_id)
            groups = await run_concurrently(
                lambda: list(network.network_security_groups.list_all())
            )
            return groups
        except Exception as e:
            print_exception(f'Failed to retrieve network security groups: {e}')
            return []

    async def get_application_security_groups(self, subscription_id: str):
        """List all application security groups; ``[]`` if the call fails."""
        try:
            network = self.get_client(subscription_id)
            groups = await run_concurrently(
                lambda: list(network.application_security_groups.list_all())
            )
            return groups
        except Exception as e:
            print_exception(f'Failed to retrieve application security groups: {e}')
            return []

    async def 
get_virtual_networks(self, subscription_id: str): try: client = self.get_client(subscription_id) return await run_concurrently( lambda: list(client.virtual_networks.list_all()) ) except Exception as e: print_exception(f'Failed to retrieve virtual networks: {e}') return []

    async def get_network_interfaces(self, subscription_id: str):
        """List all network interfaces of a subscription; ``[]`` if the call fails."""
        try:
            network = self.get_client(subscription_id)
            interfaces = await run_concurrently(
                lambda: list(network.network_interfaces.list_all())
            )
            return interfaces
        except Exception as e:
            print_exception(f'Failed to retrieve network interfaces: {e}')
            return []


================================================
FILE: ScoutSuite/providers/azure/facade/postgresqldatabse.py
================================================
from azure.mgmt.rdbms.postgresql import PostgreSQLManagementClient

from ScoutSuite.providers.utils import run_concurrently
from ScoutSuite.core.console import print_exception
from ScoutSuite.utils import get_user_agent


class PostgreSQLDatabaseFacade:

    def __init__(self, credentials):
        # Kept as given; get_credentials() is only called when a client is built.
        self.credentials = credentials

    def get_client(self, subscription_id: str):
        """Return a PostgreSQLManagementClient bound to ``subscription_id``."""
        return PostgreSQLManagementClient(
            self.credentials.get_credentials(),
            subscription_id=subscription_id,
            user_agent=get_user_agent(),
        )

    async def get_servers(self, subscription_id: str):
        """List the PostgreSQL servers of a subscription; ``[]`` if the call fails."""
        try:
            pg_client = self.get_client(subscription_id)
            servers = await run_concurrently(
                lambda: list(pg_client.servers.list())
            )
            return servers
        except Exception as e:
            print_exception(f'Failed to retrieve postgresSQL servers: {e}')
            return []

    async def get_config(self, resource_group_name, server_name, subscription_id: str, configuration_name: str):
        """Fetch one named configuration of a server.

        On success the object returned by ``configurations.get`` is passed
        through unchanged; on any exception the error is printed and ``[]`` is
        returned instead, so callers have to handle both shapes.
        """
        try:
            pg_client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: pg_client.configurations.get(resource_group_name, server_name, configuration_name)
            )
        except Exception as e:
            print_exception(f'Failed to retrieve server configuration: {e}')
            return []

    async def get_firewall_rules(self, resource_group_name, server_name, subscription_id: str): try: client = 
self.get_client(subscription_id) return await run_concurrently( lambda: list(client.firewall_rules.list_by_server(resource_group_name, server_name)) ) except Exception as e: print_exception(f'Failed to retrieve firewalls rules: {e}') return []


================================================
FILE: ScoutSuite/providers/azure/facade/rbac.py
================================================
from azure.mgmt.authorization import AuthorizationManagementClient

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.utils import run_concurrently
from ScoutSuite.utils import get_user_agent


class RBACFacade:
    """Thin wrapper around the Azure authorization (RBAC) management client."""

    def __init__(self, credentials):
        # Kept as given; get_credentials() is only called when a client is built.
        self.credentials = credentials

    def get_client(self, subscription_id: str):
        """Return an AuthorizationManagementClient bound to ``subscription_id``."""
        return AuthorizationManagementClient(
            self.credentials.get_credentials(),
            subscription_id=subscription_id,
            user_agent=get_user_agent(),
        )

    async def get_roles(self, subscription_id: str):
        """List role definitions at the subscription scope.

        Any exception is printed and turned into ``[]``; an empty result
        therefore does not prove that no role definitions exist.
        """
        try:
            authz = self.get_client(subscription_id)
            subscription_scope = f'/subscriptions/{subscription_id}'

            def list_definitions():
                return list(authz.role_definitions.list(scope=subscription_scope))

            return await run_concurrently(list_definitions)
        except Exception as e:
            print_exception(f'Failed to retrieve roles: {e}')
            return []

    async def get_role_assignments(self, subscription_id: str):
        """List role assignments for the subscription scope.

        Any exception is printed and turned into ``[]``; an empty result
        therefore does not prove that no assignments exist.
        """
        try:
            authz = self.get_client(subscription_id)
            subscription_scope = f'/subscriptions/{subscription_id}'

            def list_assignments():
                return list(authz.role_assignments.list_for_scope(scope=subscription_scope))

            return await run_concurrently(list_assignments)
        except Exception as e:
            print_exception(f'Failed to retrieve role assignments: {e}')
            return []


================================================
FILE: ScoutSuite/providers/azure/facade/resourcemanagement.py
================================================
from ScoutSuite.providers.utils import run_concurrently
from ScoutSuite.core.console import print_exception
from ScoutSuite.utils import get_user_agent

from azure.mgmt.resource import ResourceManagementClient


class ResourceManagementFacade:

    def __init__(self, credentials): self.credentials = 
credentials

    def get_client(self, subscription_id: str):
        """Return a ResourceManagementClient bound to ``subscription_id``."""
        return ResourceManagementClient(
            self.credentials.get_credentials(),
            subscription_id=subscription_id,
            user_agent=get_user_agent(),
        )

    async def get_specific_type_resources_with_filter(self, subscription_id: str, resource_type_filter: str):
        """List the subscription's resources whose ``resourceType`` equals the filter.

        Returns ``[]`` after printing the error if anything fails.
        """
        try:
            # The value is placed between single quotes in the filter without
            # escaping. NOTE(review): confirm callers only pass fixed resource
            # type strings, never externally supplied text.
            type_filter = f'resourceType eq \'{resource_type_filter}\''
            rm_client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(rm_client.resources.list(filter=type_filter))
            )
        except Exception as e:
            # NOTE(review): the message names key vaults although the filter is
            # generic; presumably a leftover from the first caller.
            print_exception(f'Failed to retrieve key vault resources: {e}')
            return []

    async def get_all_resources(self, subscription_id: str):
        """List every resource of the subscription; ``[]`` if the call fails."""
        try:
            rm_client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(rm_client.resources.list())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve resources: {e}')
            return []


================================================
FILE: ScoutSuite/providers/azure/facade/securitycenter.py
================================================
from azure.mgmt.security import SecurityCenter

from ScoutSuite.core.console import print_exception, print_debug
from ScoutSuite.providers.utils import run_concurrently
from ScoutSuite.utils import get_user_agent


class SecurityCenterFacade:

    def __init__(self, credentials):
        # Only the credentials are stored; no subscription id is kept on the
        # facade, every method receives it as an argument.
        self.credentials = credentials

    def get_client(self, subscription_id: str):
        """Return a SecurityCenter client for ``subscription_id``.

        NOTE(review): the empty string is the third positional argument;
        presumably the SDK's location parameter - confirm.
        """
        return SecurityCenter(
            self.credentials.get_credentials(),
            subscription_id,
            '',
            user_agent=get_user_agent(),
        )

    async def get_pricings(self, subscription_id: str):
        """Return the ``value`` of the pricings listing.

        ``[]`` is returned when the response has no ``value`` attribute and
        also, after printing the error, when the call fails.
        """
        try:
            sc_client = self.get_client(subscription_id)
            pricings_list = await run_concurrently(
                lambda: sc_client.pricings.list()
            )
            return pricings_list.value if hasattr(pricings_list, 'value') else []
        except Exception as e:
            print_exception(f'Failed to retrieve pricings: {e}')
            return []

    async def get_security_contacts(self, subscription_id: str): try: client = self.get_client(subscription_id) 
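return await run_concurrently( lambda: list(client.security_contacts.list()) ) except Exception as e: print_exception(f'Failed to retrieve security contacts: {e}') return []

    async def get_auto_provisioning_settings(self, subscription_id: str):
        """List the auto provisioning settings; ``[]`` if the call fails."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.auto_provisioning_settings.list())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve auto provisioning settings: {e}')
            return []

    async def get_information_protection_policies(self, subscription_id: str):
        """List the information protection policies at the subscription scope.

        Returns ``[]`` after printing the error if the call fails.
        """
        try:
            client = self.get_client(subscription_id)
            # The facade stores only credentials, so the scope has to be built
            # from the argument. Reading self._subscription_id raised
            # AttributeError, which the handler below turned into an empty
            # list on every call.
            scope = f'/subscriptions/{subscription_id}'
            return await run_concurrently(lambda: list(client.information_protection_policies.list(scope=scope)))
        except Exception as e:
            print_exception(f'Failed to retrieve information protection policies: {e}')
            return []

    async def get_settings(self, subscription_id: str):
        """List the Security Center settings; ``[]`` if the call fails."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.settings.list())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve settings: {e}')
            return []

    async def get_alerts(self, subscription_id: str):
        """List the Security Center alerts; ``[]`` if the call fails."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.alerts.list())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve alerts: {e}')
            return []

    def remove_last_ItemPage_from_the_list(self, results):
        """Copy ``results`` into a list, keeping what was read before an error.

        The items are appended one by one rather than with ``list(results)``
        so that an exception raised while iterating does not discard the
        items already collected. The returned list may therefore be a
        truncated view of the results.
        """
        p = list()
        try:
            for i in results:
                p.append(i)
        except Exception as e:
            # TODO implement condition to pass only if the triggered error is MissingApiVersionParameter
            # Until then the partial list is still returned, but any other
            # failure is reported so that truncated data does not pass silently.
            # Matching on the message text is a stopgap.
            # NOTE(review): confirm how the SDK surfaces this error.
            if 'MissingApiVersionParameter' not in str(e):
                print_exception(f'Results may be incomplete: {e}')
        return p

    """ Commented out this part since a weird bug causes MissingApiVersionParameter errors to appear in the last response from Azure API. Workaround bypasses this but obviously not ideal. 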
async def get_compliance_results(self, subscription_id: str): try: client = self.get_client(subscription_id) scope = f'/subscriptions/{subscription_id}' return await run_concurrently( lambda: list(client.compliance_results.list(scope=scope)) ) except Exception as e: print_exception(f'Failed to retrieve compliance results: {e}') return [] """ async def get_compliance_results(self, subscription_id: str): try: client = self.get_client(subscription_id) scope = f'/subscriptions/{subscription_id}' return await run_concurrently( lambda: self.remove_last_ItemPage_from_the_list(client.compliance_results.list(scope=scope)) ) except Exception as e: print_exception(f'Failed to retrieve compliance results: {e}') return [] async def get_regulatory_compliance_results(self, subscription_id: str): try: client = self.get_client(subscription_id) results = [] try: compliance_standards = await run_concurrently( lambda: list(client.regulatory_compliance_standards.list()) ) except Exception as e: if 'as it has no standard pricing bundle' in str(e): print_debug(f'Failed to retrieve regulatory compliance standards: {e}') else: print_exception(f'Failed to retrieve regulatory compliance standards: {e}') return {} else: for standard in compliance_standards: try: compliance_controls = await run_concurrently( lambda standard=standard: list(client.regulatory_compliance_controls.list( regulatory_compliance_standard_name=standard.name)) ) for control in compliance_controls: control.standard_name = standard.name results.append(control) except Exception as e: print_exception(f'Failed to retrieve compliance controls: {e}') finally: return results except Exception as e: print_exception(f'Failed to retrieve regulatory compliance results: {e}') return [] ================================================ FILE: ScoutSuite/providers/azure/facade/sqldatabase.py ================================================ from azure.mgmt.sql import SqlManagementClient from ScoutSuite.providers.utils import 
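run_concurrently
from ScoutSuite.core.console import print_exception
from ScoutSuite.utils import get_user_agent


class SQLDatabaseFacade:
    """Async wrapper around ``SqlManagementClient`` for servers, databases and their policies.

    Each getter catches ``Exception`` and logs it. The fallback value differs per method
    (``[]``, or ``None`` for two of them), and the single-object ``.get(...)`` getters return
    ``[]`` on failure even though success returns one policy object, so callers have to
    handle both shapes.
    """

    def __init__(self, credentials):
        self.credentials = credentials

    def get_client(self, subscription_id: str):
        """Build a SqlManagementClient for ``subscription_id`` from the stored credentials."""
        client = SqlManagementClient(self.credentials.get_credentials(),
                                     subscription_id=subscription_id, user_agent=get_user_agent())
        return client

    async def get_database_blob_auditing_policies(self, resource_group_name, server_name, database_name,
                                                  subscription_id: str):
        """Return the blob auditing policy of one database, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: client.database_blob_auditing_policies.get(
                    resource_group_name, server_name, database_name)
            )
        except Exception as e:
            print_exception(f'Failed to retrieve database blob auditing policies: {e}')
            return []

    async def get_database_threat_detection_policies(self, resource_group_name, server_name, database_name,
                                                     subscription_id: str):
        """Return the 'default' threat detection policy of one database, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: client.database_threat_detection_policies.get(resource_group_name, server_name,
                                                                      database_name, 'default')
            )
        except Exception as e:
            print_exception(f'Failed to retrieve database threat detection policies: {e}')
            return []

    async def get_databases(self, resource_group_name, server_name, subscription_id: str):
        """Return the databases of one server as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.databases.list_by_server(resource_group_name, server_name))
            )
        except Exception as e:
            print_exception(f'Failed to retrieve databases: {e}')
            return []

    async def get_database_replication_links(self, resource_group_name, server_name, database_name,
                                             subscription_id: str):
        """Return the replication links of one database as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.replication_links.list_by_database(
                    resource_group_name, server_name, database_name))
            )
        except Exception as e:
            print_exception(f'Failed to retrieve database replication links: {e}')
            return []

    async def get_server_azure_ad_administrators(self, resource_group_name, server_name, subscription_id: str):
        """Return the Azure AD administrators of one server as a list, or ``None`` on error.

        Unlike most getters in this class the failure value is ``None``, not ``[]``.
        """
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.server_azure_ad_administrators.list_by_server(resource_group_name,
                                                                                  server_name))
            )
        except Exception as e:
            print_exception(f'Failed to retrieve server azure ad administrators: {e}')
            return None

    async def get_server_blob_auditing_policies(self, resource_group_name, server_name, subscription_id: str):
        """Return the blob auditing policy of one server, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: client.server_blob_auditing_policies.get(resource_group_name, server_name)
            )
        except Exception as e:
            print_exception(f'Failed to retrieve server blob auditing policies: {e}')
            return []

    async def get_server_security_alert_policies(self, resource_group_name, server_name, subscription_id: str):
        """Return the 'default' security alert policy of one server, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: client.server_security_alert_policies.get(resource_group_name, server_name, 'default')
            )
        except Exception as e:
            print_exception(f'Failed to retrieve server security alert policies: {e}')
            return []

    async def get_servers(self, subscription_id: str):
        """Return all SQL servers in the subscription as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.servers.list())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve servers: {e}')
            return []

    async def get_database_transparent_data_encryptions(self, resource_group_name, server_name, database_name,
                                                        subscription_id: str):
        """Return the 'current' transparent data encryption setting of one database, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: client.transparent_data_encryptions.get(
                    resource_group_name, server_name, database_name, 'current')
            )
        except Exception as e:
            print_exception(f'Failed to retrieve database transparent data encryptions: {e}')
            return []

    async def get_server_vulnerability_assessments(self, resource_group_name, server_name, subscription_id: str):
        """Return the 'default' vulnerability assessment of one server, or ``None`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: client.server_vulnerability_assessments.get(resource_group_name, server_name, 'default')
            )
        except Exception as e:
            print_exception(f'Failed to retrieve server vulnerability assessments: {e}')
            # Same value the original returned implicitly by falling off the end.
            return None

    async def get_server_encryption_protectors(self, resource_group_name, server_name, subscription_id: str):
        """Return the 'current' encryption protector of one server, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: client.encryption_protectors.get(resource_group_name, server_name, 'current')
            )
        except Exception as e:
            # The message used to name "database transparent data encryptions", which sent
            # anyone reading the log to the wrong API call.
            print_exception(f'Failed to retrieve server encryption protectors: {e}')
            return []

    async def get_firewall_rules(self, resource_group_name, server_name, subscription_id: str):
        """Return the firewall rules of one server as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.firewall_rules.list_by_server(resource_group_name, server_name))
            )
        except Exception as e:
            print_exception(f'Failed to retrieve firewalls rules: {e}')
            return []


================================================
FILE: ScoutSuite/providers/azure/facade/storageaccounts.py
================================================
import datetime

from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.storage import StorageManagementClient

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently
from ScoutSuite.utils import get_user_agent


class StorageAccountsFacade:
    """Async wrapper around the storage and monitor management clients."""

    def __init__(self, credentials):
        self.credentials = credentials

    def get_client(self, subscription_id: str):
        """Build a StorageManagementClient for ``subscription_id`` from the stored credentials."""
        client = StorageManagementClient(self.credentials.get_credentials(),
                                         subscription_id=subscription_id, user_agent=get_user_agent())
        return client

    async def get_storage_accounts(self, subscription_id: str):
        # Lists the storage accounts, then attaches activity logs to each one in the `else`
        # branch; a listing failure is logged and ends the method early.
        try:
            client = self.get_client(subscription_id)
            storage_accounts = await run_concurrently(
                lambda: list(client.storage_accounts.list())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve storage accounts: {e}')
            return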
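[]
        else:
            # Attach an `activity_logs` attribute to every account before returning the list.
            await get_and_set_concurrently([self._get_and_set_activity_logs], storage_accounts,
                                           subscription_id=subscription_id)
            return storage_accounts

    async def get_blob_containers(self, resource_group_name, storage_account_name, subscription_id: str):
        """Return the blob containers of one storage account as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            containers = await run_concurrently(
                lambda: list(client.blob_containers.list(resource_group_name, storage_account_name))
            )
        except Exception as e:
            print_exception(f'Failed to retrieve blob containers: {e}')
            return []
        else:
            return containers

    async def get_blob_services(self, resource_group_name, storage_account_name, subscription_id: str):
        """Return the blob services of one storage account as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            blob_services = await run_concurrently(
                lambda: list(client.blob_services.list(resource_group_name, storage_account_name))
            )
        except Exception as e:
            print_exception(f'Failed to retrieve blob services: {e}')
            return []
        else:
            return blob_services

    async def _get_and_set_activity_logs(self, storage_account, subscription_id: str):
        """Set ``storage_account.activity_logs`` to the last 90 days of activity log entries.

        On any error the attribute is set to ``[]``, so an account whose logs could not be
        read looks the same as an account with no logged activity.
        """
        client = MonitorManagementClient(self.credentials.get_credentials(), subscription_id,
                                         user_agent=get_user_agent())

        # Time format used by Azure API:
        time_format = "%Y-%m-%dT%H:%M:%S.%f"
        # Azure API uses UTC time, we need to use the same to avoid bad requests.
        # `datetime.utcnow()` is deprecated since Python 3.12; the format has no offset
        # field, so the aware timestamp renders to the same string.
        utc_now = datetime.datetime.now(datetime.timezone.utc)
        # Activity logs are only archived for a period of 90 days max (requesting a timespan of more than that ends up
        # with a bad request):
        timespan = datetime.timedelta(90)

        # NOTE(review): the timestamps and the resource id are written into the filter without
        # quotes - confirm this matches the filter syntax the Monitor API expects.
        logs_filter = " and ".join([
            "eventTimestamp ge {}".format((utc_now - timespan).strftime(time_format)),
            "eventTimestamp le {}".format(utc_now.strftime(time_format)),
            f"resourceId eq {storage_account.id}",
        ])
        try:
            activity_logs = await run_concurrently(
                lambda: list(client.activity_logs.list(filter=logs_filter, select="eventTimestamp, operationName"))
            )
        except Exception as e:
            print_exception(f'Failed to retrieve activity logs: {e}')
            setattr(storage_account, 'activity_logs', [])
        else:
            setattr(storage_account, 'activity_logs', activity_logs)

    # FIXME - not implemented by SDK
    # async def get_queues(self, resource_group_name, storage_account_name, subscription_id: str):
    #     try:
    #         client = QueueServiceClient(account_url="https://{}.queue.core.windows.net".format(storage_account_name),
    #                                     credential=self.credentials.aad_graph_credentials)
    #
    #         # queues = await run_concurrently(
    #         #     lambda: list(client.queues.list(resource_group_name, storage_account_name))
    #         # )
    #     except Exception as e:
    #         print_exception('Failed to retrieve queues: {}'.format(e))
    #         return []
    #     else:
    #         return None
    #         # return queues


================================================
FILE: ScoutSuite/providers/azure/facade/virtualmachines.py
================================================
from azure.mgmt.compute import ComputeManagementClient

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.utils import run_concurrently
from ScoutSuite.utils import get_user_agent


class VirtualMachineFacade:
    """Async wrapper around ``ComputeManagementClient``.

    Every getter logs any exception and returns ``[]``, so a failed request and an empty
    subscription produce the same return value.
    """

    def __init__(self, credentials):
        self.credentials = credentials

    def get_client(self, subscription_id: str):
        """Build a ComputeManagementClient for ``subscription_id`` from the stored credentials."""
        client = ComputeManagementClient(self.credentials.get_credentials(),
                                         subscription_id=subscription_id, user_agent=get_user_agent())
        return client

    async def get_instances(self, subscription_id: str):
        """Return all virtual machines in the subscription as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.virtual_machines.list_all())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve virtual machines: {e}')
            return []

    async def get_instance_extensions(self, subscription_id: str, instance_name: str, resource_group: str):
        """Return the extensions of one virtual machine as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            extensions = await run_concurrently(
                lambda: client.virtual_machine_extensions.list(resource_group, instance_name)
            )
            # The response is read through its `value` attribute rather than iterated directly.
            return list(extensions.value)
        except Exception as e:
            print_exception(f'Failed to retrieve virtual machine extensions: {e}')
            return []

    async def get_disks(self, subscription_id: str):
        """Return all managed disks in the subscription as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.disks.list())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve disks: {e}')
            return []

    async def get_snapshots(self, subscription_id: str):
        """Return all snapshots in the subscription as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.snapshots.list())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve snapshots: {e}')
            return []

    async def get_images(self, subscription_id: str):
        """Return all images in the subscription as a list, or ``[]`` on error."""
        try:
            client = self.get_client(subscription_id)
            return await run_concurrently(
                lambda: list(client.images.list())
            )
        except Exception as e:
            print_exception(f'Failed to retrieve images: {e}')
            return []


================================================
FILE: ScoutSuite/providers/azure/metadata.json
================================================
{ "storage": { "storageaccounts": { "resources": { "storage_accounts": { "cols": 2, "path": "services.storageaccounts.subscriptions.id.storage_accounts" } } } }, "compute": { "virtualmachines": { "resources": { "instances": { "cols": 2, "path": "services.virtualmachines.subscriptions.id.instances" }, "disks": { "cols": 2, "path": "services.virtualmachines.subscriptions.id.disks" }, "snapshots": { "cols": 2, "path": "services.virtualmachines.subscriptions.id.snapshots" }, "images": { "cols": 2, "path": "services.virtualmachines.subscriptions.id.images" } } } }, "database": { "sqldatabase": { "resources": { "servers": { "cols": 2, "path": "services.sqldatabase.subscriptions.id.servers" } } }, "rediscache": { "resources": { "caches": { "cols": 2, "path": "services.rediscache.subscriptions.id.caches" } } } }, "security": { "aad": { "resources": { "users": { "cols": 2, "path": "services.aad.users" }, "groups": { "cols": 2, "path": "services.aad.groups" }, "service_principals": { "cols": 2, "path": "services.aad.service_principals" }, "applications": { "cols": 2, "path": "services.aad.applications" }, "policies": { "cols": 2, "path":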
"services.aad.policies" } } }, "rbac": { "resources": { "roles": { "cols": 2, "path": "services.rbac.subscriptions.id.roles" }, "custom_roles_report": { "cols": 2, "path": "services.rbac.subscriptions.id.custom_roles_report" } } }, "keyvault": { "resources": { "vaults": { "cols": 2, "path": "services.keyvault.subscriptions.id.vaults" } } }, "securitycenter": { "resources": { "pricings": { "cols": 2, "path": "services.securitycenter.subscriptions.id.pricings" }, "security_contacts": { "cols": 2, "path": "services.securitycenter.subscriptions.id.security_contacts" }, "auto_provisioning_settings": { "cols": 2, "path": "services.securitycenter.subscriptions.id.auto_provisioning_settings" }, "compliance_results": { "cols": 2, "path": "services.securitycenter.subscriptions.id.compliance_results" }, "regulatory_compliance_results": { "cols": 2, "path": "services.securitycenter.subscriptions.id.regulatory_compliance_results" }, "settings": { "cols": 2, "path": "services.securitycenter.subscriptions.id.settings" } } } }, "networking": { "appgateway": { "resources": { "app_gateways": { "cols": 2, "path": "services.appgateway.subscriptions.id.app_gateways" } } }, "network": { "resources": { "virtual_networks": { "cols": 2, "path": "services.network.subscriptions.id.virtual_networks" }, "security_groups": { "cols": 2, "path": "services.network.subscriptions.id.security_groups" }, "application_security_groups": { "cols": 2, "path": "services.network.subscriptions.id.application_security_groups" }, "watchers": { "cols": 2, "path": "services.network.subscriptions.id.watchers" } } }, "loadbalancer": { "resources": { "load_balancers": { "cols": 2, "path": "services.loadbalancer.subscriptions.id.load_balancers" } } } }, "applications": { "appservice": { "resources": { "web_apps": { "cols": 2, "path": "services.appservice.subscriptions.id.web_apps" } } } }, "mysql": { "mysqldatabase": { "resources": { "servers": { "cols": 2, "path": "services.mysqldatabase.subscriptions.id.servers" } 
} } }, "postgres": { "postgresqldatabase": { "resources": { "servers": { "cols": 2, "path": "services.postgresqldatabase.subscriptions.id.servers" } } } }, "logging": { "loggingmonitoring": { "resources": { "resources_logging": { "cols": 2, "path": "services.loggingmonitoring.subscriptions.id.resources_logging" }, "log_alerts": { "cols": 2, "path": "services.loggingmonitoring.subscriptions.id.log_alerts" }, "diagnostic_settings": { "cols": 2, "path": "services.loggingmonitoring.subscriptions.id.diagnostic_settings" }, "log_profiles": { "cols": 2, "path": "services.loggingmonitoring.subscriptions.id.log_profiles" } } } } }


================================================
FILE: ScoutSuite/providers/azure/provider.py
================================================
import os

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.base.provider import BaseProvider
from ScoutSuite.providers.azure.services import AzureServicesConfig


class AzureProvider(BaseProvider):
    """
    Implements provider for Azure
    """

    def __init__(self, subscription_ids=[], all_subscriptions=None, report_dir=None, timestamp=None,
                 services=None, skipped_services=None, result_format='json', **kwargs):
        # `programmatic_execution` and `credentials` are required keyword arguments: both are
        # read from kwargs with a subscript, so omitting either raises KeyError.
        services = [] if services is None else services
        skipped_services = [] if skipped_services is None else skipped_services

        self.metadata_path = '%s/metadata.json' % os.path.split(os.path.abspath(__file__))[0]

        self.provider_code = 'azure'
        self.provider_name = 'Microsoft Azure'
        self.environment = 'default'

        self.programmatic_execution = kwargs['programmatic_execution']
        self.credentials = kwargs['credentials']

        # Explicit subscription ids win; otherwise fall back to the credentials' default
        # subscription, and to an empty list when there is none.
        if subscription_ids:
            self.subscription_ids = subscription_ids
        elif self.credentials.default_subscription_id:
            self.subscription_ids = [self.credentials.default_subscription_id]
        else:
            self.subscription_ids = []
        self.all_subscriptions = all_subscriptions

        # A failure to read the tenant id is not logged here; the account id just becomes
        # the literal 'undefined'.
        try:
            self.account_id = self.credentials.get_tenant_id()
        except Exception as e:
            self.account_id = 'undefined'

        self.services = AzureServicesConfig(self.credentials,
                                            programmatic_execution=self.programmatic_execution,
                                            subscription_ids=self.subscription_ids,
                                            all_subscriptions=self.all_subscriptions)

        self.result_format = result_format

        super().__init__(report_dir, timestamp,
                         services, skipped_services, result_format)

    def get_report_name(self):
        """
        Returns the name of the report using the provider's configuration

        Falls back to 'azure' (after logging) when the tenant id cannot be read.
        """
        try:
            return f'azure-tenant-{self.credentials.get_tenant_id()}'
        except Exception as e:
            print_exception(f'Unable to define report name: {e}')
            return 'azure'

    def preprocessing(self, ip_ranges=None, ip_ranges_name_key=None):
        """
        Tweak the Azure config to match cross-service resources and clean any fetching artifacts

        :param ip_ranges: defaulted to an empty list; not used further in this method
        :param ip_ranges_name_key: not used in this method
        :return: None
        """
        ip_ranges = [] if ip_ranges is None else ip_ranges

        # Don't do this if we're running a local execution
        if not self.last_run:
            self._match_rbac_roles_and_principals()

        super().preprocessing()

    def _match_rbac_roles_and_principals(self):
        """
        Matches ARM role assignments to AAD service principals

        Runs only when both 'rbac' and 'aad' are in the service list. For every role assignment
        whose principal id equals a known group, user or service principal key, the role is
        recorded on that principal and the principal on the role, and the role's
        `assignments_count` is incremented.

        The whole pass sits in one try block: the first failed lookup (for example a role id
        that is not a key of the subscription's `roles`) is logged and ends the matching, so
        the remaining assignments are left unmatched in the report.
        """
        try:
            if 'rbac' in self.service_list and 'aad' in self.service_list:
                for subscription in self.services['rbac']['subscriptions']:
                    for assignment in self.services['rbac']['subscriptions'][subscription]['role_assignments'].values():
                        # The role id is the last path segment of the role definition id.
                        role_id = assignment['role_definition_id'].split('/')[-1]
                        for group in self.services['aad']['groups']:
                            if group == assignment['principal_id']:
                                self.services['aad']['groups'][group]['roles'].append({'subscription_id': subscription,
                                                                                       'role_id': role_id})
                                self.services['rbac']['subscriptions'][subscription]['roles'][role_id]['assignments']['groups'].append(group)
                                self.services['rbac']['subscriptions'][subscription]['roles'][role_id]['assignments_count'] += 1
                        for user in self.services['aad']['users']:
                            if user == assignment['principal_id']:
                                self.services['aad']['users'][user]['roles'].append({'subscription_id': subscription,
                                                                                     'role_id': role_id})
                                self.services['rbac']['subscriptions'][subscription]['roles'][role_id]['assignments']['users'].append(user)
                                self.services['rbac']['subscriptions'][subscription]['roles'][role_id]['assignments_count'] += 1
                        for service_principal in self.services['aad']['service_principals']:
                            if service_principal == assignment['principal_id']:
                                self.services['aad']['service_principals'][service_principal]['roles'].append({'subscription_id': subscription,
                                                                                                               'role_id': role_id})
                                self.services['rbac']['subscriptions'][subscription]['roles'][role_id]['assignments']['service_principals'].append(service_principal)
                                self.services['rbac']['subscriptions'][subscription]['roles'][role_id]['assignments_count'] += 1
        except Exception as e:
            print_exception('Unable to match RBAC roles and principals: {}'.format(e))


================================================
FILE: ScoutSuite/providers/azure/resources/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/azure/resources/aad/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/azure/resources/aad/applications.py
================================================
from ScoutSuite.providers.azure.resources.base import AzureResources


class Applications(AzureResources):
    async def fetch_all(self):
        # Store every application returned by the facade under its parsed id.
        for raw_application in await self.facade.aad.get_applications():
            id, application = await self._parse_application(raw_application)
            self[id] = application

    async def _parse_application(self, raw_application):
        # Builds a flat dict from the raw application mapping and returns (id, dict).
        application_dict = {}
        application_dict['id'] = raw_application.get('id')
        application_dict['app_id'] = raw_application.get('appId')
        application_dict['name'] = raw_application.get('displayName')
        # application_dict['additional_properties'] = raw_application.additional_properties
        application_dict['deletion_timestamp'] = raw_application.get('deletedDateTime')
        application_dict['object_type'] =
'Application'
        # application_dict['allow_guests_sign_in'] = raw_application.allow_guests_sign_in
        # application_dict['allow_passthrough_users'] = raw_application.allow_passthrough_users
        # application_dict['app_logo_url'] = raw_application.app_logo_url
        application_dict['app_roles'] = raw_application.get('appRoles')
        # application_dict['app_permissions'] = raw_application.app_permissions
        # application_dict['available_to_other_tenants'] = raw_application.available_to_other_tenants
        # application_dict['error_url'] = raw_application.error_url
        application_dict['group_membership_claims'] = raw_application.get('groupMembershipClaims')
        # application_dict['homepage'] = raw_application.homepage
        application_dict['identifier_uris'] = raw_application.get('identifierUris')
        application_dict['informational_urls'] = raw_application.get('info')
        application_dict['is_device_only_auth_supported'] = raw_application.get('isDeviceOnlyAuthSupported')
        application_dict['key_credentials'] = raw_application.get('keyCredentials')
        # The 'api' and 'web' entries are read with a subscript, not .get(): an application
        # without either key raises KeyError here, and nothing in this class catches it.
        application_dict['known_client_applications'] = raw_application['api'].get('knownClientApplications')
        application_dict['logout_url'] = raw_application['web'].get('logoutUrl')
        # application_dict['oauth2_allow_implicit_flow'] = raw_application.oauth2_allow_implicit_flow
        # application_dict['oauth2_allow_url_path_matching'] = raw_application.oauth2_allow_url_path_matching
        application_dict['oauth2_permissions'] = raw_application['api'].get('oauth2PermissionScopes')
        # application_dict['oauth2_require_post_response'] = raw_application.get('oauth2RequirePostResponse') # only in beta
        # application_dict['org_restrictions'] = raw_application.get('orgRestrictions') # only in beta
        application_dict['optional_claims'] = raw_application.get('optionalClaims')
        # Copied as returned by the facade; what the credential entries contain depends on
        # that response and is not filtered here.
        application_dict['password_credentials'] = raw_application.get('passwordCredentials')
        application_dict['pre_authorized_applications'] = raw_application['api'].get('preAuthorizedApplications')
        application_dict['public_client'] =
policy_dict['allowed_to_use_SSPR'] = raw_policy.get('allowedToUseSSPR') policy_dict['allow_email_verified_users_to_join_organization' ] = raw_policy.get('allowEmailVerifiedUsersToJoinOrganization') policy_dict['allowed_to_create_apps'] = raw_policy.get('defaultUserRolePermissions', {}).get('allowedToCreateApps') policy_dict['allowed_to_create_security_groups' ] = raw_policy.get('defaultUserRolePermissions', {}).get('allowedToCreateSecurityGroups') policy_dict[ 'allowed_to_read_other_users'] = raw_policy.get('defaultUserRolePermissions', {}).get('allowedToReadOtherUsers') return policy_dict['id'], policy_dict ================================================ FILE: ScoutSuite/providers/azure/resources/aad/serviceprincipals.py ================================================ from ScoutSuite.providers.azure.resources.base import AzureResources class ServicePrincipals(AzureResources): async def fetch_all(self): for raw_service_principal in await self.facade.aad.get_service_principals(): id, service_principal = await self._parse_service_principal(raw_service_principal) # exclude built-in service principals if service_principal['publisher_name'] != 'Microsoft Services': self[id] = service_principal async def _parse_service_principal(self, raw_service_principal): service_principal_dict = {} service_principal_dict['id'] = raw_service_principal.get('id') service_principal_dict['name'] = raw_service_principal.get('displayName') # service_principal_dict['additional_properties'] = raw_service_principal.additional_properties service_principal_dict['deletion_timestamp'] = raw_service_principal.get('deletedDateTime') service_principal_dict['object_type'] = 'ServicePrincipal' service_principal_dict['account_enabled'] = raw_service_principal.get('accountEnabled') service_principal_dict['alternative_names'] = raw_service_principal.get('alternativeNames') service_principal_dict['app_name'] = raw_service_principal.get('appDisplayName') service_principal_dict['app_id'] = 
raw_service_principal.get('appId') service_principal_dict['app_owner_tenant_id'] = raw_service_principal.get('appOwnerOrganizationId') service_principal_dict['app_role_assignment_required'] = raw_service_principal.get('appRoleAssignmentRequired') service_principal_dict['app_roles'] = raw_service_principal.get('appRoles') service_principal_dict['error_url'] = raw_service_principal.get('errorUrl') service_principal_dict['homepage'] = raw_service_principal.get('homepage') service_principal_dict['key_credentials'] = raw_service_principal.get('keyCredentials') service_principal_dict['logout_url'] = raw_service_principal.get('logoutUrl') service_principal_dict['oauth2_permissions'] = raw_service_principal.get('oauth2PermissionScopes') service_principal_dict['password_credentials'] = raw_service_principal.get('passwordCredentials') service_principal_dict[ 'preferred_token_signing_key_thumbprint'] = raw_service_principal.get('preferredTokenSigningKeyThumbprint') service_principal_dict['publisher_name'] = raw_service_principal.get('publisherName') service_principal_dict['reply_urls'] = raw_service_principal.get('replyUrls') service_principal_dict['saml_metadata_url'] = raw_service_principal.get('samlMetadataUrl') service_principal_dict['service_principal_names'] = raw_service_principal.get('servicePrincipalNames') service_principal_dict['service_principal_type'] = raw_service_principal.get('servicePrincipalType') service_principal_dict['tags'] = raw_service_principal.get('tags') service_principal_dict['roles'] = [] # this will be filled in `finalize()` return service_principal_dict['id'], service_principal_dict ================================================ FILE: ScoutSuite/providers/azure/resources/aad/users.py ================================================ from ScoutSuite.providers.azure.resources.base import AzureResources class Users(AzureResources): async def fetch_all(self): for raw_user in await self.facade.aad.get_users(): id, user = await 
self._parse_user(raw_user) self[id] = user async def fetch_additional_users(self, user_list): """ Alternative method which only fetches defined users :param user_list: a list of the users to fetch and parse """ for user in user_list: raw_user = await self.facade.aad.get_user(user) if raw_user: id, user = await self._parse_user(raw_user) self[id] = user async def _parse_user(self, raw_user): user_dict = {} user_dict['id'] = raw_user.get('id') # user_dict['additional_properties'] = raw_user.additional_properties user_dict['deletion_timestamp'] = raw_user.get('deletedDateTime') user_dict['object_type'] = 'User' # user_dict['immutable_id'] = raw_user.immutable_id user_dict['usage_location'] = raw_user.get('usageLocation') user_dict['given_name'] = raw_user.get('given_name') user_dict['surname'] = raw_user.get('surname') user_dict['user_type'] = raw_user.get('userType') user_dict['account_enabled'] = raw_user.get('accountEnabled') user_dict['display_name'] = raw_user.get('displayName') user_dict['name'] = raw_user.get('userPrincipalName') user_dict['mail_nickname'] = raw_user.get('mailNickname') user_dict['mail'] = raw_user.get('mail') # user_dict['sign_in_names'] = raw_user.sign_in_names user_dict['groups'] = await self.facade.aad.get_user_groups(user_dict['id']) user_dict['roles'] = [] # this will be filled in `finalize()` return user_dict['id'], user_dict ================================================ FILE: ScoutSuite/providers/azure/resources/appservice/base.py ================================================ from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions from .web_apps import WebApplication class AppServices(Subscriptions): _children = [ (WebApplication, 'web_apps') ] ================================================ FILE: ScoutSuite/providers/azure/resources/appservice/web_apps.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from 
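ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.azure.utils import get_resource_group_name


class WebApplication(AzureResources):
    """Web apps of one subscription, keyed by the id returned by `get_non_provider_id`."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch every web app of the subscription and store its parsed form."""
        for raw_web_app in await self.facade.appservice.get_web_apps(self.subscription_id):
            web_app_id, web_app = self._parse_web_app(raw_web_app)
            self[web_app_id] = web_app

    @staticmethod
    def _split_fx_version(fx_version):
        """Split a 'LANGUAGE|VERSION' string into (lower-cased language, version).

        The version is None when the string holds no '|' separator, instead of
        raising IndexError.
        """
        parts = fx_version.split('|')
        return parts[0].lower(), (parts[1] if len(parts) > 1 else None)

    def _parse_runtime(self, config):
        """Return (language, version) from the first runtime field that is set on `config`."""
        if config.linux_fx_version:
            return self._split_fx_version(config.linux_fx_version)
        if config.windows_fx_version:
            return self._split_fx_version(config.windows_fx_version)
        # Checked in this order; the first truthy version wins.
        for attribute, language in (('net_framework_version', 'dotnet'),
                                    ('php_version', 'php'),
                                    ('python_version', 'python'),
                                    ('node_version', 'node'),
                                    ('java_version', 'java')):
            version = getattr(config, attribute)
            if version:
                return language, version
        return None, None

    def _parse_web_app(self, raw_web_app):
        """
        Build the report entry for one web app.

        Besides copying the descriptive attributes, this derives the values the transport
        and authentication checks rely on: 'https_only', 'client_cert_enabled',
        'minimum_tls_version_supported', 'ftp_deployment_enabled' (True only when
        ``ftps_state`` is 'AllAllowed') and 'authentication_enabled'.

        :param raw_web_app: web app object carrying the attributes read below, including
                            the `config` and `auth_settings` attributes (either may be None)
        :return: tuple of the web app id and the parsed dictionary
        """
        web_app_dict = {}
        web_app_dict['id'] = get_non_provider_id(raw_web_app.id)
        for attribute in ('name', 'kind', 'location', 'type'):
            web_app_dict[attribute] = getattr(raw_web_app, attribute)

        if raw_web_app.tags is not None:
            web_app_dict['tags'] = ["{}:{}".format(key, value) for key, value in raw_web_app.tags.items()]
        else:
            web_app_dict['tags'] = []
        web_app_dict['resource_group_name'] = get_resource_group_name(raw_web_app.id)

        # Attributes copied as-is under the same name.
        for attribute in ('state', 'host_names', 'repository_site_name', 'usage_state', 'enabled',
                          'https_only', 'enabled_host_names', 'availability_state',
                          'host_name_ssl_states', 'server_farm_id', 'reserved', 'is_xenon',
                          'hyper_v', 'last_modified_time_utc', 'site_config',
                          'traffic_manager_host_names', 'scm_site_also_stopped', 'target_swap_slot',
                          'hosting_environment_profile', 'client_affinity_enabled',
                          'client_cert_enabled', 'client_cert_exclusion_paths',
                          'host_names_disabled', 'container_size', 'daily_memory_time_quota',
                          'suspended_till', 'max_number_of_workers', 'cloning_info',
                          'resource_group', 'is_default_container', 'default_host_name',
                          'slot_swap_status', 'redundancy_mode', 'in_progress_operation_id',
                          'identity', 'additional_properties'):
            web_app_dict[attribute] = getattr(raw_web_app, attribute)

        # The address lists arrive as comma-separated strings; a missing value used to
        # raise AttributeError on .split() and abort parsing of the whole web app.
        for attribute in ('outbound_ip_addresses', 'possible_outbound_ip_addresses'):
            addresses = getattr(raw_web_app, attribute)
            web_app_dict[attribute] = addresses.split(',') if addresses is not None else []

        config = raw_web_app.config
        if config is not None:
            web_app_dict['minimum_tls_version_supported'] = config.min_tls_version
            web_app_dict['http_2_enabled'] = config.http20_enabled
            web_app_dict['http_logging_enabled'] = config.http_logging_enabled
            web_app_dict['ftp_deployment_enabled'] = config.ftps_state == 'AllAllowed'
            language, version = self._parse_runtime(config)
        else:
            web_app_dict['minimum_tls_version_supported'] = None
            web_app_dict['http_2_enabled'] = None
            # Unlike its neighbours this one defaults to False rather than None.
            web_app_dict['http_logging_enabled'] = False
            # Previously this key was absent when no configuration was available; None
            # marks it as unknown so consumers always find the key.
            web_app_dict['ftp_deployment_enabled'] = None
            language, version = None, None
        web_app_dict['programming_language'] = language
        web_app_dict['programming_language_version'] = version

        if raw_web_app.auth_settings is not None:
            web_app_dict['authentication_enabled'] = raw_web_app.auth_settings.enabled
        else:
            web_app_dict['authentication_enabled'] = None

        return web_app_dict['id'], web_app_dict

================================================
FILE: ScoutSuite/providers/azure/resources/base.py
================================================
"""This module provides implementations for Resources and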
CompositeResources for Azure."""

import abc

from ScoutSuite.providers.base.resources.base import Resources, CompositeResources


class AzureResources(Resources, metaclass=abc.ABCMeta):
    """This is the base class for Azure resources."""

    pass


class AzureCompositeResources(AzureResources, CompositeResources, metaclass=abc.ABCMeta):
    """This class represents a collection of composite Resources (resources that include nested resources referred as
    their children). Classes extending AzureCompositeResources have to define a '_children' attribute which consists of
    a list of tuples describing the children. The tuples are expected to respect the following format:
    (<child_class>, <child_name>). 'child_name' is used to indicate the name under which the child resources will be
    stored in the parent object.
    """

    pass

================================================
FILE: ScoutSuite/providers/azure/resources/keyvault/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/azure/resources/keyvault/base.py
================================================
from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions

from .vaults import Vaults


class KeyVaults(Subscriptions):
    """Key Vault resources; `Vaults` children are stored under 'vaults'."""

    _children = [
        (Vaults, 'vaults')
    ]

================================================
FILE: ScoutSuite/providers/azure/resources/keyvault/vaults.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.azure.utils import get_resource_group_name


class Vaults(AzureResources):
    """Key vaults of one subscription."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        for raw_vault in await self.facade.keyvault.get_key_vaults(self.subscription_id):
            id, vault =
self._parse_key_vault(raw_vault)
            self[id] = vault

    def _parse_key_vault(self, raw_vault):
        """
        Build the report entry for one key vault.

        'recovery_protection_enabled' is True only when both soft delete and purge
        protection are enabled on the vault.

        :param raw_vault: vault object exposing the attributes read below
        :return: tuple of the vault id and the parsed dictionary
        """
        tags = raw_vault.tags
        properties = raw_vault.properties
        vault = {
            'id': get_non_provider_id(raw_vault.id),
            'name': raw_vault.name,
            'type': raw_vault.type,
            'location': raw_vault.location,
            'additional_properties': raw_vault.additional_properties,
            'tags': ["{}:{}".format(key, value) for key, value in tags.items()] if tags is not None else [],
            'resource_group_name': get_resource_group_name(raw_vault.id),
            'properties': properties,
            'recovery_protection_enabled':
                bool(properties.enable_soft_delete) and bool(properties.enable_purge_protection),
            'public_access_allowed': self._is_public_access_allowed(raw_vault),
            'rbac_authorization_enabled': bool(properties.enable_rbac_authorization),
        }
        return vault['id'], vault

    def _is_public_access_allowed(self, raw_vault):
        """Return True when the vault has no network ACLs or their default action is 'Allow'.

        Only the default action is examined; individual allow rules inside the ACLs are
        not looked at here.
        """
        network_acls = raw_vault.properties.network_acls
        if network_acls is None:
            return True
        return network_acls.default_action == 'Allow'

================================================
FILE: ScoutSuite/providers/azure/resources/loggingmonitoring/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/azure/resources/loggingmonitoring/activity_log_alerts.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class ActivityLogAlerts(AzureResources):
    """Records, per subscription, whether activity log alerts exist for selected operations."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the subscription's activity log alerts and store the derived flags."""
        log_alerts = await self.facade.loggingmonitoring.get_activity_log_alerts(self.subscription_id)
        self[self.subscription_id] = self._parse_log_alerts(log_alerts)

    def _parse_log_alerts(self, log_alerts):
        """Map each result key to whether an alert exists for its operation name.

        :param log_alerts: iterable of activity log alert objects
        :return: dictionary of booleans, one per monitored operation
        """
        monitored_operations = (
            ('create_policy_assignment_exist', 'Microsoft.Authorization/policyAssignments/write'),
            ('create_update_NSG_exist', 'Microsoft.Network/networkSecurityGroups/write'),
            ('delete_NSG_exist', 'Microsoft.Network/networkSecurityGroups/delete'),
            ('create_update_NSG_rule_exist', 'Microsoft.Network/networkSecurityGroups/securityRules/write'),
            ('delete_NSG_rule_exist', 'Microsoft.Network/networkSecurityGroups/securityRules/delete'),
            ('create_update_security_solution_exist', 'Microsoft.Security/securitySolutions/write'),
            ('delete_security_solution_exist', 'Microsoft.Security/securitySolutions/delete'),
            # NOTE(review): despite the key name, only the firewall rule *write* operation
            # is looked for; no delete operation is checked. Confirm this is intended.
            ('create_delete_firewall_rule_exist', 'Microsoft.Sql/servers/firewallRules/write'),
        )
        return {key: self.ensure_alert_exist(log_alerts, operation) for key, operation in monitored_operations}

    def ensure_alert_exist(self, log_alerts, equals_value: str):
        """Return True when an enabled 'Global' alert scoped to this subscription matches.

        An alert matches when one of its ``all_of`` conditions has the field
        'operationName' equal to `equals_value`. The scope must be the subscription
        itself; the comparisons are exact (case-sensitive) string matches.

        :param log_alerts: iterable of activity log alert objects
        :param equals_value: operation name to look for
        """
        for alert in log_alerts:
            if not (alert.location == 'Global' and alert.enabled):
                continue
            if '/subscriptions/' + self.subscription_id not in alert.scopes:
                continue
            for clause in alert.condition.all_of:
                if clause.field == 'operationName' and clause.equals == equals_value:
                    return True
        return False

================================================
FILE: ScoutSuite/providers/azure/resources/loggingmonitoring/base.py
================================================
from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions

from .log_profiles import LogProfiles
from .diagnostic_settings import DiagnosticSettings
from .activity_log_alerts import ActivityLogAlerts
from .resources import Resources


class LoggingMonitoring(Subscriptions):
    _children = [
        (LogProfiles,
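'log_profiles'),
        (DiagnosticSettings, 'diagnostic_settings'),
        (ActivityLogAlerts, 'log_alerts'),
        (Resources, 'resources_logging')
    ]

================================================
FILE: ScoutSuite/providers/azure/resources/loggingmonitoring/diagnostic_resource_key_vault.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class DiagnosticResourceKeyVault(AzureResources):
    """Records whether audit event logging is enabled for one resource."""

    def __init__(self, facade: AzureFacade, resource_id: str, subscription_id: str):
        super().__init__(facade)
        self.resource_id = resource_id
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the resource's diagnostic settings and store the derived flag."""
        diagnostic_settings = await self.facade.loggingmonitoring.get_diagnostic_settings(self.subscription_id,
                                                                                          self.resource_id)
        self._parse_diagnostic_settings(diagnostic_settings)

    def _parse_diagnostic_settings(self, diagnostic_settings):
        """Store 'audit_event_enabled' on this object."""
        self.update({
            'audit_event_enabled': self.ensure_audit_event_enabled(diagnostic_settings)
        })

    def ensure_audit_event_enabled(self, diagnostic_settings):
        """Return True when an enabled 'AuditEvent' log with a retention above 0 days exists.

        Missing settings, logs or retention policies count as "not enabled" instead of
        raising, so an incomplete answer is reported as a gap rather than aborting.

        :param diagnostic_settings: iterable of diagnostic setting objects, or None
        """
        for diagnostic_setting in diagnostic_settings or []:
            for log in diagnostic_setting.logs or []:
                if log.category != 'AuditEvent' or not log.enabled:
                    continue
                retention_policy = log.retention_policy
                days = retention_policy.days if retention_policy is not None else None
                # NOTE(review): Azure documents a retention of 0 days as "retain
                # indefinitely"; such settings do not pass here - confirm this is wanted.
                if days is not None and days > 0:
                    return True
        return False

================================================
FILE: ScoutSuite/providers/azure/resources/loggingmonitoring/diagnostic_settings.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class DiagnosticSettings(AzureResources):
    """Records, per subscription, whether any subscription diagnostic setting exists."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Store 'diagnostic_exist' for the subscription."""
        settings = await self.facade.loggingmonitoring.get_subscription_diagnostic_settings(
            self.subscription_id)
        # The previous `!= []` comparison reported True for any non-list answer, including
        # None; truthiness keeps the result for lists and treats "no answer" as "no
        # diagnostic setting", so a failed lookup is surfaced instead of hidden.
        self[self.subscription_id] = {'diagnostic_exist': bool(settings)}

================================================
FILE: ScoutSuite/providers/azure/resources/loggingmonitoring/log_profiles.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id


class LogProfiles(AzureResources):
    """Log profiles of one subscription."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch every log profile of the subscription and store its parsed form."""
        for log_profile in await self.facade.loggingmonitoring.get_log_profiles(self.subscription_id):
            profile_id, parsed_profile = self._parse_log_profile(log_profile)
            self[profile_id] = parsed_profile

    def _parse_log_profile(self, log_profile):
        """
        Build the report entry for one log profile.

        :param log_profile: log profile object exposing the attributes read below
        :return: tuple of the profile id (derived from the lower-cased id) and the dictionary
        """
        log_profile_dict = {}
        log_profile_dict['id'] = get_non_provider_id(log_profile.id.lower())
        log_profile_dict['name'] = log_profile.name
        log_profile_dict['storage_account_id'] = log_profile.storage_account_id
        log_profile_dict['service_bus_rule_id'] = log_profile.service_bus_rule_id
        log_profile_dict['retention_policy_enabled'] = log_profile.retention_policy.enabled
        log_profile_dict['retention_policy_days'] = log_profile.retention_policy.days
        log_profile_dict['captures_all_activities'] = self.profile_captures_all_activities(log_profile)
        return log_profile_dict['id'], log_profile_dict

    def profile_captures_all_activities(self, log_profile):
        """Return True when the profile lists the 'Delete', 'Write' and 'Action' categories.

        A profile without categories returns False instead of raising TypeError.
        """
        categories = log_profile.categories or []
        return all(category in categories for category in ('Delete', 'Write', 'Action'))

================================================
FILE: ScoutSuite/providers/azure/resources/loggingmonitoring/resources.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureCompositeResources
from ScoutSuite.providers.utils import get_non_provider_id
from .diagnostic_resource_key_vault import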
DiagnosticResourceKeyVault


class Resources(AzureCompositeResources):
    # TODO this is commented out since DiagnositcResourceKeyVault.get_diagnostic_settings needs to be fixed
    # _children = [
    #     (DiagnosticResourceKeyVault, 'diagnostic_key_vault'),
    # ]

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the subscription's 'Microsoft.KeyVault/vaults' resources and store them."""
        raw_resources = await self.facade.resourcemanagement.get_specific_type_resources_with_filter(
            self.subscription_id, 'Microsoft.KeyVault/vaults')
        for raw_resource in raw_resources:
            resource_id, parsed_resource = self._parse_resource(raw_resource)
            self[resource_id] = parsed_resource

        # TODO this is commented out since DiagnositcResourceKeyVault.get_diagnostic_settings needs to be fixed
        # await self._fetch_children_of_all_resources(
        #     resources=self,
        #     scopes={resource_id: {'resource_id': resource['id'],
        #                           'subscription_id': self.subscription_id}
        #             for (resource_id, resource) in self.items()}
        # )
        # Until that is restored, no per-vault diagnostic (audit logging) data is
        # collected through this class.

    def _parse_resource(self, raw_resource):
        """Return (id, dictionary) for one resource; the id comes from the lower-cased raw id."""
        tags = raw_resource.tags
        resource = {
            'id': get_non_provider_id(raw_resource.id.lower()),
            'name': raw_resource.name,
            'tags': ["{}:{}".format(key, value) for key, value in tags.items()] if tags is not None else [],
        }
        return resource['id'], resource

================================================
FILE: ScoutSuite/providers/azure/resources/mysqldatabase/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/azure/resources/mysqldatabase/base.py
================================================
from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions

from .mysql_servers import MySQLServers


# This class reuses the name of the import above. Inside the class body the name still
# refers to the imported server collection, because the new class is bound to the name
# only after its body has run; afterwards the module-level name is this class.
class MySQLServers(Subscriptions):
    _children = [
        (MySQLServers, 'servers')
    ]

================================================
FILE: ScoutSuite/providers/azure/resources/mysqldatabase/mysql_servers.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureCompositeResources
from ScoutSuite.providers.azure.utils import get_resource_group_name
from ScoutSuite.providers.utils import get_non_provider_id


class MySQLServers(AzureCompositeResources):
    """MySQL servers of one subscription."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch every MySQL server of the subscription and store its parsed form."""
        for raw_server in await self.facade.mysqldatabase.get_servers(self.subscription_id):
            server_id, parsed_server = self._parse_server(raw_server)
            self[server_id] = parsed_server

    def _parse_server(self, raw_server):
        """Return (id, dictionary) for one server, including its 'ssl_enforcement' value."""
        tags = raw_server.tags
        server = {
            'id': get_non_provider_id(raw_server.id),
            'name': raw_server.name,
            'resource_group_name': get_resource_group_name(raw_server.id),
            'ssl_enforcement': raw_server.ssl_enforcement,
            'tags': ["{}:{}".format(key, value) for key, value in tags.items()] if tags is not None else [],
        }
        return server['id'], server

================================================
FILE: ScoutSuite/providers/azure/resources/network/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/azure/resources/network/application_security_groups.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.azure.utils import get_resource_group_name


class ApplicationSecurityGroups(AzureResources):
    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        for raw_group in await self.facade.network.get_application_security_groups(self.subscription_id):
            id, application_security_group =
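self._parse_application_security_group(raw_group)
            self[id] = application_security_group

    def _parse_application_security_group(self, raw_application_security_group):
        """
        Build the report entry for one application security group.

        :param raw_application_security_group: group object exposing the attributes read below
        :return: tuple of the group id and the parsed dictionary
        """
        tags = raw_application_security_group.tags
        application_security_group_dict = {
            'id': get_non_provider_id(raw_application_security_group.id),
            'name': raw_application_security_group.name,
            'type': raw_application_security_group.type,
            'location': raw_application_security_group.location,
            'tags': ["{}:{}".format(key, value) for key, value in tags.items()] if tags is not None else [],
            'resource_group_name': get_resource_group_name(raw_application_security_group.id),
            'resource_guid': raw_application_security_group.resource_guid,
            'provisioning_state': raw_application_security_group.provisioning_state,
            'etag': raw_application_security_group.etag,
            'network_interfaces': [],  # this is filled in the base class
        }
        return application_security_group_dict['id'], application_security_group_dict

================================================
FILE: ScoutSuite/providers/azure/resources/network/base.py
================================================
from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions

from .application_security_groups import ApplicationSecurityGroups
from .network_interfaces import NetworkInterfaces
from .security_groups import SecurityGroups
from .virtual_networks import VirtualNetworks
from .watchers import Watchers


class Networks(Subscriptions):
    """Network resources of every subscription, cross-referenced in `finalize()`."""

    _children = [
        (VirtualNetworks, 'virtual_networks'),
        (SecurityGroups, 'security_groups'),
        (ApplicationSecurityGroups, 'application_security_groups'),
        (NetworkInterfaces, 'network_interfaces'),
        (Watchers, 'watchers')
    ]

    async def finalize(self):
        """Link subnets, security groups, interfaces and application security groups."""
        await self._match_subnets_and_security_groups()
        await self._match_subnets_and_network_interfaces()
        await self._match_asgs_and_network_interfaces()

    async def _match_subnets_and_security_groups(self):
        """
        Goes through each security groups' subnets and adds the ID of the subnet's virtual network.
        This is useful in the partials as both the subnet and its network's IDs are needed to build the path.
        """
        for subscription_id in self['subscriptions']:
            subscription = self['subscriptions'][subscription_id]
            for security_group_id in subscription['security_groups']:
                group_subnets = subscription['security_groups'][security_group_id]['subnets']
                for subnet_id in group_subnets:
                    for network_id in subscription['virtual_networks']:
                        network = subscription['virtual_networks'][network_id]
                        # Membership replaces the former innermost comparison loop.
                        if subnet_id in network.get('subnets', []):
                            group_subnets[subnet_id]['virtual_network_id'] = network_id

    async def _match_subnets_and_network_interfaces(self):
        """
        Goes through each network interface and, for the virtual network subnet it is placed in, records the
        virtual network ID on the interface and adds the interface's virtual machine to the subnet's 'instances'.

        Every subnet gets an 'instances' list as soon as at least one interface exists in the subscription.
        """
        for subscription_id in self['subscriptions']:
            subscription = self['subscriptions'][subscription_id]
            for interface_id in subscription['network_interfaces']:
                interface = subscription['network_interfaces'][interface_id]
                interface_subnet = interface['ip_configuration']['subnet']
                interface_subnet_id = interface_subnet['id']
                for network_id in subscription['virtual_networks']:
                    network = subscription['virtual_networks'][network_id]
                    for subnet_id in network.get('subnets', []):
                        subnet = network['subnets'][subnet_id]
                        if 'instances' not in subnet:
                            subnet['instances'] = []
                        if interface_subnet_id == subnet_id:
                            interface_subnet['virtual_network_id'] = network_id
                            # NOTE(review): 'virtual_machine' is None for an interface that
                            # is not attached to a VM, so None can end up in this list.
                            subnet['instances'].append(interface['virtual_machine'])

    async def _match_asgs_and_network_interfaces(self):
        """
        Goes through each network interface and adds it to the application security groups it references.

        A referenced group that was not collected for the subscription is skipped; it used to raise KeyError
        and abort `finalize()` for all network resources.
        """
        for subscription_id in self['subscriptions']:
            subscription = self['subscriptions'][subscription_id]
            for interface_id in subscription['network_interfaces']:
                interface = subscription['network_interfaces'][interface_id]
                for asg_id in interface['ip_configuration']['application_security_groups']:
                    known_groups = subscription['application_security_groups']
                    if asg_id in known_groups:
                        known_groups[asg_id]['network_interfaces'].append(interface_id)

================================================
FILE: ScoutSuite/providers/azure/resources/network/network_interfaces.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.azure.utils import get_resource_group_name


class NetworkInterfaces(AzureResources):
    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        for raw_network_interface in await self.facade.network.get_network_interfaces(self.subscription_id):
            id, network_interface = self._parse_network_interface(raw_network_interface)
            self[id] = network_interface

    def _parse_network_interface(self, raw_network_interface):
        network_interface_dict = {}
        network_interface_dict['id'] = get_non_provider_id(raw_network_interface.id)
        network_interface_dict['enable_accelerated_networking'] = raw_network_interface.enable_accelerated_networking
        network_interface_dict['virtual_machine'] = \
            get_non_provider_id(raw_network_interface.virtual_machine.id.lower()) if \
            raw_network_interface.virtual_machine else None
        network_interface_dict['name'] = raw_network_interface.name
        if raw_network_interface.tags is not None:
            network_interface_dict['tags'] = ["{}:{}".format(key, value) for key, value in raw_network_interface.tags.items()]
        else:
            network_interface_dict['tags'] = []
        network_interface_dict['resource_group_name'] =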
get_resource_group_name(raw_network_interface.id) network_interface_dict['interface_endpoint'] = raw_network_interface.interface_endpoint if \ hasattr(raw_network_interface, 'interface_endpoint') else None network_interface_dict['primary'] = raw_network_interface.primary network_interface_dict['etag'] = raw_network_interface.etag network_interface_dict['additional_properties'] = raw_network_interface.additional_properties network_interface_dict['location'] = raw_network_interface.location network_interface_dict['mac_address'] = raw_network_interface.mac_address network_interface_dict['provisioning_state'] = raw_network_interface.provisioning_state network_interface_dict['resource_guid'] = raw_network_interface.resource_guid network_interface_dict['enable_ip_forwarding'] = raw_network_interface.enable_ip_forwarding network_interface_dict['type'] = raw_network_interface.type network_interface_dict['network_security_group'] = \ get_non_provider_id(raw_network_interface.network_security_group.id) if \ raw_network_interface.network_security_group else None # TODO process and display the below network_interface_dict['hosted_workloads'] = raw_network_interface.hosted_workloads network_interface_dict['tap_configurations'] = raw_network_interface.tap_configurations network_interface_dict['dns_settings'] = raw_network_interface.dns_settings ip_configuration = raw_network_interface.ip_configurations[0] # TODO is this always an array of 1? 
network_interface_dict['ip_configuration'] = {} network_interface_dict['ip_configuration']['id'] = ip_configuration.id network_interface_dict['ip_configuration']['additional_properties'] = ip_configuration.additional_properties network_interface_dict['ip_configuration']['virtual_network_taps'] = ip_configuration.virtual_network_taps network_interface_dict['ip_configuration'][ 'application_gateway_backend_address_pools'] = ip_configuration.application_gateway_backend_address_pools network_interface_dict['ip_configuration'][ 'load_balancer_backend_address_pools'] = ip_configuration.load_balancer_backend_address_pools network_interface_dict['ip_configuration'][ 'load_balancer_inbound_nat_rules'] = ip_configuration.load_balancer_inbound_nat_rules network_interface_dict['ip_configuration']['private_ip_address'] = ip_configuration.private_ip_address network_interface_dict['ip_configuration'][ 'private_ip_allocation_method'] = ip_configuration.private_ip_allocation_method network_interface_dict['ip_configuration'][ 'private_ip_address_version'] = ip_configuration.private_ip_address_version network_interface_dict['ip_configuration']['subnet'] = {'id': get_non_provider_id(ip_configuration.subnet.id)} network_interface_dict['ip_configuration']['primary'] = ip_configuration.primary network_interface_dict['ip_configuration']['public_ip_address'] = ip_configuration.public_ip_address network_interface_dict['ip_configuration']['provisioning_state'] = ip_configuration.provisioning_state network_interface_dict['ip_configuration']['name'] = ip_configuration.name network_interface_dict['ip_configuration']['etag'] = ip_configuration.etag network_interface_dict['ip_configuration']['application_security_groups'] = [] if ip_configuration.application_security_groups: for asg in ip_configuration.application_security_groups: network_interface_dict['ip_configuration']['application_security_groups'].append( get_non_provider_id(asg.id)) # FIXME this is currently always None, might change in 
the future? # network_interface_dict['ip_configuration']['subnet_security_group'] = ip_configuration.subnet.network_security_group return network_interface_dict['id'], network_interface_dict ================================================ FILE: ScoutSuite/providers/azure/resources/network/security_groups.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources from ScoutSuite.providers.utils import get_non_provider_id from ScoutSuite.providers.azure.utils import get_resource_group_name class SecurityGroups(AzureResources): def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_group in await self.facade.network.get_network_security_groups(self.subscription_id): id, network_security_group = self._parse_network_security_group(raw_group) self[id] = network_security_group def _parse_network_security_group(self, network_security_group): network_security_group_dict = {} network_security_group_dict['id'] = get_non_provider_id(network_security_group.id) network_security_group_dict['name'] = network_security_group.name network_security_group_dict['location'] = network_security_group.location network_security_group_dict['provisioning_state'] = network_security_group.provisioning_state network_security_group_dict['resource_guid'] = network_security_group.resource_guid network_security_group_dict['type'] = network_security_group.type network_security_group_dict['etag'] = network_security_group.etag if network_security_group.tags is not None: network_security_group_dict['tags'] = ["{}:{}".format(key, value) for key, value in network_security_group.tags.items()] else: network_security_group_dict['tags'] = [] network_security_group_dict['resource_group_name'] = get_resource_group_name(network_security_group.id) 
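network_security_group_dict['additional_properties'] = network_security_group.additional_properties
        network_security_group_dict['security_rules'] = self._parse_security_rules(network_security_group)
        network_security_group_dict['subnets'] = {}
        if network_security_group.subnets:
            for subnet in network_security_group.subnets:
                identifier = get_non_provider_id(subnet.id)
                network_security_group_dict['subnets'][identifier] = {'id': identifier}
        network_security_group_dict['network_interfaces'] = {}
        if network_security_group.network_interfaces:
            for network_interface in network_security_group.network_interfaces:
                identifier = get_non_provider_id(network_interface.id)
                network_security_group_dict['network_interfaces'][identifier] = {'id': identifier}
        return network_security_group_dict['id'], network_security_group_dict

    def _parse_security_rules(self, network_security_group):
        """
        Parse the custom and the default rules of a network security group.

        :param network_security_group: group object exposing `security_rules` and
                                       `default_security_rules` (a missing list is treated as empty)
        :return: dictionary of parsed rules keyed by rule id
        """
        security_rules = {}
        # custom rules
        for sr in network_security_group.security_rules or []:
            security_rule_id, security_rule_dict = self._parse_security_rule(sr)
            security_rules[security_rule_id] = security_rule_dict
        # default rules
        for sr in network_security_group.default_security_rules or []:
            security_rule_id, security_rule_dict = self._parse_security_rule(sr, default=True)
            security_rules[security_rule_id] = security_rule_dict
        return security_rules

    def _parse_security_rule(self, rule, default=False):
        """
        Build the report entry for one security rule.

        The singular and plural forms of each prefix/port attribute are merged into one
        value. A port list containing '*' is expanded to ['0-65535'] in 'source_ports' and
        'destination_ports'.

        Limitations visible in this method:
        - when the rule has no source address prefixes list but uses source application
          security groups, only the FIRST group is recorded, and 'source_address_prefixes'
          is then that group's id as a string rather than a list;
        - destination application security groups are not read at all, so such a rule is
          reported with whatever the destination prefix attributes hold.

        :param rule: rule object exposing the attributes read below
        :param default: True when the rule is one of the group's default rules
        :return: tuple of the rule id and the parsed dictionary
        """
        source_asgs = rule.source_application_security_groups
        if rule.source_address_prefixes:
            source_prefixes = rule.source_address_prefixes
        elif source_asgs:
            source_prefixes = get_non_provider_id(source_asgs[0].id)
        else:
            source_prefixes = None

        security_rule_dict = {}
        security_rule_dict['id'] = rule.id
        security_rule_dict['name'] = rule.name
        security_rule_dict['allow'] = rule.access == "Allow"
        security_rule_dict['priority'] = rule.priority
        security_rule_dict['description'] = rule.description
        security_rule_dict['provisioning_state'] = rule.provisioning_state
        security_rule_dict['protocol'] = rule.protocol
        security_rule_dict['direction'] = rule.direction

        security_rule_dict['source_address_prefixes'] = \
            self._merge_prefixes_or_ports(rule.source_address_prefix, source_prefixes)
        # this is required for the HTML partial to interpret the source as an ASG
        security_rule_dict['source_address_prefixes_is_asg'] = bool(source_asgs)

        source_port_ranges = self._merge_prefixes_or_ports(rule.source_port_range, rule.source_port_ranges)
        security_rule_dict['source_port_ranges'] = source_port_ranges
        security_rule_dict['source_ports'] = ['0-65535'] if '*' in source_port_ranges else source_port_ranges

        security_rule_dict['destination_address_prefixes'] = \
            self._merge_prefixes_or_ports(rule.destination_address_prefix, rule.destination_address_prefixes)

        destination_port_ranges = self._merge_prefixes_or_ports(rule.destination_port_range,
                                                                rule.destination_port_ranges)
        security_rule_dict['destination_port_ranges'] = destination_port_ranges
        security_rule_dict['destination_ports'] = \
            ['0-65535'] if '*' in destination_port_ranges else destination_port_ranges

        security_rule_dict['etag'] = rule.etag
        security_rule_dict['default'] = default
        return security_rule_dict['id'], security_rule_dict

    def _merge_prefixes_or_ports(self, port_range, port_ranges):
        """
        Combine the singular and the plural form of a prefix or port attribute.

        The caller's list is never modified: the previous version appended `port_range`
        to the list object owned by the rule, so parsing a rule altered the raw object.

        :param port_range: single value, or a falsy value when unset
        :param port_ranges: list of values, a single string, or a falsy value when unset
        :return: `port_ranges` itself (or []) when `port_range` is unset, otherwise a new
                 list holding the existing values followed by `port_range`
        """
        if not port_range:
            return port_ranges if port_ranges else []
        if not port_ranges:
            return [port_range]
        if isinstance(port_ranges, str):
            # A lone string (the ASG id passed by _parse_security_rule) has no append();
            # keep it as one entry instead of failing.
            return [port_ranges, port_range]
        return [*port_ranges, port_range]

================================================
FILE: ScoutSuite/providers/azure/resources/network/virtual_networks.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.azure.utils import get_resource_group_name


class VirtualNetworks(AzureResources):
    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def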
fetch_all(self): for raw_virtual_network in await self.facade.network.get_virtual_networks(self.subscription_id): id, virtual_network = self._parse_virtual_network(raw_virtual_network) self[id] = virtual_network def _parse_virtual_network(self, raw_virtual_network): virtual_network_dict = {} virtual_network_dict['id'] = get_non_provider_id(raw_virtual_network.id) virtual_network_dict['name'] = raw_virtual_network.name virtual_network_dict['enable_vm_protection'] = raw_virtual_network.enable_vm_protection virtual_network_dict['etag'] = str(raw_virtual_network.etag) if raw_virtual_network.tags is not None: virtual_network_dict['tags'] = ["{}:{}".format(key, value) for key, value in raw_virtual_network.tags.items()] else: virtual_network_dict['tags'] = [] virtual_network_dict['resource_group_name'] = get_resource_group_name(raw_virtual_network.id) virtual_network_dict['virtual_network_peerings'] = raw_virtual_network.virtual_network_peerings virtual_network_dict['enable_ddos_protection'] = raw_virtual_network.enable_ddos_protection virtual_network_dict['resource_guid'] = raw_virtual_network.resource_guid virtual_network_dict['provisioning_state'] = raw_virtual_network.provisioning_state virtual_network_dict['address_space'] = raw_virtual_network.address_space virtual_network_dict['ddos_protection_plan'] = raw_virtual_network.ddos_protection_plan virtual_network_dict['additional_properties'] = list(raw_virtual_network.additional_properties) virtual_network_dict['location'] = raw_virtual_network.location virtual_network_dict['type'] = raw_virtual_network.type virtual_network_dict['dhcp_options'] = raw_virtual_network.dhcp_options virtual_network_dict['subnets'] = {} virtual_network_dict['subnets_count'] = 0 for raw_subnet in raw_virtual_network.subnets: subnet_dict = {} subnet_dict['id'] = get_non_provider_id(raw_subnet.id) subnet_dict['name'] = raw_subnet.name subnet_dict['service_association_links'] = raw_subnet.service_association_links 
subnet_dict['resource_navigation_links'] = raw_subnet.resource_navigation_links subnet_dict['service_endpoint_policies'] = raw_subnet.service_endpoint_policies subnet_dict['interface_endpoints'] = raw_subnet.interface_endpoints if \ hasattr(raw_subnet, 'interface_endpoints') else None subnet_dict['purpose'] = raw_subnet.purpose subnet_dict['address_prefix'] = raw_subnet.address_prefix subnet_dict['provisioning_state'] = raw_subnet.provisioning_state subnet_dict['etag'] = str(raw_subnet.etag) subnet_dict['additional_properties'] = raw_subnet.additional_properties subnet_dict['route_table'] = raw_subnet.route_table subnet_dict['delegations'] = raw_subnet.delegations subnet_dict['service_endpoints'] = raw_subnet.service_endpoints subnet_dict['ip_configuration_profiles'] = raw_subnet.ip_configuration_profiles subnet_dict['ip_configurations'] = raw_subnet.ip_configurations subnet_dict['address_prefixes'] = raw_subnet.address_prefixes if raw_subnet.network_security_group: subnet_dict['network_security_group'] = get_non_provider_id(raw_subnet.network_security_group.id) else: subnet_dict['network_security_group'] = None virtual_network_dict['subnets_count'] += 1 virtual_network_dict['subnets'][subnet_dict['id']] = subnet_dict return virtual_network_dict['id'], virtual_network_dict ================================================ FILE: ScoutSuite/providers/azure/resources/network/watchers.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources from ScoutSuite.providers.utils import get_non_provider_id from ScoutSuite.providers.azure.utils import get_resource_group_name class Watchers(AzureResources): def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_watcher in await self.facade.network.get_network_watchers(self.subscription_id): id, 
network_watcher = self._parse_network_watcher(raw_watcher) self[id] = network_watcher def _parse_network_watcher(self, raw_watcher): watcher_dict = {} watcher_dict['id'] = get_non_provider_id(raw_watcher.id) watcher_dict['name'] = raw_watcher.name watcher_dict['type'] = raw_watcher.type watcher_dict['location'] = raw_watcher.location if raw_watcher.tags is not None: watcher_dict['tags'] = ["{}:{}".format(key, value) for key, value in raw_watcher.tags.items()] else: watcher_dict['tags'] = [] watcher_dict['resource_group_name'] = get_resource_group_name(raw_watcher.id) watcher_dict['etag'] = raw_watcher.etag watcher_dict['additional_properties'] = raw_watcher.additional_properties watcher_dict['provisioning_state'] = raw_watcher.provisioning_state return watcher_dict['id'], watcher_dict ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/base.py ================================================ from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions from .postgresql_servers import PostgreSQLServers class PostgreSQLServers(Subscriptions): _children = [ (PostgreSQLServers, 'servers') ] ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/configuration_connection_throttling.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class ConfigurationConnectionThrottling(AzureResources): def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str): super().__init__(facade) self.resource_group_name = resource_group_name self.server_name = server_name self.subscription_id = subscription_id async def 
fetch_all(self): configuration = await self.facade.postgresqldatabase.get_config(self.resource_group_name, self.server_name, self.subscription_id, 'connection_throttling') self._parse_configuration(configuration) def _parse_configuration(self, configuration): self.update({ 'value': configuration.value }) ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/configuration_log_checkpoints.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class ConfigurationLogCheckpoints(AzureResources): def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str): super().__init__(facade) self.resource_group_name = resource_group_name self.server_name = server_name self.subscription_id = subscription_id async def fetch_all(self): configuration = await self.facade.postgresqldatabase.get_config(self.resource_group_name, self.server_name, self.subscription_id, 'log_checkpoints') self._parse_configuration(configuration) def _parse_configuration(self, configuration): self.update({ 'value': configuration.value }) ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/configuration_log_connections.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class ConfigurationLogConnections(AzureResources): def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str): super().__init__(facade) self.resource_group_name = resource_group_name self.server_name = server_name self.subscription_id = subscription_id async def fetch_all(self): configuration = await self.facade.postgresqldatabase.get_config(self.resource_group_name, 
self.server_name, self.subscription_id, 'log_connections') self._parse_configuration(configuration) def _parse_configuration(self, configuration): self.update({ 'value': configuration.value }) ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/configuration_log_disconnections.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class ConfigurationLogDisconnections(AzureResources): def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str): super().__init__(facade) self.resource_group_name = resource_group_name self.server_name = server_name self.subscription_id = subscription_id async def fetch_all(self): configuration = await self.facade.postgresqldatabase.get_config(self.resource_group_name, self.server_name, self.subscription_id, 'log_disconnections') self._parse_configuration(configuration) def _parse_configuration(self, configuration): self.update({ 'value': configuration.value }) ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/configuration_log_duration.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class ConfigurationLogDuration(AzureResources): def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str): super().__init__(facade) self.resource_group_name = resource_group_name self.server_name = server_name self.subscription_id = subscription_id async def fetch_all(self): configuration = await self.facade.postgresqldatabase.get_config(self.resource_group_name, self.server_name, self.subscription_id, 'log_duration') self._parse_configuration(configuration) def 
_parse_configuration(self, configuration): self.update({ 'value': configuration.value }) ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/configuration_log_retention_days.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class ConfigurationLogRetentionDays(AzureResources): def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str): super().__init__(facade) self.resource_group_name = resource_group_name self.server_name = server_name self.subscription_id = subscription_id async def fetch_all(self): configuration = await self.facade.postgresqldatabase.get_config(self.resource_group_name, self.server_name, self.subscription_id, 'log_retention_days') self._parse_configuration(configuration) def _parse_configuration(self, configuration): self.update({ 'value': configuration.value }) ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/posgresql_firewall_rules.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources from ScoutSuite.providers.utils import get_non_provider_id class PostgreSQLFirewallRules(AzureResources): def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str): super().__init__(facade) self.resource_group_name = resource_group_name self.server_name = server_name self.subscription_id = subscription_id async def fetch_all(self): for firewall_rule in await self.facade.postgresqldatabase.get_firewall_rules(self.resource_group_name, self.server_name, self.subscription_id): id, firewall_rules = self._parse_firewall_rules(firewall_rule) self[id] = firewall_rules def _parse_firewall_rules(self, 
firewall_rule): firewall_rules_dict = {} firewall_rules_dict['id'] = get_non_provider_id(firewall_rule.id.lower()) firewall_rules_dict['name'] = firewall_rule.name firewall_rules_dict['start_ip'] = firewall_rule.start_ip_address firewall_rules_dict['end_ip'] = firewall_rule.end_ip_address return firewall_rules_dict['id'], firewall_rules_dict ================================================ FILE: ScoutSuite/providers/azure/resources/postgresqldatabase/postgresql_servers.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureCompositeResources from ScoutSuite.providers.azure.utils import get_resource_group_name from ScoutSuite.providers.utils import get_non_provider_id from .configuration_connection_throttling import ConfigurationConnectionThrottling from .configuration_log_checkpoints import ConfigurationLogCheckpoints from .configuration_log_connections import ConfigurationLogConnections from .configuration_log_disconnections import ConfigurationLogDisconnections from .configuration_log_duration import ConfigurationLogDuration from .configuration_log_retention_days import ConfigurationLogRetentionDays from .posgresql_firewall_rules import PostgreSQLFirewallRules class PostgreSQLServers(AzureCompositeResources): _children = [ (ConfigurationLogCheckpoints, 'log_checkpoints'), (ConfigurationLogConnections, 'log_connections'), (ConfigurationLogDisconnections, 'log_disconnections'), (ConfigurationLogDuration, 'log_duration'), (ConfigurationConnectionThrottling, 'connection_throttling'), (ConfigurationLogRetentionDays, 'log_retention_days'), (PostgreSQLFirewallRules, 'postgresql_firewall_rules'), (ConfigurationLogRetentionDays, 'log_retention_days') ] def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_server in await 
self.facade.postgresqldatabase.get_servers(self.subscription_id): id, server = self._parse_server(raw_server) self[id] = server await self._fetch_children_of_all_resources( resources=self, scopes={server_id: {'resource_group_name': server['resource_group_name'], 'server_name': server['name'], 'subscription_id': self.subscription_id} for (server_id, server) in self.items()} ) def _parse_server(self, raw_server): server = {} server['id'] = get_non_provider_id(raw_server.id) server['name'] = raw_server.name server['resource_group_name'] = get_resource_group_name(raw_server.id) server['ssl_enforcement'] = raw_server.ssl_enforcement if raw_server.tags is not None: server['tags'] = ["{}:{}".format(key, value) for key, value in raw_server.tags.items()] else: server['tags'] = [] return server['id'], server ================================================ FILE: ScoutSuite/providers/azure/resources/rbac/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/azure/resources/rbac/base.py ================================================ from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions from .role_assignments import RoleAssignments from .roles import Roles from .custom_roles_report import CustomRolesReport class RBAC(Subscriptions): _children = [ (Roles, 'roles'), (RoleAssignments, 'role_assignments'), (CustomRolesReport, 'custom_roles_report'), ] def get_user_id_list(self): """ Generates and returns a unique list of user IDs which have a role assigned. 
""" user_set = set() for subscription in self['subscriptions'].values(): for role_assignment in subscription['role_assignments'].values(): if role_assignment['principal_type'] == 'User': user_set.add(role_assignment['principal_id']) return list(user_set) ================================================ FILE: ScoutSuite/providers/azure/resources/rbac/custom_roles_report.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class CustomRolesReport(AzureResources): def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): custom_role_dict = {} custom_role_dict['id'] = self.subscription_id custom_role_dict['missing_custom_role_administering_resource_locks'] = True for raw_role in await self.facade.rbac.get_roles(self.subscription_id): if raw_role.role_name == 'Resource Lock Administrator': custom_role_dict['missing_custom_role_administering_resource_locks'] = False self[custom_role_dict['id']] = custom_role_dict ================================================ FILE: ScoutSuite/providers/azure/resources/rbac/role_assignments.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class RoleAssignments(AzureResources): def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_role_assignment in await self.facade.rbac.get_role_assignments(self.subscription_id): id, role_assignment = self._parse_role_assignment(raw_role_assignment) self[id] = role_assignment def _parse_role_assignment(self, raw_role_assignment): role_assignment_dict = {} role_assignment_dict['id'] = raw_role_assignment.name role_assignment_dict['name'] = 
raw_role_assignment.name role_assignment_dict['role_definition_id'] = raw_role_assignment.role_definition_id role_assignment_dict['type'] = raw_role_assignment.type role_assignment_dict['scope'] = raw_role_assignment.scope role_assignment_dict['principal_id'] = raw_role_assignment.principal_id role_assignment_dict['principal_type'] = raw_role_assignment.principal_type role_assignment_dict['can_delegate'] = "None" role_assignment_dict['additional_properties'] = raw_role_assignment.additional_properties return role_assignment_dict['id'], role_assignment_dict ================================================ FILE: ScoutSuite/providers/azure/resources/rbac/roles.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class Roles(AzureResources): def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_role in await self.facade.rbac.get_roles(self.subscription_id): id, role = self._parse_role(raw_role) self[id] = role def _parse_role(self, raw_role): role_dict = {} role_dict['id'] = raw_role.name role_dict['name'] = raw_role.role_name role_dict['type'] = raw_role.type role_dict['description'] = raw_role.description role_dict['role_type'] = raw_role.role_type role_dict['permissions'] = raw_role.permissions role_dict['assignable_scopes'] = raw_role.assignable_scopes role_dict['additional_properties'] = raw_role.additional_properties role_dict['assignments_count'] = 0 role_dict['custom_subscription_owner_role'] = self._no_custom_subscription_owner_role_allowed(raw_role) role_dict['assignments'] = {'users': [], 'groups': [], 'service_principals': []} # this will be filled in `finalize()` return role_dict['id'], role_dict def _no_custom_subscription_owner_role_allowed(self, role): if role.role_type =="CustomRole": for assignable_scope in 
role.assignable_scopes: if "subscriptions" in assignable_scope or assignable_scope == "/": for permission in role.permissions: for action in permission.actions: if "*" in action: return True return False ================================================ FILE: ScoutSuite/providers/azure/resources/securitycenter/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/azure/resources/securitycenter/alerts.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources from ScoutSuite.providers.utils import get_non_provider_id class Alerts(AzureResources): def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_alert in await self.facade.securitycenter.get_alerts(self.subscription_id): id, alert = self._parse_alert(raw_alert) self[id] = alert def _parse_alert(self, alert): alert_dict = {} alert_dict['id'] = get_non_provider_id(alert.id) alert_dict['name'] = alert.name return alert_dict['id'], alert_dict ================================================ FILE: ScoutSuite/providers/azure/resources/securitycenter/auto_provisioning_settings.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources from ScoutSuite.providers.utils import get_non_provider_id class AutoProvisioningSettings(AzureResources): def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_settings in await self.facade.securitycenter.get_auto_provisioning_settings(self.subscription_id): id, auto_provisioning_settings = self._parse_auto_provisioning_settings( raw_settings) 
self[id] = auto_provisioning_settings def _parse_auto_provisioning_settings(self, auto_provisioning_settings): auto_provisioning_setting_dict = {} auto_provisioning_setting_dict['id'] = get_non_provider_id(auto_provisioning_settings.id) auto_provisioning_setting_dict['name'] = auto_provisioning_settings.name auto_provisioning_setting_dict['auto_provision'] = auto_provisioning_settings.auto_provision return auto_provisioning_setting_dict['id'], auto_provisioning_setting_dict ================================================ FILE: ScoutSuite/providers/azure/resources/securitycenter/base.py ================================================ from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions from .auto_provisioning_settings import AutoProvisioningSettings from .pricings import Pricings # from .alerts import Alerts from .security_contacts import SecurityContacts # from .information_protection_policies import InformationProtectionPolicies from .settings import Settings from .compliance_results import ComplianceResults from .regulatory_compliance_results import RegulatoryComplianceResults class SecurityCenter(Subscriptions): _children = [ (AutoProvisioningSettings, 'auto_provisioning_settings'), (Pricings, 'pricings'), # (Alerts, 'alerts'), # FIXME this needs to be tested with alert results... 
(SecurityContacts, 'security_contacts'), # (InformationProtectionPolicies, 'information_protection_policies'), # FIXME this isn't properly implemented (Settings, 'settings'), (ComplianceResults, 'compliance_results'), (RegulatoryComplianceResults, 'regulatory_compliance_results') ] ================================================ FILE: ScoutSuite/providers/azure/resources/securitycenter/compliance_results.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources from ScoutSuite.providers.utils import get_non_provider_id class ComplianceResults(AzureResources): def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_compliance_result in await self.facade.securitycenter.get_compliance_results(self.subscription_id): id, compliance_result = self._parse_compliance_result(raw_compliance_result) self[id] = compliance_result def _parse_compliance_result(self, raw_compliance_result): compliance_result_dict = {} compliance_result_dict['id'] = get_non_provider_id(raw_compliance_result.id) compliance_result_dict['name'] = raw_compliance_result.name compliance_result_dict['type'] = raw_compliance_result.type compliance_result_dict['resource_status'] = raw_compliance_result.resource_status compliance_result_dict['additional_properties'] = raw_compliance_result.additional_properties return compliance_result_dict['id'], compliance_result_dict ================================================ FILE: ScoutSuite/providers/azure/resources/securitycenter/information_protection_policies.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources class InformationProtectionPolicies(AzureResources): def __init__(self, facade: AzureFacade, 
subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_information_policies in await self.facade.securitycenter.get_information_protection_policies( self.subscription_id): id, information_protection_policies = self._parse_information_protection_policies( raw_information_policies) self[id] = information_protection_policies def _parse_information_protection_policies(self, auto_provisioning_settings): information_protection_policies_dict = {} return information_protection_policies_dict['id'], information_protection_policies_dict ================================================ FILE: ScoutSuite/providers/azure/resources/securitycenter/pricings.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources from ScoutSuite.providers.utils import get_non_provider_id class Pricings(AzureResources): def __init__(self, facade: AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_pricing in await self.facade.securitycenter.get_pricings(self.subscription_id): id, pricing = self._parse_pricing(raw_pricing) self[id] = pricing def _parse_pricing(self, pricing): pricing_dict = {} pricing_dict['id'] = get_non_provider_id(pricing.id) pricing_dict['name'] = pricing.name pricing_dict['pricing_tier'] = pricing.pricing_tier return pricing_dict['id'], pricing_dict ================================================ FILE: ScoutSuite/providers/azure/resources/securitycenter/regulatory_compliance_results.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.base import AzureResources from ScoutSuite.providers.utils import get_non_provider_id class RegulatoryComplianceResults(AzureResources): def __init__(self, facade: 
AzureFacade, subscription_id: str): super().__init__(facade) self.subscription_id = subscription_id async def fetch_all(self): for raw_regulatory_compliance_result in await \ self.facade.securitycenter.get_regulatory_compliance_results(self.subscription_id): id, regulatory_compliance_result = \ self._parse_regulatory_compliance_result(raw_regulatory_compliance_result) self[id] = regulatory_compliance_result def _parse_regulatory_compliance_result(self, raw_regulatory_compliance_result): regulatory_compliance_result_dict = {} regulatory_compliance_result_dict['id'] = get_non_provider_id(raw_regulatory_compliance_result.id) regulatory_compliance_result_dict['name'] = '{} {}'.format(raw_regulatory_compliance_result.standard_name, raw_regulatory_compliance_result.name) regulatory_compliance_result_dict['reference'] = raw_regulatory_compliance_result.name regulatory_compliance_result_dict['standard_name'] = raw_regulatory_compliance_result.standard_name regulatory_compliance_result_dict['type'] = raw_regulatory_compliance_result.type regulatory_compliance_result_dict['description'] = raw_regulatory_compliance_result.description regulatory_compliance_result_dict['state'] = raw_regulatory_compliance_result.state regulatory_compliance_result_dict['passed_assessments'] = raw_regulatory_compliance_result.passed_assessments regulatory_compliance_result_dict['failed_assessments'] = raw_regulatory_compliance_result.failed_assessments regulatory_compliance_result_dict['skipped_assessments'] = raw_regulatory_compliance_result.skipped_assessments regulatory_compliance_result_dict['additional_properties'] = \ raw_regulatory_compliance_result.additional_properties return regulatory_compliance_result_dict['id'], regulatory_compliance_result_dict ================================================ FILE: ScoutSuite/providers/azure/resources/securitycenter/security_contacts.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade 
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id


class SecurityContacts(AzureResources):
    """Security Center contacts of one subscription, keyed by parsed id."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch every security contact for the subscription and store its parsed form."""
        raw_contacts = await self.facade.securitycenter.get_security_contacts(self.subscription_id)
        for raw_contact in raw_contacts:
            contact_id, parsed_contact = self._parse_security_contact(raw_contact)
            self[contact_id] = parsed_contact

    def _parse_security_contact(self, security_contact):
        """Return ``(id, dict)`` for one raw contact.

        The two notification flags become booleans that are True only when
        the raw value equals the string "On"; any other value (including a
        missing one) yields False.
        """
        parsed = {
            # The raw id is lower-cased before the id is derived.
            'id': get_non_provider_id(security_contact.id.lower()),
            'name': security_contact.name,
            'email': security_contact.email,
            'phone': security_contact.phone,
            'alert_notifications': security_contact.alert_notifications == "On",
            'alerts_to_admins': security_contact.alerts_to_admins == "On",
            'additional_properties': security_contact.additional_properties,
        }
        return parsed['id'], parsed


================================================
FILE: ScoutSuite/providers/azure/resources/securitycenter/settings.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id


class Settings(AzureResources):
    """Security Center settings of one subscription, keyed by parsed id."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch every setting for the subscription and store its parsed form."""
        raw_settings_list = await self.facade.securitycenter.get_settings(self.subscription_id)
        for raw_settings in raw_settings_list:
            settings_id, parsed_settings = self._parse_settings(raw_settings)
            self[settings_id] = parsed_settings

    def _parse_settings(self, settings):
        """Return ``(id, dict)`` with the id, name, kind and enabled flag of one raw setting."""
        parsed = {
            'id': get_non_provider_id(settings.id.lower()),
            'name': settings.name,
            'kind': settings.kind,
            'enabled': settings.enabled,
        }
        return parsed['id'], parsed


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/base.py
================================================
from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions

from .servers import Servers


class Servers(Subscriptions):
    """Per-subscription entry point for the SQL database service."""

    # Inside this class body ``Servers`` still resolves to the class imported
    # from .servers; the module-level name is rebound to this class only once
    # the class statement has finished executing.
    _children = [
        (Servers, 'servers')
    ]


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/database_blob_auditing_policies.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class DatabaseBlobAuditingPolicies(AzureResources):
    """Blob auditing policy of a single database."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str,
                 database_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.database_name = database_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the database's blob auditing policy and record its parsed fields."""
        raw_policy = await self.facade.sqldatabase.get_database_blob_auditing_policies(
            self.resource_group_name, self.server_name, self.database_name, self.subscription_id)
        self._parse_policies(raw_policy)

    def _parse_policies(self, policies):
        """Record whether auditing is enabled (state equals "Enabled") and the retention period."""
        summary = {
            'auditing_enabled': policies.state == "Enabled",
            'retention_days': policies.retention_days
        }
        self.update(summary)


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/database_threat_detection_policies.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class DatabaseThreatDetectionPolicies(AzureResources):
    """Threat detection policy of a single database."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str,
                 database_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.database_name = database_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the database's threat detection policy and record its parsed fields."""
        raw_policy = await self.facade.sqldatabase.get_database_threat_detection_policies(
            self.resource_group_name, self.server_name, self.database_name, self.subscription_id)
        self._parse_policies(raw_policy)

    def _parse_policies(self, policies):
        """Reduce the raw policy to three booleans plus the retention period.

        NOTE(review): ``disabled_alerts`` and ``email_addresses`` are compared
        with the empty string here, while the server-level counterpart
        (server_security_alert_policies.py) compares with ``[""]``. If the SDK
        returns a list or None for these fields, ``alerts_enabled`` is always
        False and the address check in ``send_alerts_enabled`` is always
        satisfied — confirm the field types against the facade.
        """
        summary = {
            'threat_detection_enabled': policies.state == "Enabled",
            'alerts_enabled': policies.disabled_alerts == "",
            'send_alerts_enabled': policies.email_addresses != "" and policies.email_account_admins == "Enabled",
            'retention_days': policies.retention_days
        }
        self.update(summary)


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/databases.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureCompositeResources
from ScoutSuite.providers.azure.utils import get_resource_group_name

from .database_blob_auditing_policies import DatabaseBlobAuditingPolicies
from .database_threat_detection_policies import DatabaseThreatDetectionPolicies
from .replication_links import ReplicationLinks
from .transparent_data_encryptions import TransparentDataEncryptions


class Databases(AzureCompositeResources):
    """Databases of one SQL server, keyed by database name, with per-database children."""

    # Presumably the second element names the key a child is stored under and
    # None merges the child's fields into the database entry — confirm in
    # AzureCompositeResources.
    _children = [
        (DatabaseBlobAuditingPolicies, 'auditing'),
        (DatabaseThreatDetectionPolicies, 'threat_detection'),
        (ReplicationLinks, None),
        (TransparentDataEncryptions, None)
    ]

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the server's databases, then fetch the children of each one."""
        raw_databases = await self.facade.sqldatabase.get_databases(
            self.resource_group_name, self.server_name, self.subscription_id)
        for db in raw_databases:
            # Skip 'master': it is auto-generated by Azure and read-only.
            if db.name == 'master':
                continue

            self[db.name] = {
                'id': db.name,
                'name': db.name,
                # Tags are flattened to "key:value" strings; no tags gives an empty list.
                'tags': ["{}:{}".format(key, value) for key, value in db.tags.items()]
                if db.tags is not None else [],
                'resource_group_name': get_resource_group_name(db.id)
            }

        # One scope per stored database, carrying the constructor arguments of the child classes.
        child_scopes = {
            db_id: {'resource_group_name': self.resource_group_name,
                    'server_name': self.server_name,
                    'database_name': entry['name'],
                    'subscription_id': self.subscription_id}
            for (db_id, entry) in self.items()
        }
        await self._fetch_children_of_all_resources(
            resources=self,
            scopes=child_scopes
        )


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/firewall_rules.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id


class FirewallRules(AzureResources):
    """Firewall rules of one SQL server, keyed by parsed id."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the server's firewall rules and store each under its parsed id."""
        raw_rules = await self.facade.sqldatabase.get_firewall_rules(
            self.resource_group_name, self.server_name, self.subscription_id)
        for firewall_rule in raw_rules:
            rule_id, parsed_rule = self._parse_firewall_rules(firewall_rule)
            self[rule_id] = parsed_rule

    def _parse_firewall_rules(self, firewall_rule):
        """Return ``(id, dict)`` for one raw rule.

        The start and end addresses are copied as returned; this method does
        no validation or evaluation of how wide the range is.
        """
        parsed = {
            'id': get_non_provider_id(firewall_rule.id.lower()),
            'name': firewall_rule.name,
            'start_ip': firewall_rule.start_ip_address,
            'end_ip': firewall_rule.end_ip_address,
        }
        return parsed['id'], parsed


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/replication_links.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class ReplicationLinks(AzureResources):
    """Replication status of a single database."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str,
                 database_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.database_name = database_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the database's replication links and record whether any exist."""
        raw_links = await self.facade.sqldatabase.get_database_replication_links(
            self.resource_group_name, self.server_name, self.database_name, self.subscription_id)
        self._parse_links(raw_links)

    def _parse_links(self, links):
        """Set ``replication_configured`` to True when at least one link was returned."""
        # len() needs a sized value; assumes the facade never hands back None — TODO confirm.
        self.update({
            'replication_configured': len(links) > 0
        })


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/server_azure_ad_administrators.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class ServerAzureAdAdministrators(AzureResources):
    """Azure AD administrator information of one SQL server."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Store the facade's answer, unparsed, under the ``ad_admin`` key."""
        ad_admin = await self.facade.sqldatabase.get_server_azure_ad_administrators(
            self.resource_group_name, self.server_name, self.subscription_id)
        self['ad_admin'] = ad_admin


================================================ FILE:
ScoutSuite/providers/azure/resources/sqldatabase/server_blob_auditing_policies.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class ServerBlobAuditingPolicies(AzureResources):
    """Blob auditing policy of one SQL server."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the server's blob auditing policy and record its parsed fields."""
        raw_policy = await self.facade.sqldatabase.get_server_blob_auditing_policies(
            self.resource_group_name, self.server_name, self.subscription_id)
        self._parse_policies(raw_policy)

    def _parse_policies(self, policies):
        """Record whether auditing is enabled (state equals "Enabled") and the retention period."""
        summary = {
            'auditing_enabled': policies.state == "Enabled",
            'retention_days': policies.retention_days
        }
        self.update(summary)


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/server_encryption_protectors.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class ServerEncryptionProtectors(AzureResources):
    """Encryption protector of one SQL server."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the server's encryption protector and record its parsed fields."""
        raw_protector = await self.facade.sqldatabase.get_server_encryption_protectors(
            self.resource_group_name, self.server_name, self.subscription_id)
        self._parse_protectors(raw_protector)

    def _parse_protectors(self, protectors):
        """Copy kind, key type and uri, and derive ``TDE_protector_is_encrypted``.

        The derived flag is True only when ``kind`` is 'azurekeyvault',
        ``server_key_type`` is 'AzureKeyVault' and a ``uri`` is present.

        NOTE(review): despite the key's name, this looks like a test for a
        Key Vault-backed protector rather than for encryption being on —
        confirm against the rule that consumes it.
        """
        summary = {
            'kind': protectors.kind,
            'server_key_type': protectors.server_key_type,
            'uri': protectors.uri,
            'TDE_protector_is_encrypted': protectors.kind == 'azurekeyvault' and
                                          protectors.server_key_type == 'AzureKeyVault' and
                                          protectors.uri is not None
        }
        self.update(summary)


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/server_security_alert_policies.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class ServerSecurityAlertPolicies(AzureResources):
    """Security alert (threat detection) policy of one SQL server."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the server's security alert policy and record its parsed fields."""
        raw_policy = await self.facade.sqldatabase.get_server_security_alert_policies(
            self.resource_group_name, self.server_name, self.subscription_id)
        self._parse_policies(raw_policy)

    def _parse_policies(self, policies):
        """Reduce the raw policy to three flags plus the retention period.

        NOTE(review): ``alerts_enabled`` is True only for the exact value
        ``[""]``; an empty list or None yields False. ``send_alerts_enabled``
        is an ``and`` expression, so when the address check passes it carries
        the raw value of ``email_account_admins`` rather than a coerced
        boolean — confirm both against what the SDK returns.
        """
        summary = {
            'threat_detection_enabled': policies.state == "Enabled",
            'alerts_enabled': policies.disabled_alerts == [""],
            'send_alerts_enabled': policies.email_addresses != [""] and policies.email_account_admins,
            'retention_days': policies.retention_days
        }
        self.update(summary)


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/server_vulnerability_assessments.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class ServerVulnerabilityAssessments(AzureResources):
    """Vulnerability assessment settings of one SQL server."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the server's vulnerability assessment and record its parsed fields."""
        raw_assessment = await self.facade.sqldatabase.get_server_vulnerability_assessments(
            self.resource_group_name, self.server_name, self.subscription_id)
        self._parse_vulnerabilities(raw_assessment)

    def _parse_vulnerabilities(self, vulnerability):
        """Record the recurring-scan settings of the raw assessment.

        NOTE(review): ``storage_account_name`` is filled from
        ``vulnerability.name``; whether that is really a storage account name
        cannot be told from here. ``recurring_scans`` is dereferenced without
        a None check, and ``emails != []`` is also True when ``emails`` is
        None — confirm the shapes returned by the facade.
        """
        summary = {
            'storage_account_name': vulnerability.name,
            'recurring_scans_enabled': vulnerability.recurring_scans.is_enabled,
            'send_scan_reports_to_not_empty': vulnerability.recurring_scans.emails != [],
            'email_subscription_admin': vulnerability.recurring_scans.email_subscription_admins
        }
        self.update(summary)


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/servers.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureCompositeResources
from ScoutSuite.providers.azure.utils import get_resource_group_name
from ScoutSuite.providers.utils import get_non_provider_id

from .databases import Databases
from .server_azure_ad_administrators import ServerAzureAdAdministrators
from .server_blob_auditing_policies import ServerBlobAuditingPolicies
from .server_security_alert_policies import ServerSecurityAlertPolicies
from .server_vulnerability_assessments import ServerVulnerabilityAssessments
from .server_encryption_protectors import ServerEncryptionProtectors
from .firewall_rules import FirewallRules


class Servers(AzureCompositeResources):
    """SQL servers of one subscription, keyed by parsed id, with per-server children."""

    # Presumably the second element names the key a child is stored under and
    # None merges the child's fields into the server entry — confirm in
    # AzureCompositeResources.
    _children = [
        (Databases, 'databases'),
        (ServerAzureAdAdministrators, None),
        (ServerBlobAuditingPolicies, 'auditing'),
        (ServerSecurityAlertPolicies, 'threat_detection'),
        (ServerVulnerabilityAssessments, 'server_vulnerability'),
        (ServerEncryptionProtectors, 'encryption_protectors'),
        (FirewallRules, 'firewall_rules')
    ]

    def __init__(self, facade: AzureFacade, subscription_id: str):
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the subscription's SQL servers, then fetch the children of each one."""
        raw_servers = await self.facade.sqldatabase.get_servers(self.subscription_id)
        for raw_server in raw_servers:
            server_key, parsed_server = self._parse_server(raw_server)
            self[server_key] = parsed_server

        # One scope per stored server, carrying the constructor arguments of the child classes.
        child_scopes = {
            server_id: {'resource_group_name': entry['resource_group_name'],
                        'server_name': entry['name'],
                        'subscription_id': self.subscription_id}
            for (server_id, entry) in self.items()
        }
        await self._fetch_children_of_all_resources(
            resources=self,
            scopes=child_scopes
        )

    def _parse_server(self, raw_server):
        """Return ``(id, dict)`` with the id, name, resource group and tags of one raw server."""
        server = {
            'id': get_non_provider_id(raw_server.id),
            'name': raw_server.name,
            'resource_group_name': get_resource_group_name(raw_server.id),
            # Tags are flattened to "key:value" strings; no tags gives an empty list.
            'tags': ["{}:{}".format(key, value) for key, value in raw_server.tags.items()]
            if raw_server.tags is not None else [],
        }
        return server['id'], server


================================================
FILE: ScoutSuite/providers/azure/resources/sqldatabase/transparent_data_encryptions.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class TransparentDataEncryptions(AzureResources):
    """Transparent data encryption status of a single database."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, server_name: str,
                 database_name: str, subscription_id: str):
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.server_name = server_name
        self.database_name = database_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the database's TDE setting and record whether it is enabled."""
        raw_encryption = await self.facade.sqldatabase.get_database_transparent_data_encryptions(
            self.resource_group_name, self.server_name, self.database_name, self.subscription_id)
        self._parse_encryptions(raw_encryption)

    def _parse_encryptions(self, encryptions):
        """Set ``transparent_data_encryption_enabled`` to True only when status equals "Enabled"."""
        self.update({
            'transparent_data_encryption_enabled': encryptions.status == "Enabled"
        })


================================================
FILE: ScoutSuite/providers/azure/resources/storageaccounts/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/azure/resources/storageaccounts/base.py
================================================
from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions
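from .storage_accounts import StorageAccounts


class StorageAccounts(Subscriptions):
    """Storage accounts grouped by subscription."""

    # The class reuses the name of the imported resource class. Inside the class
    # body the name still refers to the import, because the class's own name is
    # only bound after the body has run.
    _children = [
        (StorageAccounts, 'storage_accounts')
    ]

================================================
FILE: ScoutSuite/providers/azure/resources/storageaccounts/blob_containers.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class BlobContainers(AzureResources):
    """Blob containers of one storage account, keyed by container name."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, storage_account_name: str,
                 subscription_id: str):
        """Remember which storage account to list containers for."""
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.storage_account_name = storage_account_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch and parse every blob container of the storage account."""
        raw_blob_containers = await self.facade.storageaccounts.get_blob_containers(self.resource_group_name,
                                                                                    self.storage_account_name,
                                                                                    self.subscription_id)
        for raw_blob_container in raw_blob_containers:
            id, blob_container = self._parse_blob_container(raw_blob_container)
            self[id] = blob_container

    def _parse_blob_container(self, raw_blob_container):
        """Return ``(id, container_dict)``; the container name is used as ID."""
        blob_container = {}
        blob_container['id'] = raw_blob_container.name
        # NOTE(review): this compares against the string "None". A Python None
        # would also compare unequal and be recorded as public access allowed -
        # confirm which of the two the facade returns.
        blob_container['public_access_allowed'] = raw_blob_container.public_access != "None"
        return blob_container['id'], blob_container

================================================
FILE: ScoutSuite/providers/azure/resources/storageaccounts/blob_services.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id


class BlobServices(AzureResources):
    """Blob services of one storage account, keyed by ID."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, storage_account_name: str,
                 subscription_id: str):
        """Remember which storage account to list blob services for."""
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.storage_account_name = storage_account_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch and parse every blob service of the storage account."""
        raw_blob_services = await self.facade.storageaccounts.get_blob_services(self.resource_group_name,
                                                                                self.storage_account_name,
                                                                                self.subscription_id)
        for raw_blob_service in raw_blob_services:
            id, blob_service = self._parse_blob_service(raw_blob_service)
            self[id] = blob_service

    def _parse_blob_service(self, raw_blob_service):
        """Return ``(id, service_dict)`` with the soft-delete setting of the service."""
        blob_service = {}
        # The raw ID is lower-cased before the non-provider ID is derived from it.
        blob_service['id'] = get_non_provider_id(raw_blob_service.id.lower())
        blob_service['name'] = raw_blob_service.name
        blob_service['soft_delete_enabled'] = raw_blob_service.delete_retention_policy.enabled
        return blob_service['id'], blob_service

================================================
FILE: ScoutSuite/providers/azure/resources/storageaccounts/queues.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources


class Queues(AzureResources):
    """Queues of one storage account (parser not implemented)."""

    def __init__(self, facade: AzureFacade, resource_group_name: str, storage_account_name: str,
                 subscription_id: str):
        """Remember which storage account to list queues for."""
        super().__init__(facade)
        self.resource_group_name = resource_group_name
        self.storage_account_name = storage_account_name
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch the queues of the storage account and parse each one."""
        raw_queues = await self.facade.storageaccounts.get_queues(self.resource_group_name,
                                                                  self.storage_account_name,
                                                                  self.subscription_id)
        for raw_queue in raw_queues:
            id, queue = self._parse_queue(raw_queue)
            self[id] = queue

    def _parse_queue(self, raw_queue):
        # Stub: returns None, so the tuple unpacking in fetch_all() would raise
        # as soon as a queue is returned. storage_accounts.py keeps this class
        # commented out of its _children list.
        pass

================================================
FILE: ScoutSuite/providers/azure/resources/storageaccounts/storage_accounts.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureCompositeResources
from ScoutSuite.providers.azure.utils import get_resource_group_name
from ScoutSuite.providers.utils import get_non_provider_id

from .blob_containers import BlobContainers
# from .queues import Queues
from .blob_services import BlobServices


class StorageAccounts(AzureCompositeResources):
    """Storage accounts of one subscription, keyed by ID, with their blob children."""

    _children = [
        (BlobContainers, 'blob_containers'),
        (BlobServices, 'blob_services'),
        # (Queues, 'queues')  # FIXME - not implemented by SDK
    ]

    def __init__(self, facade: AzureFacade, subscription_id: str):
        """Remember the subscription whose storage accounts will be fetched."""
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch and parse every storage account, then fetch the children of each one."""
        for raw_storage_account in await self.facade.storageaccounts.get_storage_accounts(self.subscription_id):
            id, storage_account = self._parse_storage_account(raw_storage_account)
            self[id] = storage_account

        await self._fetch_children_of_all_resources(
            resources=self,
            scopes={storage_account_id: {'resource_group_name': storage_account['resource_group_name'],
                                         'storage_account_name': storage_account['name'],
                                         'subscription_id': self.subscription_id}
                    for (storage_account_id, storage_account) in self.items()}
        )

    def _parse_storage_account(self, raw_storage_account):
        """Return ``(id, account_dict)`` with the security-relevant account settings.

        Covers transport (HTTPS only), network exposure (default action and
        bypass list), shared-key access, access-key rotation and the source of
        the encryption key.
        """
        storage_account = {}
        encryption = raw_storage_account.encryption
        raw_id = raw_storage_account.id
        storage_account['id'] = get_non_provider_id(raw_id.lower())
        storage_account['resource_group_name'] = get_resource_group_name(raw_id)
        storage_account['name'] = raw_storage_account.name
        storage_account['https_traffic_enabled'] = raw_storage_account.enable_https_traffic_only
        storage_account['public_traffic_allowed'] = self._is_public_traffic_allowed(raw_storage_account)
        storage_account['trusted_microsoft_services_enabled'] = \
            self._is_trusted_microsoft_services_enabled(raw_storage_account)
        storage_account['bypass'] = raw_storage_account.network_rule_set.bypass
        # The default value (null) is equivalent to True
        storage_account['shared_key_access_allowed'] = raw_storage_account.allow_shared_key_access != False
        # NOTE(review): `activity_logs` is presumably attached to the raw account
        # by the facade; it is not set anywhere in this file.
        storage_account['access_keys_last_rotation_date'] = \
            self._parse_access_keys_last_rotation_date(raw_storage_account.activity_logs)
        storage_account['encryption_key_source'] = encryption.key_source
        storage_account['encryption_key_customer_managed'] = \
            self._is_encryption_key_customer_managed(encryption.key_source)

        if raw_storage_account.tags is not None:
            storage_account['tags'] = ["{}:{}".format(key, value) for key, value in raw_storage_account.tags.items()]
        else:
            storage_account['tags'] = []

        return storage_account['id'], storage_account

    def _is_public_traffic_allowed(self, storage_account):
        """Return True when the network rule set's default action is ``"Allow"``."""
        return storage_account.network_rule_set.default_action == "Allow"

    def _is_trusted_microsoft_services_enabled(self, storage_account):
        """Return True when ``"AzureServices"`` appears in the bypass setting."""
        if storage_account.network_rule_set.bypass:
            return "AzureServices" in storage_account.network_rule_set.bypass
        return False

    def _parse_access_keys_last_rotation_date(self, activity_logs):
        """Return the newest timestamp of a key-regeneration entry, or None if there is none."""
        last_rotation_date = None
        for log in activity_logs:
            if log.operation_name.value == 'Microsoft.Storage/storageAccounts/regenerateKey/action':
                if last_rotation_date is None or last_rotation_date < log.event_timestamp:
                    last_rotation_date = log.event_timestamp
        return last_rotation_date

    def _is_encryption_key_customer_managed(self, key_source):
        """Return True for every key source other than ``"Microsoft.Storage"``."""
        # Microsoft Storage is the default option which is not customer-managed
        return key_source != "Microsoft.Storage"

================================================
FILE: ScoutSuite/providers/azure/resources/subscriptions.py
================================================
from ScoutSuite.providers.azure.resources.base import AzureCompositeResources


class Subscriptions(AzureCompositeResources):
    """Collection of Azure resources grouped by subscription.

    Subclasses list their child resource classes in ``_children`` as
    ``(class, name)`` pairs; every child is fetched with a ``subscription_id``
    scope. The children are stored with the following structure:
    ``{'subscriptions': {SUBSCRIPTION_ID: {CHILD_NAME: {CHILD_ID: CHILD}}}}``
    (the inner levels are filled by ``_fetch_children_of_all_resources``,
    which is defined outside this file).
    """

    async def fetch_all(self):
        """Fetch all the Azure subscriptions that can be accessed with the given run configuration.

        It then fetches all the children defined in ``_children`` and groups
        them by subscription.
        """

        raw_subscriptions = await self.facade.get_subscriptions()

        # An empty or missing result still leaves a 'subscriptions' key behind.
        if raw_subscriptions:
            self['subscriptions'] = {subscription.subscription_id: {} for subscription in raw_subscriptions}
        else:
            self['subscriptions'] = {}

        await self._fetch_children_of_all_resources(
            resources=self['subscriptions'],
            scopes={subscription_id: {'subscription_id': subscription_id}
                    for subscription_id in self['subscriptions']})

        self._set_counts()

    def _set_counts(self):
        """Sum each child's per-subscription ``<name>_count`` into a total on this object."""
        for _, child_name in self._children:
            self[child_name + '_count'] = sum([subscription[child_name + '_count']
                                               for subscription in self['subscriptions'].values()])

================================================
FILE: ScoutSuite/providers/azure/resources/virtualmachines/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/azure/resources/virtualmachines/base.py
================================================
from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions

from .instances import Instances
from .disks import Disks
from .snapshots import Snapshots
from .images import Images


class VirtualMachines(Subscriptions):
    """Virtual machine resources (instances, disks, snapshots, images) grouped by subscription."""

    _children = [
        (Instances, 'instances'),
        (Disks, 'disks'),
        (Snapshots, 'snapshots'),
        (Images, 'images'),
    ]

================================================
FILE: ScoutSuite/providers/azure/resources/virtualmachines/disks.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id


class Disks(AzureResources):
    """Disks of one subscription, keyed by ID."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        """Remember the subscription whose disks will be fetched."""
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch and parse every disk of the subscription."""
        for raw_disk in await self.facade.virtualmachines.get_disks(self.subscription_id):
            id, disk = self._parse_disk(raw_disk)
            self[id] = disk

    def _parse_disk(self, raw_disk):
        """Return ``(id, disk_dict)`` built from a raw disk object.

        Attributes read with ``getattr``/``hasattr`` may be absent on the raw
        object and then default to None.
        """
        disk_dict = {}
        disk_dict['id'] = get_non_provider_id(raw_disk.id)
        disk_dict['unique_id'] = getattr(raw_disk, 'unique_id', None)
        disk_dict['name'] = raw_disk.name
        disk_dict['type'] = raw_disk.type
        disk_dict['location'] = raw_disk.location
        disk_dict['tags'] = raw_disk.tags
        disk_dict['managed_by'] = raw_disk.managed_by
        disk_dict['sku'] = raw_disk.sku
        disk_dict['zones'] = raw_disk.zones
        disk_dict['time_created'] = raw_disk.time_created
        disk_dict['os_type'] = raw_disk.os_type
        disk_dict['hyper_vgeneration'] = raw_disk.hyper_v_generation
        disk_dict['creation_data'] = raw_disk.creation_data
        disk_dict['disk_size_gb'] = raw_disk.disk_size_gb
        disk_dict['disk_size_bytes'] = getattr(raw_disk, 'disk_size_bytes', None)
        disk_dict['provisioning_state'] = raw_disk.provisioning_state
        disk_dict['disk_iops_read_write'] = raw_disk.disk_iops_read_write
        disk_dict['disk_mbps_read_write'] = raw_disk.disk_m_bps_read_write
        disk_dict['disk_state'] = raw_disk.disk_state
        disk_dict['additional_properties'] = raw_disk.additional_properties

        if hasattr(raw_disk, 'encryption'):
            disk_dict['encryption_type'] = getattr(raw_disk.encryption, 'type', None)
        else:
            disk_dict['encryption_type'] = None

        # ADE is recorded only when the settings collection is enabled and its
        # version is 1.0 or 1.1.
        if getattr(raw_disk, 'encryption_settings_collection', None):
            # Default of None: a collection without a version attribute no longer
            # raises AttributeError, it simply does not match either version.
            disk_dict['encryption_ade'] = raw_disk.encryption_settings_collection.enabled and \
                getattr(raw_disk.encryption_settings_collection, 'encryption_settings_version', None) in ['1.0', '1.1']
        else:
            disk_dict['encryption_ade'] = False

        return disk_dict['id'], disk_dict

================================================
FILE: ScoutSuite/providers/azure/resources/virtualmachines/images.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id


class Images(AzureResources):
    """Images of one subscription, keyed by ID."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        """Remember the subscription whose images will be fetched."""
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch and parse every image of the subscription."""
        for raw_image in await self.facade.virtualmachines.get_images(self.subscription_id):
            id, image = self._parse_image(raw_image)
            self[id] = image

    def _parse_image(self, raw_image):
        """Return ``(id, image_dict)`` built from a raw image object."""
        image_dict = {}
        image_dict['id'] = get_non_provider_id(raw_image.id)
        image_dict['name'] = raw_image.name
        image_dict['type'] = raw_image.type
        image_dict['location'] = raw_image.location
        image_dict['tags'] = raw_image.tags
        image_dict['source_virtual_machine'] = raw_image.source_virtual_machine
        image_dict['storage_profile'] = raw_image.storage_profile
        image_dict['provisioning_state'] = raw_image.provisioning_state
        # NOTE(review): disks.py reads `hyper_v_generation` while this reads
        # `hyper_vgeneration` - confirm which spelling the raw image exposes.
        image_dict['hyper_vgeneration'] = raw_image.hyper_vgeneration
        image_dict['additional_properties'] = raw_image.additional_properties
        return image_dict['id'], image_dict

================================================
FILE: ScoutSuite/providers/azure/resources/virtualmachines/instances.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id
from ScoutSuite.providers.azure.utils import get_resource_group_name
from ScoutSuite.providers.azure.utils import get_resource_group_name


class Instances(AzureResources):
    """Virtual machine instances of one subscription, keyed by ID."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        """Remember the subscription whose instances will be fetched."""
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch and parse every instance of the subscription."""
        for raw_instance in await self.facade.virtualmachines.get_instances(self.subscription_id):
            id, instance = await self._parse_instance(raw_instance)
            self[id] = instance

    @staticmethod
    def _resource_group_and_name(resource_id):
        """Return ``"<segment 4>:<segment 8>"`` of a '/'-separated ID, or the ID unchanged.

        Any failure (too few segments, ID not a string) falls back to the raw
        value, as the inline code this replaces did.
        """
        try:
            segments = resource_id.split('/')
            return segments[4] + ':' + segments[8]
        except Exception:
            return resource_id

    async def _parse_instance(self, raw_instance):
        """Return ``(id, instance_dict)`` built from a raw instance object.

        Besides the raw attributes, the instance's extensions are fetched from
        the facade, which is why this parser is a coroutine.
        """
        instance_dict = {}
        instance_dict['id'] = get_non_provider_id(raw_instance.id.lower())
        instance_dict['name'] = raw_instance.name
        instance_dict['vm_id'] = raw_instance.vm_id
        instance_dict['zones'] = raw_instance.zones

        # Get the resource group and availability set if set
        if raw_instance.availability_set is not None:
            instance_dict['availability_set'] = \
                self._resource_group_and_name(raw_instance.availability_set.id)
        else:
            instance_dict['availability_set'] = None

        # Get the resource group and proximity placement group if set
        if raw_instance.proximity_placement_group is not None:
            instance_dict['proximity_placement_group'] = \
                self._resource_group_and_name(raw_instance.proximity_placement_group.id)
        else:
            instance_dict['proximity_placement_group'] = None

        instance_dict['additional_properties'] = list(raw_instance.additional_properties)
        instance_dict['location'] = raw_instance.location
        instance_dict['type'] = raw_instance.type
        instance_dict['resources'] = raw_instance.resources
        if raw_instance.tags is not None:
            instance_dict['tags'] = ["{}:{}".format(key, value) for key, value in raw_instance.tags.items()]
        else:
            instance_dict['tags'] = []
        instance_dict['resource_group_name'] = get_resource_group_name(raw_instance.id)
        instance_dict['provisioning_state'] = raw_instance.provisioning_state
        if raw_instance.plan is not None:
            instance_dict['plan'] = raw_instance.plan.name
        else:
            instance_dict['plan'] = None
        instance_dict['identity'] = raw_instance.identity

        if raw_instance.additional_capabilities is not None:
            # Get all the enabled additional capabilities ignoring not set or empty values
            instance_dict['additional_capabilities'] = [
                additional_capability
                for additional_capability, value in raw_instance.additional_capabilities.__dict__.items()
                if value]
        else:
            instance_dict['additional_capabilities'] = None

        instance_dict['license_type'] = raw_instance.license_type

        # TODO process and display the below
        instance_dict['hardware_profile'] = raw_instance.hardware_profile.vm_size

        # Handle VMs without diagnostics profile configured
        # NOTE(review): when the profile is missing, no 'diagnostics_profile' key
        # is written at all, unlike the other optional fields, which are set to
        # None - confirm that consumers of this dict expect that.
        if raw_instance.diagnostics_profile is not None:
            instance_dict['diagnostics_profile'] = {
                'Boot Diagnostics': True if raw_instance.diagnostics_profile.boot_diagnostics.enabled else None}

        instance_dict['os_profile'] = {}
        os_profile = raw_instance.os_profile
        if os_profile is not None:
            instance_dict['os_profile']['Administrator Username'] = os_profile.admin_username
            instance_dict['os_profile']['Allow Extension Operations'] = os_profile.allow_extension_operations
            instance_dict['os_profile']['Computer Name'] = os_profile.computer_name
            # NOTE(review): custom data and unattend content can carry provisioning
            # scripts or credentials. Whatever the API returns is stored verbatim
            # in the parsed results - confirm it should be kept unredacted.
            instance_dict['os_profile']['Custom Data'] = os_profile.custom_data
            # `or []` keeps a missing (None) secrets list from raising TypeError.
            # NOTE(review): join() still requires every element to be a string;
            # confirm the element type the SDK returns here.
            instance_dict['os_profile']['Secrets'] = ''.join(os_profile.secrets or [])
            if os_profile.windows_configuration:
                windows = os_profile.windows_configuration
                instance_dict['os_profile']['Unnatended Content'] = windows.additional_unattend_content
                instance_dict['os_profile']['Automatic Updates'] = windows.enable_automatic_updates
                instance_dict['os_profile']['VM Agent Provision'] = windows.provision_vm_agent
                instance_dict['os_profile']['Windows Remote Management'] = windows.win_rm
            elif os_profile.linux_configuration:
                linux = os_profile.linux_configuration
                instance_dict['os_profile']['Disable Password Authentication'] = \
                    linux.disable_password_authentication
                instance_dict['os_profile']['VM Agent Provision'] = linux.provision_vm_agent

        storage_profile = raw_instance.storage_profile
        if storage_profile is not None:
            instance_dict['storage_profile'] = {}
            image_reference = storage_profile.image_reference
            if image_reference is not None:
                instance_dict['storage_profile']['Publisher'] = image_reference.publisher
                instance_dict['storage_profile']['Release'] = image_reference.version
                instance_dict['storage_profile']['SKU'] = image_reference.sku
                instance_dict['storage_profile']['Offer'] = image_reference.offer
                instance_dict['storage_profile']['Exact Version'] = image_reference.exact_version
            os_disk = storage_profile.os_disk
            instance_dict['storage_profile']['OS Disk Size (GB)'] = os_disk.disk_size_gb
            instance_dict['storage_profile']['OS Disk Name'] = os_disk.name
            instance_dict['storage_profile']['OS Disk VHD'] = os_disk.vhd
            if os_disk.managed_disk:
                # Only the last path segment of the managed disk ID is kept.
                instance_dict['storage_profile']['OS Managed Disk ID'] = os_disk.managed_disk.id.split('/')[-1]
                instance_dict['storage_profile']['OS Managed Disk Storage Account Type'] = \
                    os_disk.managed_disk.storage_account_type
            else:
                instance_dict['storage_profile']['OS Managed Disk ID'] = None
                instance_dict['storage_profile']['OS Managed Disk Storage Account Type'] = None
            if storage_profile.data_disks is not None and storage_profile.data_disks:
                instance_dict['storage_profile']['Data Disks'] = [
                    "{} ({}GB)".format(disk.name, disk.disk_size_gb) for disk in storage_profile.data_disks]
        else:
            instance_dict['storage_profile'] = None

        instance_dict['network_interfaces'] = []
        for interface in raw_instance.network_profile.network_interfaces:
            instance_dict['network_interfaces'].append(get_non_provider_id(interface.id))

        instance_dict['extensions'] = await self.facade.virtualmachines.get_instance_extensions(
            subscription_id=self.subscription_id,
            instance_name=instance_dict['name'],
            resource_group=get_resource_group_name(raw_instance.id))
        instance_dict['extension_names'] = [extension.name for extension in instance_dict['extensions']]

        return instance_dict['id'], instance_dict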
================================================
FILE: ScoutSuite/providers/azure/resources/virtualmachines/snapshots.py
================================================
from ScoutSuite.providers.azure.facade.base import AzureFacade
from ScoutSuite.providers.azure.resources.base import AzureResources
from ScoutSuite.providers.utils import get_non_provider_id


class Snapshots(AzureResources):
    """Disk snapshots of one subscription, keyed by ID."""

    def __init__(self, facade: AzureFacade, subscription_id: str):
        """Remember the subscription whose snapshots will be fetched."""
        super().__init__(facade)
        self.subscription_id = subscription_id

    async def fetch_all(self):
        """Fetch every snapshot of the subscription and store its parsed form."""
        raw_snapshots = await self.facade.virtualmachines.get_snapshots(self.subscription_id)
        for raw_snapshot in raw_snapshots:
            snapshot_id, parsed = self._parse_snapshot(raw_snapshot)
            self[snapshot_id] = parsed

    def _parse_snapshot(self, raw_snapshot):
        """Return ``(id, snapshot_dict)`` built from a raw snapshot object.

        Attributes read with ``getattr``/``hasattr`` may be absent on the raw
        object and then default to None.
        """
        # NOTE(review): disks.py reads `hyper_v_generation` while this reads
        # `hyper_vgeneration` - confirm which spelling the raw snapshot exposes.
        parsed = {
            'id': get_non_provider_id(raw_snapshot.id),
            'unique_id': getattr(raw_snapshot, 'unique_id', None),
            'name': raw_snapshot.name,
            'type': raw_snapshot.type,
            'location': raw_snapshot.location,
            'tags': raw_snapshot.tags,
            'managed_by': raw_snapshot.managed_by,
            'sku': raw_snapshot.sku,
            'time_created': raw_snapshot.time_created,
            'os_type': raw_snapshot.os_type,
            'hyper_vgeneration': raw_snapshot.hyper_vgeneration,
            'creation_data': raw_snapshot.creation_data,
            'disk_size_gb': raw_snapshot.disk_size_gb,
            'disk_size_bytes': getattr(raw_snapshot, 'disk_size_bytes', None),
            'provisioning_state': raw_snapshot.provisioning_state,
            'incremental': getattr(raw_snapshot, 'incremental', None),
            'additional_properties': raw_snapshot.additional_properties,
            # Evaluated last, as before: the encryption type when the attribute exists.
            'encryption_type': (getattr(raw_snapshot.encryption, 'type', None)
                                if hasattr(raw_snapshot, 'encryption') else None),
        }
        return parsed['id'], parsed
================================================ FILE: ScoutSuite/providers/azure/rules/conditions/allow-tcp.json ================================================ { "conditions":[ "or", ["network.subscriptions.id.security_groups.id.security_rules.id.protocol", "equal", "*"], ["network.subscriptions.id.security_groups.id.security_rules.id.protocol", "equal", "TCP"] ] } ================================================ FILE: ScoutSuite/providers/azure/rules/conditions/allow-udp.json ================================================ { "conditions":[ "or", ["network.subscriptions.id.security_groups.id.security_rules.id.protocol", "equal", "*"], ["network.subscriptions.id.security_groups.id.security_rules.id.protocol", "equal", "UDP"] ] } ================================================ FILE: ScoutSuite/providers/azure/rules/conditions/exposed-to-the-internet.json ================================================ { "conditions":[ "and", ["network.subscriptions.id.security_groups.id.security_rules.id.allow", "true", ""], ["network.subscriptions.id.security_groups.id.security_rules.id.direction", "equal", "Inbound"], [ "or", ["network.subscriptions.id.security_groups.id.security_rules.id.source_address_prefixes", "containAtLeastOneOf", "*"], ["network.subscriptions.id.security_groups.id.security_rules.id.source_address_prefixes", "containAtLeastOneOf", "Internet"] ] ] } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/aad-guest-users.json ================================================ { "description": "Guest Users in Use", "rationale": "Avoid creating guest users, as they are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely leading to a potential vulnerability.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "1.3" } ], "dashboard_name": "Users", "path": "aad.users.id", "conditions": [ "and", [ 
"aad.users.id.user_type", "equal", "Guest" ] ], "id_suffix": "user_type" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/aad-users-create-security-groups-disabled.json ================================================ { "description": "Users Can Create Security Group Enabled", "rationale": "When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Security group creation should be restricted to administrators only.", "remediation": "From Azure console:
  1. Go to Azure Active Directory
  2. Go to Groups
  3. Go to General in setting
  4. Ensure that Users can create security groups in Azure Portals is set to No
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "1.17" } ], "dashboard_name": "Policies", "path": "aad.policies.id", "conditions": [ "and", [ "aad.policies.id.allowed_to_create_security_groups", "true", "" ] ], "id_suffix": "allowed_to_create_security_groups" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-authentication-disabled.json ================================================ { "description": "App Service Authentication Disabled", "rationale": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.", "remediation": "In the Azure console:\n
    \n
  1. Go to App Services
  2. \n
  3. Click on each App
  4. \n
  5. Under Setting section, Click on Authentication / Authorization
  6. \n
  7. Set App Service Authentication to On
  8. \n
  9. Choose other parameters as per your requirement and Click on Save
  10. \n
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.1" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.1" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-overview", "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.authentication_enabled", "false", "" ] ], "id_suffix": "authentication_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-client-certificates-disabled.json ================================================ { "description": "Client Certificates Disabled", "rationale": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app.", "remediation": "In the Azure console:\n
    \n
  1. Go to App Services
  2. \n
  3. Click on each App
  4. \n
  5. Under Setting section, Click on Configuration
  6. \n
  7. Ensure that the option Client certificate mode located under Incoming client certificates is set to Require
  8. \n
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.4" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.4" } ], "references": [ "https://learn.microsoft.com/bs-latn-ba/azure/app-service/app-service-web-configure-tls-mutual-auth" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.client_cert_enabled", "false", "" ] ], "id_suffix": "client_cert_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-ftp-deployment-enabled.json ================================================ { "description": "FTP Deployment Enabled", "rationale": "Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.", "remediation": "Using Console:\n
    \n
  1. Go to App Services
  2. \n
  3. Click on an App
  4. \n
  5. Select Settings > Configuration
  6. \n
  7. Under Platform Settings, FTP state should be Disabled or FTPS Only
  8. \n
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.20", "reference": "9.11" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/deploy-ftp", "https://learn.microsoft.com/en-us/azure/app-service/overview-security", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.ftp_deployment_enabled", "true", "" ] ], "id_suffix": "ftp_deployment_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-http-2-disabled.json ================================================ { "description": "HTTP 2.0 Disabled", "rationale": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.

Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.

HTTP 2.0 brings additional performance improvements: it addresses the head-of-line blocking problem of older HTTP versions and adds header compression and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient mechanisms for data streaming.", "remediation": "Using Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to \"App Services\"
  3. Click on each App
  4. Under \"Setting\" section, Click on \"Application settings\"
  5. Ensure that \"HTTP Version\" is set to \"2.0\" under \"General settings\"
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.10" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.10" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.http_2_enabled", "false", "" ] ], "id_suffix": "http_2_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-http-allowed.json ================================================ { "description": "HTTP Traffic Allowed", "rationale": "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port.", "remediation": "In the Azure console:\n
  1. Go to App Services
  2. \n
  3. Click on each App
  4. \n
  5. Under Setting section, Click on SSL settings
  6. \n
  7. Set HTTPS Only to On under Protocol Settings section
  8. \n
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.2" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.2" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.https_only", "false", "" ] ], "id_suffix": "https_only" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-managed-service-identities-disabled.json ================================================ { "description": "Managed Service Identities Disabled", "rationale": "App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.", "remediation": "Using Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to \"App Services\"
  3. Click on each App
  4. Under the \"Setting\" section, Click on \"Identity\"
  5. Ensure that \"Status\" is set to \"On\"
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.5" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.5" } ], "references": [ "https://learn.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.identity", "notNull", "" ], [ "appservice.subscriptions.id.web_apps.id.identity.principal_id", "null", "" ] ], "id_suffix": "identity.managed_principal_id" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-outdated-version-dotnet.json ================================================ { "description": "Web App Running an Outdated .Net Framework Version", "rationale": "Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. Using the latest version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.", "remediation": "Using Command Line:\n
    \n
  1. To see the list of supported runtimes
  2. \n az webapp list-runtimes | grep aspnet\n
  3. To set latest .NET Framework version for an existing app, run the following command:
  4. \n az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --net-framework-version <VERSION>\n
  5. Use .NET Framework as, 'v4.0' for .NET 4.6 and 'v3.0' for .NET 3.5.
  6. \n
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.6" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.6" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.programming_language", "equal", "dotnet" ], [ "appservice.subscriptions.id.web_apps.id.programming_language_version", "containNoneOf", [ "v6.0", "6.0" ] ] ], "id_suffix": "programming_language_version" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-outdated-version-java.json ================================================ { "description": "Web App Running an Outdated Java Version", "rationale": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to to take advantage of security fixes, if any, and/or new functionalities of the latest version.", "remediation": "Using Console:\n
    \n
  1. Go to App Services
  2. \n
  3. Click on each App
  4. \n
  5. Under Setting section, Click on Application Settings
  6. \n
  7. Set Java version to latest version available under General Settings
  8. \n
  9. Set Java minor version to latest version available
  10. \n
  11. Set Java web container to the latest version of web container available
  12. \n NOTE: No action is required if Java version is set to Off \n
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.9" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.9" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.programming_language", "equal", "java" ], [ "appservice.subscriptions.id.web_apps.id.programming_language_version", "containNoneOf", [ "8-jre8", "11-java11", "1.8", "11", "8u232" ] ] ], "id_suffix": "programming_language_version" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-outdated-version-php.json ================================================ { "description": "Web App Running an Outdated PHP Version", "rationale": "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.", "remediation": "Using Console:\n
    \n
  1. Go to App Services
  2. \n
  3. Click on each App
  4. \n
  5. Under Setting section, Click on Configuration
  6. \n
  7. Set PHP version to latest version available under General Settings
  8. \n NOTE: No action is required if PHP version is set to Off \n
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.7" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.7" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.programming_language", "equal", "php" ], [ "appservice.subscriptions.id.web_apps.id.programming_language_version", "containNoneOf", [ "7.2", "7.3", "7.4" ] ] ], "id_suffix": "programming_language_version" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-outdated-version-python.json ================================================ { "description": "Web App Running an Outdated Python Version", "rationale": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.", "remediation": "Using Console:\n
    \n
  1. Go to App Services
  2. \n
  3. Click on each App
  4. \n
  5. Under Setting section, Click on Application Settings
  6. \n
  7. Set Python version to latest version available under General Settings
  8. \n NOTE: No action is required if Python version is set to Off\n
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.8" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.8" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.programming_language", "equal", "python" ], [ "appservice.subscriptions.id.web_apps.id.programming_language_version", "containNoneOf", [ "3.6", "3.7", "3.8", "3.9" ] ] ], "id_suffix": "programming_language_version" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-tls-v1-supported.json ================================================ { "description": "Insecure TLS Version Supported", "rationale": "The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.", "remediation": "In the Azure console:\n
    \n
  1. Go to App Services
  2. \n
  3. Click on each App
  4. \n
  5. Under Setting section, Click on SSL settings
  6. \n
  7. Set Minimum TLS Version to 1.2 under Protocol Settings section
  8. \n
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "9.3" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.3" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "appservice.subscriptions.id.web_apps.id.minimum_tls_version_supported", "notEqual", "1.2" ] ], "id_suffix": "minimum_tls_supported" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/appservice-webapp-using-outdated-progamming-language-version.json ================================================ { "description": "(WIP) Web App Not Using Latest Programming Language Version", "rationale": "", "remediation": "", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.6" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.7" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.8" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "9.9" } ], "references": [ "https://learn.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings" ], "dashboard_name": "Web Apps", "path": "appservice.subscriptions.id.web_apps.id", "conditions": [ "and", [ "or", [ "appservice.subscriptions.id.web_apps.id.programming_language", "equal", "dotnet" ], [ "appservice.subscriptions.id.web_apps.id.programming_language_version", "notEqual", "v4.0" ] ] ], "id_suffix": "programming_language_version" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/keyvault-not-recoverable.json ================================================ { "description": "Key Vault Not Recoverable", "rationale": "There could be scenarios where users accidently 
run delete/purge commands on key vault or attacker/malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets/certificates allowing access/services will become non-accessible.", "remediation": "From Azure CLI:
az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.KeyVault/vaults/<KEY_VAULT_NAME> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "8.5" } ], "references": [ "https://learn.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli", "https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy" ], "dashboard_name": "Key Vaults", "path": "keyvault.subscriptions.id.vaults.id", "conditions": [ "and", [ "keyvault.subscriptions.id.vaults.id.recovery_protection_enabled", "false", "" ] ], "id_suffix": "recovery_protection_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/keyvault-public-traffic-allowed.json ================================================ { "description": "Key Vaults Allowing Public Network Access", "rationale": "Restricting default network access helps to provide a new layer of security, since key vaults accept connections from clients on any network. To limit access to selected networks, the default action must be changed.", "remediation": "In the Azure console:
  1. Go to Key Vaults
  2. For each key vault, click on the settings menu called Networking.
  3. Go to the tab named Firewalls and virtual networks.
  4. Ensure that you have elected to disable public access, or allow public access from specific virtual networks and IP addresses.
  5. If necessary, add rules to allow traffic from specific networks.
  6. Click Save to apply your changes.
", "compliance": [ ], "references": [ "https://learn.microsoft.com/en-us/azure/key-vault/general/network-security", "https://learn.microsoft.com/en-gb/security/benchmark/azure/baselines/key-vault-security-baseline?context=%2Fazure%2Fkey-vault%2Fgeneral%2Fcontext%2Fcontext#ns-2-secure-cloud-services-with-network-controls" ], "dashboard_name": "Key Vaults", "path": "keyvault.subscriptions.id.vaults.id", "conditions": [ "and", [ "keyvault.subscriptions.id.vaults.id.public_access_allowed", "true", "" ] ], "id_suffix": "public_access_allowed" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/keyvault-rbac-authorization-disabled.json ================================================ { "description": "Key Vault Role Based Access Control Disabled", "rationale": "Azure RBAC provides finer-grained access management of Azure resources than vault access policy. It allows an administrator to set separate permissions on individual keys, secrets and certificates on different scope levels, from a management group level all the way to individual resources. It also allows an administrator to take advantage of privileged identity management functionality such as assigning Just in Time access (JIT) to resources.", "remediation": "In the Azure console:
  1. Go to Key Vaults
  2. For each key vault, go to Access configuration
  3. Set Permission model to Azure role-based access control (recommended)
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "2.0.0", "reference": "8.6" } ], "references": [ "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy", "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide" ], "dashboard_name": "Key Vaults", "path": "keyvault.subscriptions.id.vaults.id", "conditions": [ "and", [ "keyvault.subscriptions.id.vaults.id.rbac_authorization_enabled", "false", "" ] ], "id_suffix": "rbac_authorization_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/logging-monitoring-diagnostic-setting-does-not-exist.json ================================================ { "description": "Diagnostic Setting Does Not Exist", "rationale": "A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.", "remediation": "In the Azure console:
  1. Go to Diagnostic settings
  2. Click on Add diagnostic setting.
  3. Add rules to allow traffic from specific network.
  4. Configure the setting including the export location (This may be Log Analytics/Storage account or Event Hub)
  5. Click on Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "5.1.1" } ], "references": [ "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview#export-the-activity-log-with-a-log-profile", "https://learn.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis" ], "dashboard_name": "Diagnostic Settings", "path": "loggingmonitoring.subscriptions.id.diagnostic_settings.id", "conditions": [ "and", [ "loggingmonitoring.subscriptions.id.diagnostic_settings.id.diagnostic_exist", "false", "" ] ], "id_suffix": "diagnostic_exist" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/logging-monitoring-log-alert-not-exist-create-policy-assignment.json ================================================ { "description": "Activity Log Alert Does Not Exist for Create Policy Assignment", "rationale": "Monitoring for \"Create Policy Assignment\" events gives insight into changes done in \"azure policy -assignments\" and can reduce the time it takes to detect unsolicited changes.", "remediation": "In the Azure console:
  1. Go to Monitor service on Azure Security Center
  2. Select Alerts blade
  3. Click On New alert Rule
  4. Under Scope, click Select resource
  5. Select the appropriate subscription under Filter by subscription
  6. Select Policy Assignment under Filter by resource type
  7. Select All for Filter by location
  8. Click on the subscription from the entries populated under Resource
  9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
  10. Under Condition click Select Condition
  11. Select Create policy assignment signal
  12. Click Done
  13. Under Action group, select appropriate action group
  14. Under Alert rule details, enter rule name and description
  15. Select appropriate resource group
  16. Check Enable alert rule upon creation checkbox
  17. Click Create alert rule
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "5.2.1" } ], "references": [ "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement/", "https://learn.microsoft.com/en-in/azure/azure-monitor/alerts/alerts-activity-log", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Alert Rules", "path": "loggingmonitoring.subscriptions.id.log_alerts.id", "conditions": [ "or", [ "loggingmonitoring.subscriptions.id.log_alerts.id.create_policy_assignment_exist", "false", "" ], [ "loggingmonitoring.subscriptions.id.log_alerts.id.create_policy_assignment_exist", "null", "" ] ], "id_suffix": "create_policy_assignment_exist" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/logging-monitoring-log-alert-not-exist-nsg.json ================================================ { "description": "Activity Log Alert Does Not Exist for _ARG_0_", "rationale": "Monitoring for \"_ARG_0_\" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", "remediation": "In the Azure console:
  1. Go to Monitor service on Azure Security Center
  2. Select Alerts blade
  3. Click On New alert Rule
  4. Under Scope, click Select resource
  5. Select the appropriate subscription under Filter by subscription
  6. Select Policy Assignment under Filter by resource type
  7. Select All for Filter by location
  8. Click on the subscription from the entries populated under Resource
  9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
  10. Under Condition click Select Condition
  11. Select Create policy assignment signal
  12. Click Done
  13. Under Action group, select appropriate action group
  14. Under Alert rule details, enter rule name and description
  15. Select appropriate resource group
  16. Check Enable alert rule upon creation checkbox
  17. Click Create alert rule
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "_ARG_1_" } ], "references": [ "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement/", "https://learn.microsoft.com/en-in/azure/azure-monitor/alerts/alerts-activity-log", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Alert Rules", "path": "loggingmonitoring.subscriptions.id.log_alerts.id", "conditions": [ "or", [ "loggingmonitoring.subscriptions.id.log_alerts.id._ARG_2_", "false", "" ], [ "loggingmonitoring.subscriptions.id.log_alerts.id._ARG_2_", "null", "" ] ], "key": "_ARG_2_", "arg_names": [ "Event", "Associated CIS rule", "Dictionary Value" ], "id_suffix": "_ARG_2_" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/logging-monitoring-log-alert-not-exist-security-solution.json ================================================ { "description": "Activity Log Alert Does Not Exist for _ARG_0_", "rationale": "Monitoring for \"_ARG_0_\" events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.", "remediation": "In the Azure console:
  1. Go to Monitor service on Azure Security Center
  2. Select Alerts blade
  3. Click On New alert Rule
  4. Under Scope, click Select resource
  5. Select the appropriate subscription under Filter by subscription
  6. Select Policy Assignment under Filter by resource type
  7. Select All for Filter by location
  8. Click on the subscription from the entries populated under Resource
  9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
  10. Under Condition click Select Condition
  11. Select Create policy assignment signal
  12. Click Done
  13. Under Action group, select appropriate action group
  14. Under Alert rule details, enter rule name and description
  15. Select appropriate resource group
  16. Check Enable alert rule upon creation checkbox
  17. Click Create alert rule
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "_ARG_1_" } ], "references": [ "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement/", "https://learn.microsoft.com/en-in/azure/azure-monitor/alerts/alerts-activity-log", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Alert Rules", "path": "loggingmonitoring.subscriptions.id.log_alerts.id", "conditions": [ "or", [ "loggingmonitoring.subscriptions.id.log_alerts.id._ARG_2_", "false", "" ], [ "loggingmonitoring.subscriptions.id.log_alerts.id._ARG_2_", "null", "" ] ], "key": "_ARG_2_", "arg_names": [ "Event", "Associated CIS rule", "Dictionary Value" ], "id_suffix": "_ARG_2_" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/logging-monitoring-logging-key-vault-disabled.json ================================================ { "description": "Logging for Azure Key Vault Is Disabled", "rationale": "Monitoring how and when key vaults are accessed, and by whom enables an audit trail of interactions with confidential information, keys and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account that the user provides. 
This creates a new container named insights-logs-auditevent automatically for the specified storage account, and this same storage account can be used for collecting logs for multiple key vaults.", "remediation": "Follow Microsoft Azure documentation and setup Azure Key Vault Logging.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "5.1.5" } ], "references": [ "https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Key Vaults", "path": "loggingmonitoring.subscriptions.id.resources_logging.id", "conditions": [ "and", [ "loggingmonitoring.subscriptions.id.resources_logging.id.diagnostic_key_vault.audit_event_enabled", "false", "" ] ], "id_suffix": "diagnostic_key_vault_audit_event_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/logging-monitoring-profile-does-not-capture-all-activities.json ================================================ { "description": "Audit Profile Does Not Capture All Activities", "rationale": "A log profile controls how the activity log is exported. 
Configuring the log profile to collect logs for the categories \"write\", \"delete\" and \"action\" ensures that all the control/management plane activities performed on the subscription are exported.", "remediation": "On Azure portal there is no provision to check or set categories.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "5.1.2" } ], "references": [ "https://learn.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az-monitor-log-profiles-update", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Profile", "path": "loggingmonitoring.subscriptions.id.log_profiles.id", "conditions": [ "and", [ "loggingmonitoring.subscriptions.id.log_profiles.id.captures_all_activities", "false", "" ] ], "id_suffix": "captures_all_activities" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/mysql-database-servers-ssl-enforcement-disabled.json ================================================ { "description": "Enforce SSL Connection Is Disabled for MySQL Database Server", "rationale": "SSL connectivity helps to provide a new layer of security, by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.", "remediation": "From Azure Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for MySQL server
  3. For each database, click on Connection security
  4. In SSL settings.
  5. Click Enabled to Enforce SSL connection
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.3.2" } ], "references": [ "https://learn.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security", "https://learn.microsoft.com/en-us/azure/mysql/howto-configure-ssl", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit" ], "dashboard_name": "MySQL Servers", "path": "mysqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "mysqldatabase.subscriptions.id.servers.id.ssl_enforcement", "equal", "Disabled" ] ], "id_suffix": "ssl_enforcement" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/network-security-groups-rule-inbound-internet-all.json ================================================ { "description": "Security Group Rules Allowing All Inbound Access", "rationale": "It was detected that all ports in the security group are open, and accessible from the Internet, which creates a wider attack surface for resources assigned to it. 
Open ports should be reduced to the minimum needed to correctly operate and, when possible, source address restrictions should be implemented.", "dashboard_name": "NSGs", "display_path": "network.subscriptions.id.security_groups.id", "path": "network.subscriptions.id.security_groups.id.security_rules.id", "conditions": [ "and", [ "network.subscriptions.id.security_groups.id.security_rules.id.destination_port_ranges", "containAtLeastOneOf", [ "*", "0-65535", "1-65535" ] ], [ "_INCLUDE_(conditions/exposed-to-the-internet.json)", "", "" ], [ "_INCLUDE_(conditions/allow-tcp.json)", "", "" ] ] } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/network-security-groups-rule-inbound-service-mssql.json ================================================ { "description": "Security Group Rules Allowing Inbound MsSQL Access", "rationale": "MsSQL (1433) inbound access should not be allowed to a network security group.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "6.3" } ], "dashboard_name": "NSGs", "display_path": "network.subscriptions.id.security_groups.id", "path": "network.subscriptions.id.security_groups.id.security_rules.id", "conditions": [ "and", [ "network.subscriptions.id.security_groups.id.security_rules.id.destination_ports", "portsInPortList", "1433" ], [ "_INCLUDE_(conditions/exposed-to-the-internet.json)", "", "" ], [ "_INCLUDE_(conditions/allow-tcp.json)", "", "" ] ], "key": "network-security-groups-rule-inbound-MsSQL" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/network-security-groups-rule-inbound-service-udp.json ================================================ { "description": "Security Group Rules Allowing Inbound UDP Access", "rationale": "UDP inbound access should not be allowed to a network security group.", "remediation": "Disable direct UDP access to your Azure Virtual Machines from the Internet. 
After direct UDP access from the Internet is disabled, you have other options you can use to access UDP based services running on these virtual machines:
  1. Point-to-site VPN
  2. Site-to-site VPN
  3. ExpressRoute
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "6.6" } ], "references": [ "https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal", "https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal", "https://learn.microsoft.com/en-us/azure/expressroute/", "https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic" ], "dashboard_name": "NSGs", "display_path": "network.subscriptions.id.security_groups.id", "path": "network.subscriptions.id.security_groups.id.security_rules.id", "conditions": [ "and", [ "_INCLUDE_(conditions/exposed-to-the-internet.json)", "", "" ], [ "_INCLUDE_(conditions/allow-udp.json)", "", "" ] ], "key": "network-security-groups-rule-inbound-UDP" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/network-security-groups-rule-inbound-service.json ================================================ { "description": "Security Group Rules Allowing Inbound _ARG_0_ Access", "rationale": "_ARG_0_ (port _ARG_1_) inbound access should not be allowed to a network security group.", "remediation": "Disable direct _ARG_0_ access to your Azure Virtual Machines from the Internet. After direct _ARG_0_ access from the Internet is disabled, you have other options you can use to access _ARG_0_ based services running on these virtual machines:
  1. Point-to-site VPN
  2. Site-to-site VPN
  3. ExpressRoute
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "_ARG_2_" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "_ARG_2_" } ], "references": [ "https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal", "https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal", "https://learn.microsoft.com/en-us/azure/expressroute/", "https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#disable-rdpssh-access-to-azure-virtual-machines", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security" ], "dashboard_name": "NSGs", "display_path": "network.subscriptions.id.security_groups.id", "path": "network.subscriptions.id.security_groups.id.security_rules.id", "conditions": [ "and", [ "network.subscriptions.id.security_groups.id.security_rules.id.destination_ports", "portsInPortList", "_ARG_1_" ], [ "_INCLUDE_(conditions/exposed-to-the-internet.json)", "", "" ], [ "_INCLUDE_(conditions/allow-tcp.json)", "", "" ] ], "key": "network-security-groups-rule-inbound-_ARG_0_", "arg_names": [ "Protocol (ex: SSH, RDP, etc.)", "Protocol's port", "Associated CIS rule" ] } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/network-watcher-not-enabled.json ================================================ { "description": "Network Watchers Not Enabled", "rationale": "Network watchers should be enabled.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "6.5" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "6.5" } ], "references": [ "https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview", "https://docs.azure.cn/zh-cn/cli/network/watcher?view=azure-cli-latest", 
"https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-create", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-asset-management#am-2-ensure-security-team-has-access-to-asset-inventory-and-metadata" ], "dashboard_name": "Network Configurations", "display_path": "network.subscriptions.id.watchers", "path": "network.subscriptions.id.watchers", "conditions": [ "and", [ "network.subscriptions.id.watchers", "empty", "" ] ], "id_suffix": "network_watchers_disabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/network-watcher-not-provisioned.json ================================================ { "description": "Network Watchers Not Provisioned", "rationale": "Network watchers should be provisioned to work.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "6.5" } ], "dashboard_name": "Network", "display_path": "network.subscriptions.id.watchers.id", "path": "network.subscriptions.id.watchers.id", "conditions": [ "and", [ "network.subscriptions.id.watchers.id.provisioning_state", "notEqual", "Succeeded" ] ], "id_suffix": "network_watchers_not_provisioned" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/postgresql-database-servers-allow-any-ip.json ================================================ { "description": "PostgreSQL Database Allow Ingress 0.0.0.0/0 (Any IP)", "rationale": "If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, setup firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.", "remediation": "From Azure Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for PostgreSQL server
  3. For each database, click on Connection security
  4. In Firewall rules
  5. Ensure Allow access to Azure services is set to 'OFF'
  6. Click Save to apply the changed rule.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.3.9" } ], "references": [ "https://learn.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules", "https://learn.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks" ], "dashboard_name": "PostgreSQL Firewall Rules", "display_path": "postgresqldatabase.subscriptions.id.servers.id", "path": "postgresqldatabase.subscriptions.id.servers.id.postgresql_firewall_rules.id", "conditions": [ "and", [ "postgresqldatabase.subscriptions.id.servers.id.postgresql_firewall_rules.id.start_ip", "equal", "0.0.0.0" ] ], "id_suffix": "start_ip" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/postgresql-database-servers-connection-throttling-not-on.json ================================================ { "description": "Server Parameter Connection Throttling Not Set to 'ON'", "rationale": "Enabling connection_throttling helps the PostgreSQL Database to Set the verbosity of logged messages which in turn generates query and error logs with respect to concurrent connections, that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", "remediation": "From Azure Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for PostgreSQL server
  3. For each database, click on Server parameters
  4. Search for connection_throttling.
  5. Click ON and save.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.3.7" } ], "references": [ "https://learn.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver", "https://learn.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "PostgreSQL Servers", "path": "postgresqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "postgresqldatabase.subscriptions.id.servers.id.connection_throttling.value", "equal", "off" ] ], "id_suffix": "server_connection_throttling_value" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/postgresql-database-servers-log-checkpoints-not-on.json ================================================ { "description": "Server Parameter Log Checkpoints Not Set to 'ON'", "rationale": "Enabling log_checkpoints helps the PostgreSQL Database to Log each checkpoint in turn generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", "remediation": "From Azure Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for PostgreSQL server
  3. For each database, click on Server parameters
  4. Search for log_checkpoints.
  5. Click ON and save.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.3.3" } ], "references": [ "https://learn.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver", "https://learn.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "PostgreSQL Servers", "path": "postgresqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "postgresqldatabase.subscriptions.id.servers.id.log_checkpoints.value", "equal", "off" ] ], "id_suffix": "server_log_checkpoints_value" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/postgresql-database-servers-log-connections-not-on.json ================================================ { "description": "Server Parameter Log Connections Not Set to 'ON'", "rationale": "Enabling log_connections helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.", "remediation": "From Azure Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for PostgreSQL server
  3. For each database, click on Server parameters
  4. Search for log_connections.
  5. Click ON and save.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.3.4" } ], "references": [ "https://learn.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver", "https://learn.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "PostgreSQL Servers", "path": "postgresqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "postgresqldatabase.subscriptions.id.servers.id.log_connections.value", "equal", "off" ] ], "id_suffix": "server_log_connections_value" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/postgresql-database-servers-log-disconnections-not-on.json ================================================ { "description": "Server Parameter Log Disconnections Not Set to 'ON'", "rationale": "Enabling log_disconnections helps PostgreSQL Database log the end of a session, including its duration, which in turn generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", "remediation": "From Azure Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for PostgreSQL server
  3. For each database, click on Server parameters
  4. Search for log_disconnections.
  5. Click ON and save.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.3.5" } ], "references": [ "https://learn.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver", "https://learn.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "PostgreSQL Servers", "path": "postgresqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "postgresqldatabase.subscriptions.id.servers.id.log_disconnections.value", "equal", "off" ] ], "id_suffix": "server_log_disconnections_value" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/postgresql-database-servers-log-duration-not-on.json ================================================ { "description": "Server Parameter Log Duration Not Set to 'ON'", "rationale": "Enabling log_duration helps the PostgreSQL Database to Logs the duration of each completed SQL statement which in turn generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", "remediation": "From Azure Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for PostgreSQL server
  3. For each database, click on Server parameters
  4. Search for log_duration.
  5. Click ON and save.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.3.6" } ], "references": [ "https://learn.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver", "https://learn.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "PostgreSQL Servers", "path": "postgresqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "postgresqldatabase.subscriptions.id.servers.id.log_duration.value", "equal", "off" ] ], "id_suffix": "server_log_duration_value" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/postgresql-database-servers-log-retention-days-less-than-4.json ================================================ { "description": "Server Parameter Log Retention Days Less Than 4", "rationale": "Enabling log_retention_days helps PostgreSQL Database to Sets number of days a log file is retained which in turn generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", "remediation": "From Azure Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for PostgreSQL server
  3. For each database, click on Server parameters
  4. Search for log_retention_days.
  5. Enter value in range 4-7 (inclusive) and save.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.3.8" } ], "references": [ "https://learn.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver", "https://learn.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "PostgreSQL Servers", "path": "postgresqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "postgresqldatabase.subscriptions.id.servers.id.log_retention_days.value", "lessThan", "4" ] ], "id_suffix": "server_log_retention_days_value" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/postgresql-database-servers-ssl-enforcement-disabled.json ================================================ { "description": "Enforce SSL Connection Is Disabled for PostgreSQL Database Server", "rationale": "SSL connectivity helps to provide a new layer of security, by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.", "remediation": "From Azure Console:
  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for PostgreSQL server
  3. For each database, click on Connection security
  4. In SSL settings.
  5. Click Enabled to Enforce SSL connection
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.3.1" } ], "references": [ "https://learn.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit" ], "dashboard_name": "PostgreSQL Servers", "path": "postgresqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "postgresqldatabase.subscriptions.id.servers.id.ssl_enforcement", "equal", "Disabled" ] ], "id_suffix": "ssl_enforcement" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/rbac-administering-resource-locks-assigned.json ================================================ { "description": "No Administering Resource Locks Role", "rationale": "Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.", "remediation": "From Azure Console:
  1. In the Azure portal, open a subscription or resource group where you want the custom role to be assignable.
  2. Select Access control (IAM)
  3. Click Add
  4. Select Add custom role
  5. In the Custom Role Name field enter Resource Lock Administrator
  6. In the Description field enter Can Administer Resource Locks
  7. For Baseline permissions select Start from scratch
  8. Click next
  9. In the Permissions select Add permissions
  10. In the Search for a permission box, type in Microsoft.Authorization/locks to search for permissions.
  11. Select the check box next to the permission called Microsoft.Authorization/locks
  12. Click add
  13. Click Review+create
  14. Click Create
  15. Assign the newly created role to the appropriate user
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "1.23" } ], "references": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles", "https://learn.microsoft.com/en-us/azure/role-based-access-control/check-access" ], "dashboard_name": "Roles", "path": "rbac.subscriptions.id.custom_roles_report.id", "conditions": [ "and", [ "rbac.subscriptions.id.custom_roles_report.id.missing_custom_role_administering_resource_locks", "true", "" ] ], "id_suffix": "missing_custom_role_administering_resource_locks" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/rbac-custom-subscription-owner-role-not-allowed.json ================================================ { "description": "Custom Subscription Owner Role Not Allowed", "rationale": "Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.", "remediation": "From Azure Command Line Interface 2.0:
  1. az role definition list
  2. Check for entries with assignableScope of / or a subscription, and an action of *
  3. Verify the usage and impact of removing the role identified:
  4. az role definition delete --name \"rolename\"
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "1.21" } ], "references": [ "https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access" ], "dashboard_name": "Roles", "path": "rbac.subscriptions.id.roles.id", "conditions": [ "and", [ "rbac.subscriptions.id.roles.id.custom_subscription_owner_role", "true", "" ] ], "id_suffix": "custom_subscription_owner_role" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/securitycenter-auto-provisioning-off.json ================================================ { "description": "No Automatic Provisioning of Monitoring Agent", "rationale": "When Automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.", "remediation": "From Azure console:
  1. Go to Security Center
  2. Click on Pricing & Settings
  3. Click on subscription
  4. Click on Data Collection
  5. Set Automatic provisioning to On
  6. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "2.2" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "2.9" } ], "references": [ "https://learn.microsoft.com/en-us/azure/security-center/security-center-data-security", "https://learn.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection", "https://learn.microsoft.com/en-us/previous-versions/azure/reference/mt704062(v=azure.100)?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/previous-versions/azure/reference/mt704063(v=azure.100)?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list", "https://learn.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments" ], "dashboard_name": "Security Center", "path": "securitycenter.subscriptions.id.auto_provisioning_settings.id", "conditions": [ "and", [ "securitycenter.subscriptions.id.auto_provisioning_settings.id.auto_provision", "false", "" ] ], "id_suffix": "auto_provision" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/securitycenter-security-contacts-email-not-set.json ================================================ { "description": "No Security Contact Email Set", "rationale": "Azure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.", "remediation": "From Azure console:
  1. Go to Security Center
  2. Click on Pricing & Settings
  3. Click on the appropriate Management Group, Subscription, or Workspace
  4. Click on Email notifications
  5. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field
  6. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "2.16" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "2.11" } ], "references": [ "https://learn.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details", "https://learn.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-3-define-security-posture-management-strategy" ], "dashboard_name": "Security contacts", "path": "securitycenter.subscriptions.id.security_contacts.id", "conditions": [ "and", [ "securitycenter.subscriptions.id.security_contacts.id.email", "equal", "" ] ], "id_suffix": "email" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/securitycenter-security-contacts-no-admin-email-notifications.json ================================================ { "description": "\"Sending Email to Security Contact on Alert\" Is \"Off\"", "rationale": "Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.", "remediation": "From Azure console:
  1. Go to Security Center
  2. Click on Pricing & Settings
  3. Click on the appropriate Management Group, Subscription, or Workspace
  4. Click on Email notifications
  5. In the drop down of the All users with the following roles field select Owner
  6. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "2.19" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "2.13" } ], "references": [ "https://learn.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details", "https://learn.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-3-define-security-posture-management-strategy" ], "dashboard_name": "Security contacts", "path": "securitycenter.subscriptions.id.security_contacts.id", "conditions": [ "and", [ "securitycenter.subscriptions.id.security_contacts.id.alerts_to_admins", "false", "" ] ], "id_suffix": "alerts_to_admins" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/securitycenter-security-contacts-no-email-notifications.json ================================================ { "description": "\"Sending Email to Administrators on Alert\" Is \"Off\"", "rationale": "Enabling securityalert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.", "remediation": "From Azure console:
  1. Go to Security Center
  2. Click on Pricing & Settings
  3. Click on the appropriate Management Group, Subscription, or Workspace
  4. Click on Email notifications
  5. Under 'Notification types', check the check box next to Notify about alerts with the following severity (or higher): and select High from the drop down menu
  6. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "2.18" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "2.12" } ], "references": [ "https://learn.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details", "https://learn.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-3-define-security-posture-management-strategy" ], "dashboard_name": "Security contacts", "path": "securitycenter.subscriptions.id.security_contacts.id", "conditions": [ "and", [ "securitycenter.subscriptions.id.security_contacts.id.alert_notifications", "false", "" ] ], "id_suffix": "alert_notifications" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/securitycenter-security-contacts-not-set.json ================================================ { "description": "No Security Contact Set", "rationale": "Set at least one security contact.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "2.16" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "2.17" } ], "dashboard_name": "Security Center", "path": "securitycenter.subscriptions.id.security_contacts", "conditions": [ "and", [ "securitycenter.subscriptions.id.security_contacts", "empty", "" ] ], "id_suffix": "security_contact_not_set" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/securitycenter-security-contacts-phone-not-set.json ================================================ { "description": "No Security Contact Phone Set", "rationale": "Set at least one security contact phone number.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "2.17" } ], "dashboard_name": "Security contacts", "path": 
"securitycenter.subscriptions.id.security_contacts.id", "conditions": [ "and", [ "securitycenter.subscriptions.id.security_contacts.id.phone", "equal", "" ] ], "id_suffix": "phone" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/securitycenter-settings-MCAS-integration-disabled.json ================================================ { "description": "Microsoft Cloud App Security (MCAS) Is Disabled", "rationale": "Security Center offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Security Center detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Cloud App Security.", "remediation": "From Azure console:
  1. Go to Azure Security Center
  2. Select Security policy blade
  3. Click on Edit Settings to alter the security policy for a subscription
  4. Select the Threat Detection blade
  5. Check/Enable option Allow Microsoft Cloud App Security to access my data
  6. Select Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "2.8" } ], "references": [ "https://learn.microsoft.com/en-in/azure/security-center/azure-defender#azure-management-layer-azure-resource-manager-preview", "https://learn.microsoft.com/en-us/rest/api/securitycenter/settings/list", "https://learn.microsoft.com/en-us/rest/api/securitycenter/settings/update" ], "dashboard_name": "Security Settings", "path": "securitycenter.subscriptions.id.settings.id", "conditions": [ "and", [ "securitycenter.subscriptions.id.settings.id.name", "equal", "MCAS" ], [ "securitycenter.subscriptions.id.settings.id.enabled", "false", "" ] ], "id_suffix": "enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/securitycenter-settings-WDATP-integration-disabled.json ================================================ { "description": "Windows Defender ATP (WDATP) Is Disabled", "rationale": "WDATP integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within security center. This integration helps to spot abnormalities, detect and respond to advanced attacks on Windows server endpoints monitored by Azure Security Center. Windows Defender ATP in Security Center supports detection on Windows Server 2016, 2012 R2, and 2008 R2 SP1 operating systems in a Standard service subscription.", "remediation": "From Azure console:
  1. Go to Azure Security Center
  2. Select Security policy blade
  3. Click on Edit Settings to alter the security policy for a subscription
  4. Select the Threat Detection blade
  5. Check/Enable option Allow Windows Defender ATP to access my data
  6. Select Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "2.7" } ], "references": [ "https://learn.microsoft.com/en-in/azure/security-center/security-center-wdatp", "https://learn.microsoft.com/en-us/rest/api/securitycenter/settings/list", "https://learn.microsoft.com/en-us/rest/api/securitycenter/settings/update" ], "dashboard_name": "Security Settings", "path": "securitycenter.subscriptions.id.settings.id", "conditions": [ "and", [ "securitycenter.subscriptions.id.settings.id.name", "equal", "WDATP" ], [ "securitycenter.subscriptions.id.settings.id.enabled", "false", "" ] ], "id_suffix": "enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/securitycenter-standard-tier-not-enabled.json ================================================ { "description": "Standard Tier Not Enabled", "rationale": "Enabling Azure Defender allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", "remediation": "From Azure console:
  1. Go to Security Center
  2. Click on Pricing & Settings
  3. Click on the subscription name
  4. Select Azure Defender plans blade
  5. On the line in the table for the resource type Select On under Plan
  6. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "2.1" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "2.1 to 2.6" } ], "references": [ "https://learn.microsoft.com/en-us/rest/api/securitycenter/pricings/list", "https://learn.microsoft.com/en-us/azure/security-center/security-center-alerts-overview" ], "dashboard_name": "Pricings", "display_path": "securitycenter.subscriptions.id.pricings.id", "path": "securitycenter.subscriptions.id.pricings.id", "conditions": [ "and", [ "securitycenter.subscriptions.id.pricings.id.pricing_tier", "notEqual", "Standard" ] ], "id_suffix": "pricing_tier" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-allow-any-ip.json ================================================ { "description": "SQL Database Allow Ingress 0.0.0.0/0 (Any IP)", "rationale": "SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.", "remediation": "In the Azure console:
  1. Go to SQL servers
  2. For each SQL server
  3. Click on Firewall/Virtual Networks
  4. Set Allow access to Azure services to 'OFF'
  5. Set firewall rules to limit access to only authorized connections
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "6.3" } ], "references": [ "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017", "https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0", "https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure", "https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current" ], "dashboard_name": "Firewall Rules", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id.firewall_rules.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.firewall_rules.id.start_ip", "equal", "0.0.0.0" ] ], "id_suffix": "start_ip" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-databases-auditing-low-retention.json ================================================ { "description": "Short Auditing Retention Period for SQL Databases", "rationale": "Auditing retention period should be greater than _ARG_0_ days. Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.", "remediation": "From Azure Console:\n
  1. Go to SQL servers
  2. For each server instance
  3. Click on Auditing
  4. Select Storage Details
  5. Ensure the Retention (days) setting is greater than 90 days
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.1.3" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.2" } ], "references": [ "https://learn.microsoft.com/en-us/azure/sql-database/sql-database-auditing", "https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0", "https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention" ], "dashboard_name": "SQL Databases", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id.databases.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.databases.id.auditing.retention_days", "notEqual", "0" ], [ "sqldatabase.subscriptions.id.servers.id.databases.id.auditing.retention_days", "lessThan", "_ARG_0_" ] ], "id_suffix": "db_low_auditing_retention" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-databases-no-auditing.json ================================================ { "description": "Auditing Disabled for SQL Databases", "rationale": "Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.", "remediation": "From Azure Console:\n
  1. Go to SQL servers
  2. For each server instance
  3. Click on Auditing
  4. Set Auditing to On
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.1.1" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.2" } ], "references": [ "https://learn.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers", "https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0", "https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0", "https://learn.microsoft.com/en-us/azure/sql-database/sql-database-auditing", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "SQL Databases", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id.databases.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.databases.id.auditing.auditing_enabled", "false", "" ] ], "id_suffix": "db_auditing_disabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-databases-no-threat-detection.json ================================================ { "description": "Threat Detection Disabled for SQL Databases", "rationale": "Enable threat detection for all of SQL databases.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.2" } ], "dashboard_name": "SQL Databases", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id.databases.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.databases.id.threat_detection.threat_detection_enabled", "false", "" ] ], "id_suffix": "db_threat_detection_disabled" } ================================================ FILE: 
ScoutSuite/providers/azure/rules/findings/sqldatabase-databases-no-transparent-data-encryption.json ================================================ { "description": "Data Encryption Disabled for SQL Databases", "rationale": "Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.", "remediation": "From Azure Console:
  1. Go to SQL databases
  2. For each DB instance
  3. Click on Transparent data encryption
  4. Set Data encryption to On
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.1.2" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.2" } ], "references": [ "https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest" ], "dashboard_name": "SQL Databases", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id.databases.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.databases.id.transparent_data_encryption_enabled", "false", "" ] ], "id_suffix": "transparent_data_encryption_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-databases-threat-detection-disabled-alerts.json ================================================ { "description": "Threat Detection Alerts Disabled for SQL Databases", "rationale": "Enable alerts related to threat detections.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.2" } ], "dashboard_name": "SQL Databases", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id.databases.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.databases.id.threat_detection.alerts_enabled", "false", "" ] ], "id_suffix": "db_threat_detection_alerts_disabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-databases-threat-detection-low-retention.json ================================================ { "description": "Short Threat Detection Period for SQL Databases", "rationale": "Threat detection retention period should be greater than _ARG_0_ days.", "compliance": [ { "name": 
"CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.2" } ], "dashboard_name": "SQL Databases", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id.databases.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.databases.id.threat_detection.retention_days", "notEqual", "0" ], [ "sqldatabase.subscriptions.id.servers.id.databases.id.threat_detection.retention_days", "lessThan", "_ARG_0_" ] ], "id_suffix": "db_low_threat_detection_retention" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-databases-threat-detection-send-alerts-disabled.json ================================================ { "description": "Send Threat Detection Alerts Disabled for SQL Databases", "rationale": "Specify email addresses and ensure that alerts are sent to them.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.2.4" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.2.5" } ], "dashboard_name": "SQL Databases", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id.databases.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.databases.id.threat_detection.send_alerts_enabled", "false", "" ] ], "id_suffix": "db_send_threat_detection_alerts_disabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-TDE-not-encrypted-with-customer-managed-key.json ================================================ { "description": "SQL Server TDE Protector Not Encrypted with Customer-Managed Key", "rationale": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azure\u2019s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.", "remediation": "From Azure console:
Go to SQL servers
For the desired server instance
  1. Click on Transparent data encryption
  2. Set Use your own key to YES
  3. Browse through your key vaults to Select an existing key or create a new key in Key Vault
  4. Check Make selected key the default TDE protector
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.5" } ], "references": [ "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=sql-server-ver15", "https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/", "https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault", "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=sql-server-ver15" ], "dashboard_name": "SQL Databases", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.encryption_protectors.TDE_protector_is_encrypted", "false", "" ] ], "id_suffix": "server_encryption_protectors_TDE_protector_is_encrypted" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-auditing-low-retention.json ================================================ { "description": "Short Auditing Retention Period for SQL Servers", "rationale": "Auditing retention period should be greater than _ARG_0_ days.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.1" } ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.auditing.retention_days", "notEqual", "0" ], [ "sqldatabase.subscriptions.id.servers.id.auditing.retention_days", "lessThan", "_ARG_0_" ] ], "id_suffix": "server_low_auditing_retention" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-no-ad-admin-configured.json ================================================ { "description": "Azure Active Directory 
Admin Not Configured for SQL Servers", "rationale": "Azure Active Directory authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management.", "remediation": "From Azure console:
  1. Go to SQL servers
  2. For each SQL server, click on Active Directory admin
  3. Click on Set admin
  4. Select an admin
  5. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.1" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.4" } ], "references": [ "https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell", "https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview", "https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0", "https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system" ], "dashboard_name": "SQL Databases", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.ad_admin", "empty", "" ] ], "id_suffix": "ad_admin" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-no-auditing.json ================================================ { "description": "Auditing Disabled for SQL Servers", "rationale": "Enable auditing for all SQL servers.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.1" } ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.auditing.auditing_enabled", "false", "" ] ], "id_suffix": "server_auditing_disabled" } ================================================ FILE: 
ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-no-threat-detection.json ================================================ { "description": "Advanced Threat Protection (ATP) Disabled for SQL Servers", "rationale": "SQL Server \"Advanced Data Security\" (ADS) provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.2.1" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.1" } ], "references": [ "https://learn.microsoft.com/en-us/azure/sql-database/sql-advanced-threat-protection", "https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql" ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.threat_detection.threat_detection_enabled", "false", "" ] ], "id_suffix": "server_threat_detection_disabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-threat-detection-disabled-alerts.json ================================================ { "description": "Advanced Threat Protection Disabled Types for SQL Servers", "rationale": "Enabling all threat protection types protects against SQL injection, database vulnerabilities, and any other anomalous activities.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.2.2" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.1" } ], "references": [ 
"https://learn.microsoft.com/en-us/azure/sql-database/sql-advanced-threat-protection", "https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql" ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.threat_detection.alerts_enabled", "false", "" ] ], "id_suffix": "server_threat_detection_alerts_disabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-threat-detection-low-retention.json ================================================ { "description": "Short Threat Detection Retention Period for SQL Servers", "rationale": "Threat detection retention period should be greater than _ARG_0_ days.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.1" } ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.threat_detection.retention_days", "notEqual", "0" ], [ "sqldatabase.subscriptions.id.servers.id.threat_detection.retention_days", "lessThan", "_ARG_0_" ] ], "id_suffix": "server_low_threat_detection_retention" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-threat-detection-send-alerts-disabled.json ================================================ { "description": "Send Advanced Threat Protection Alerts Disabled for SQL Servers", "rationale": "Providing the email address and enable Administrator and subscription owner to receive alerts ensures that any detection of anomalous activities is reported as soon as possible, making it more likely to mitigate any potential risk sooner.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", 
"version": "1.2.0", "reference": "4.2.3" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.2.4" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.1.4" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "4.1.5" } ], "references": [ "https://learn.microsoft.com/en-us/azure/sql-database/sql-advanced-threat-protection", "https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql" ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.threat_detection.send_alerts_enabled", "false", "" ] ], "id_suffix": "server_send_threat_detection_alerts_disabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-vulnerability-assessments-disabled.json ================================================ { "description": "Vulnerability Assessment (VA) Is Disabled on SQL Servers", "rationale": "Enabling Advanced Data Security on a SQL server does not enable the Vulnerability Assessment capability for individual SQL databases unless a storage account is set to store the scanning data and reports.", "remediation": "In the Azure console:
  1. Go to SQL servers
  2. For each server instance
  3. Click on Advanced Data Security
  4. Set Advanced Data Security to On if not already
  5. In Section Vulnerability Assessment Settings, Click Storage Accounts
  6. Choose Storage Account (Existing or Create New). Click Ok
  7. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.2.5" } ], "references": [ "https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://learn.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver", "https://learn.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-5.5.0&viewFallbackFrom=azps-2.6.0", "https://learn.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-5.5.0&viewFallbackFrom=azps-2.6.0", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments" ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.server_vulnerability.storage_account_name", "null", "" ] ], "id_suffix": "server_vulnerability_storage_account_name" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-vulnerability-email-notif-to-admins-owners-not-set.json ================================================ { "description": "Send Email Notifications to Admins and Subscription Owners Is Not Set on SQL Servers", "rationale": "ADS -VA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures.", "remediation": "In the Azure console:
  1. Go to SQL servers
  2. For each server instance
  3. Click on Advanced Data Security
  4. Set Advanced Data Security to On if not already
  5. In Section Vulnerability Assessment Settings, set Storage Accounts if not already
  6. Check/enable 'Also send email notifications to admins and subscription owners'
  7. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.2.8" } ], "references": [ "https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://learn.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver", "https://learn.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-5.5.0&viewFallbackFrom=azps-2.6.0", "https://learn.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-5.5.0&viewFallbackFrom=azps-2.6.0", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments" ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.server_vulnerability.email_subscription_admin", "false", "" ] ], "id_suffix": "server_vulnerability_email_subscription_admin" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-vulnerability-recurring-scans-disabled.json ================================================ { "description": "Periodic Recurring Scans Is Disabled on SQL Servers", "rationale": "ADS -VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.", "remediation": "In the Azure console:
  1. Go to SQL servers
  2. For each server instance
  3. Click on Advanced Data Security
  4. Set Advanced Data Security to On if not already
  5. In Section Vulnerability Assessment Settings, set Storage Accounts if not already
  6. Toggle 'Periodic recurring scans' to ON
  7. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.2.6" } ], "references": [ "https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://learn.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver", "https://learn.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-5.5.0&viewFallbackFrom=azps-2.6.0", "https://learn.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-5.5.0&viewFallbackFrom=azps-2.6.0", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments" ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.server_vulnerability.recurring_scans_enabled", "false", "" ] ], "id_suffix": "server_vulnerability_recurring_scans_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-vulnerability-send-scan-reports-to-not-configured.json ================================================ { "description": "Send Scan Report to Is Not Configured on SQL Servers", "rationale": "ADS -VA scan reports and alerts will be sent to email ids configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures.", "remediation": "In the Azure console:
  1. Go to SQL servers
  2. For each server instance
  3. Click on Advanced Data Security
  4. Set Advanced Data Security to On if not already
  5. In Section Vulnerability Assessment Settings, set Storage Accounts if not already
  6. Configure email ids for concerned data owners/stakeholders at 'Send scan reports to'
  7. Click Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "4.2.7" } ], "references": [ "https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://learn.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver", "https://learn.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-5.5.0&viewFallbackFrom=azps-2.6.0", "https://learn.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-5.5.0&viewFallbackFrom=azps-2.6.0", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments" ], "dashboard_name": "SQL Servers", "display_path": "sqldatabase.subscriptions.id.servers.id", "path": "sqldatabase.subscriptions.id.servers.id", "conditions": [ "and", [ "sqldatabase.subscriptions.id.servers.id.server_vulnerability.send_scan_reports_to_not_empty", "false", "" ] ], "id_suffix": "server_vulnerability_send_scan_reports_to_not_empty" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/storageaccount-access-keys-not-rotated.json ================================================ { "description": "Access Keys Not Rotated", "rationale": "When a storage account is created, Azure generates two 512-bit storage access keys, which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result in these keys being compromised.

The access keys storage accounts should be rotated at least every _ARG_0_ days.", "remediation": "Follow Microsoft Azure documentation for regenerating storage account access keys.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "3.2" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "3.2" } ], "references": [ "https://learn.microsoft.com/en-us/azure/storage/common/storage-create-storage-account", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access" ], "dashboard_name": "Storage Accounts", "path": "storageaccounts.subscriptions.id.storage_accounts.id", "conditions": [ "and", [ "storageaccounts.subscriptions.id.storage_accounts.id.shared_key_access_allowed", "true", "" ], [ "or", [ "storageaccounts.subscriptions.id.storage_accounts.id.access_keys_last_rotation_date", "equal", "None" ], [ "storageaccounts.subscriptions.id.storage_accounts.id.access_keys_last_rotation_date", "olderThan", [ "_ARG_0_", "days" ] ] ] ], "id_suffix": "access_keys_rotated" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/storageaccount-account-allowing-clear-text.json ================================================ { "description": "Secure Transfer (HTTPS) Not Enforced", "rationale": "The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection.

For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client.

Because Azure storage does not support HTTPS for custom domain names, this option is not applied when using a custom domain name.", "remediation": "In the Azure console:
  1. Go to Storage Accounts
  2. For each storage account, go to Configuration
  3. Set Secure transfer required to Enabled
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "3.1" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "3.1" } ], "references": [ "https://learn.microsoft.com/en-us/azure/storage/common/storage-security-guide", "https://learn.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer", "https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit", "https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list", "https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit" ], "dashboard_name": "Accounts", "path": "storageaccounts.subscriptions.id.storage_accounts.id", "conditions": [ "and", [ "storageaccounts.subscriptions.id.storage_accounts.id.https_traffic_enabled", "false", "" ] ], "id_suffix": "https_traffic_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/storageaccount-encrypted-not-customer-managed.json ================================================ { "description": "Storage Not Encrypted with Customer Managed Key", "rationale": "By default, data in the storage account is encrypted using Microsoft Managed Keys at rest.

If sensitive information is stored, it should be encrypted using either Server-side Customer-Managed keys or Client-side Encryption. In the case of Client-side Encryption, the data is difficult to decipher if the customer loses the key.

", "remediation": "In the Azure console:
  1. Go to Storage Accounts
  2. For each storage account, go to Encryption
  3. Set Customer Managed Keys
  4. Select the Encryption key and enter the appropriate setting value
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "3.9" } ], "references": [ "https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption", "https://learn.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest" ], "dashboard_name": "Accounts", "path": "storageaccounts.subscriptions.id.storage_accounts.id", "conditions": [ "and", [ "storageaccounts.subscriptions.id.storage_accounts.id.encryption_key_customer_managed", "equal", "False" ] ], "id_suffix": "encryption_key_customer_managed" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/storageaccount-public-blob-container.json ================================================ { "description": "Blob Containers Allowing Public Access", "rationale": "Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature.

It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers.", "remediation": "First, follow Microsoft documentation and create shared access signature tokens for your blob containers.

Then, in the Azure console:
  1. Go to Storage Accounts
  2. For each storage account, go to Containers under Blob Service
  3. For each container, click Access policy
  4. Set Public access level to Private (no anonymous access)
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "3.6" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "3.5" } ], "references": [ "https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access" ], "dashboard_name": "Blob Containers", "display_path": "storageaccounts.subscriptions.id.storage_accounts.id", "path": "storageaccounts.subscriptions.id.storage_accounts.id.blob_containers.id", "conditions": [ "and", [ "storageaccounts.subscriptions.id.storage_accounts.id.blob_containers.id.public_access_allowed", "true", "" ] ], "id_suffix": "public_access_allowed" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/storageaccount-public-traffic-allowed.json ================================================ { "description": "Storage Accounts Allowing Public Traffic", "rationale": "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.", "remediation": "In the Azure console:
  1. Go to Storage Accounts
  2. For each storage account, click on the settings menu called Firewalls and virtual networks.
  3. Ensure that you have elected to allow access from Selected networks.
  4. Add rules to allow traffic from specific network.
  5. Click Save to apply your changes.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "3.7" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "3.6" } ], "references": [ "https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy" ], "dashboard_name": "Storage Accounts", "path": "storageaccounts.subscriptions.id.storage_accounts.id", "conditions": [ "and", [ "storageaccounts.subscriptions.id.storage_accounts.id.public_traffic_allowed", "true", "" ] ], "id_suffix": "public_traffic_allowed" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/storageaccount-soft-delete-enabled.json ================================================ { "description": "Storage Account Soft Delete Disabled", "rationale": "Enabling this configuration for azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects remain recoverable for a particular time which set in the \"Retention policies\" ", "remediation": "In the Azure console:
  1. Go to Storage Accounts
  2. For each storage account, navigate to Data protection
  3. Ensure that soft delete is Enabled
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "3.8" } ], "references": [ "https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete" ], "dashboard_name": "Accounts", "display_path": "storageaccounts.subscriptions.id.storage_accounts.id", "path": "storageaccounts.subscriptions.id.storage_accounts.id.blob_services.id", "conditions": [ "and", [ "storageaccounts.subscriptions.id.storage_accounts.id.blob_services.id.soft_delete_enabled", "false", "" ] ], "id_suffix": "soft_delete_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/storageaccount-trusted-microsoft-services.json ================================================ { "description": "Trusted Microsoft Services Enabled", "rationale": "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.

If the Allow trusted Microsoft services exception is enabled the following services are granted access to the storage account:
  • Azure Backup
  • Azure Site Recovery
  • Azure DevTest Labs
  • Azure Event Grid
  • Azure Event Hubs
  • Azure Networking
  • Azure Monitor
  • Azure SQL Data Warehouse (when registered in the subscription)
", "remediation": "In the Azure console:
  1. Go to Storage Accounts
  2. For each storage account, click on the settings menu called Firewalls and virtual networks.
  3. Ensure that you have elected to allow access from Selected networks.
  4. Enable check box for Allow trusted Microsoft services to access this storage account.
  5. Click Save to apply your changes.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "3.8" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "3.7" } ], "references": [ "https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic" ], "dashboard_name": "Storage Accounts", "path": "storageaccounts.subscriptions.id.storage_accounts.id", "conditions": [ "and", [ "storageaccounts.subscriptions.id.storage_accounts.id.trusted_microsoft_services_enabled", "false", "" ] ], "id_suffix": "trusted_microsoft_services_enabled" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/virtual-machines-disk-encryption.json ================================================ { "description": "Disks Lacking Encryption", "rationale": "Encrypting disks ensures that their entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.", "remediation": "Ensure that disks are encrypted, where possible.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "7.2" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "7.3" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "7.1" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "7.2" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "7.3" } ], "references": [ "https://learn.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview", "https://learn.microsoft.com/en-us/azure/security-center/security-center-apply-disk-encryption" ], "dashboard_name": "Disks", "path": "virtualmachines.subscriptions.id.disks.id", "conditions": [ "and", [ 
"virtualmachines.subscriptions.id.disks.id.encryption_type", "null", "" ], [ "virtualmachines.subscriptions.id.disks.id.encryption_ade", "false", "" ] ], "id_suffix": "encryption_type" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/virtual-machines-extensions-installed.json ================================================ { "description": "Virtual Machine Extensions Installed", "rationale": "Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions.", "remediation": "From Azure console:
  1. Go to Virtual machines
  2. For each virtual machine, go to Settings
  3. Click on Extensions
  4. If there are unapproved extensions, uninstall them.
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.0.0", "reference": "7.4" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.1.0", "reference": "7.4" }, { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "7.4" } ], "references": [ "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/extensions-features", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security" ], "dashboard_name": "Instances", "path": "virtualmachines.subscriptions.id.instances.id", "conditions": [ "and", [ "virtualmachines.subscriptions.id.instances.id.extension_names", "containAtLeastOneDifferentFrom", [ "AzureDiskEncryption", "AzureDiskEncryptionForLinux" ] ] ], "id_suffix": "extensions" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/virtual-machines-managed-disks.json ================================================ { "description": "Virtual Machines Not Utilizing Managed Disks", "rationale": "Managed disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection, it is available if additional encryption is required. Managed disks are by design more resilient that storage accounts.", "remediation": "From Azure console:
  1. Using the search feature, go to Virtual Machines
  2. Select the virtual machine you would like to convert
  3. Select Disks in the menu for the VM
  4. At the top select Migrate to managed disks
  5. You may follow the prompts to convert the disk and finish by selecting 'Migrate' to start the process
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "7.1" } ], "references": [ "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy" ], "dashboard_name": "Instances", "path": "virtualmachines.subscriptions.id.instances.id", "conditions": [ "and", [ "virtualmachines.subscriptions.id.instances.id.storage_profile.OS Managed Disk ID", "equal", "None" ] ], "id_suffix": "OS Managed Disk ID" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/virtual-machines-os-data-encrypted-cmk.json ================================================ { "description": "OS and Data Disks Not Encrypted with CMK", "rationale": "Encrypting the IaaS VM's OS disk (boot volume), Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.", "remediation": "From Azure console:
  1. Go to Virtual machines
  2. For each virtual machine, go to Settings
  3. Click on Disks
  4. Click the X to detach the disk from the VM
  5. Now search for Disks and locate the unattached disk
  6. Click the disk then select Encryption
  7. Change your encryption type, then select your encryption set
  8. Click Save
  9. Go back to the VM and re-attach the disk
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "7.2" } ], "references": [ "https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss", "https://learn.microsoft.com/en-us/azure/security-center/asset-inventory?toc=%2Fazure%2Fsecurity%2Ftoc.json", "https://learn.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest", "https://learn.microsoft.com/en-us/rest/api/compute/disks/delete", "https://learn.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest" ], "dashboard_name": "Disks", "path": "virtualmachines.subscriptions.id.disks.id", "conditions": [ "and", [ "or", [ "virtualmachines.subscriptions.id.disks.id.encryption_type", "null", "" ], [ "virtualmachines.subscriptions.id.disks.id.encryption_type", "equal", "EncryptionAtRestWithPlatformKey" ] ], [ "virtualmachines.subscriptions.id.disks.id.encryption_ade", "false", "" ] ], "id_suffix": "encryption_type" } ================================================ FILE: ScoutSuite/providers/azure/rules/findings/virtual-machines-unattached-disks-encrypted-cmk.json ================================================ { "description": "Unattached Disks Not Encrypted with CMK", "rationale": "Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. 
Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.", "remediation": "If data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks at:
  1. https://learn.microsoft.com/en-us/rest/api/compute/disks/delete
  2. https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete

If data stored in the disk is important, refer to Azure documentation to encrypt the disk at:
  1. https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal
  2. https://learn.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "7.3" } ], "references": [ "https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss", "https://learn.microsoft.com/en-us/azure/security-center/asset-inventory?toc=%2Fazure%2Fsecurity%2Ftoc.json", "https://learn.microsoft.com/en-us/rest/api/compute/disks/delete", "https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete", "https://learn.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings", "https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest" ], "dashboard_name": "Disks", "path": "virtualmachines.subscriptions.id.disks.id", "conditions": [ "and", [ "virtualmachines.subscriptions.id.disks.id.disk_state", "equal", "Unattached" ], [ "or", [ "virtualmachines.subscriptions.id.disks.id.encryption_type", "null", "" ], [ "virtualmachines.subscriptions.id.disks.id.encryption_type", "equal", "EncryptionAtRestWithPlatformKey" ] ], [ "virtualmachines.subscriptions.id.disks.id.encryption_ade", "false", "" ] ], "id_suffix": "encryption_type" } ================================================ FILE: ScoutSuite/providers/azure/rules/rulesets/cis-1.0.0.json ================================================ { "about": "This ruleset covers most of the recommendations from the CIS Microsoft Azure Foundation v1.0.0.", "rules": { "network-security-groups-rule-inbound-service-mssql.json": [ { "enabled": true, "level": "warning" } ], "network-security-groups-rule-inbound-service.json": [ { "args": [ "RDP", "3389", "6.1" ], "enabled": true, "level": "warning" }, { "args": [ "SSH", "22", "6.2" ], "enabled": true, "level": "warning" } ], "network-watcher-not-enabled.json": [ { "enabled": true, "level": "warning" } ], 
"network-watcher-not-provisioned.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-auto-provisioning-off.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-email-not-set.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-no-admin-email-notifications.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-no-email-notifications.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-not-set.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-phone-not-set.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-standard-tier-not-enabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-auditing-low-retention.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "sqldatabase-databases-no-auditing.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-no-threat-detection.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-no-transparent-data-encryption.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-threat-detection-disabled-alerts.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-threat-detection-low-retention.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "sqldatabase-databases-threat-detection-send-alerts-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-auditing-low-retention.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "sqldatabase-servers-no-ad-admin-configured.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-no-auditing.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-no-threat-detection.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-threat-detection-disabled-alerts.json": [ { "enabled": 
true, "level": "warning" } ], "sqldatabase-servers-threat-detection-low-retention.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "sqldatabase-servers-threat-detection-send-alerts-disabled.json": [ { "enabled": true, "level": "warning" } ], "storageaccount-access-keys-not-rotated.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "storageaccount-account-allowing-clear-text.json": [ { "enabled": true, "level": "warning" } ], "storageaccount-public-blob-container.json": [ { "enabled": true, "level": "danger" } ], "virtual-machines-disk-encryption.json": [ { "enabled": true, "level": "warning" } ], "virtual-machines-extensions-installed.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/azure/rules/rulesets/cis-1.1.0.json ================================================ { "about": "This ruleset covers most of the recommendations from the CIS Microsoft Azure Foundation v1.1.0.", "rules": { "appservice-outdated-version-dotnet.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-java.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-php.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-python.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json ================================================ { "about": "This ruleset covers most of the recommendations from the CIS Microsoft Azure Foundation v1.2.0.", "appservice-ftp-deployment-enabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-java.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-php.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-python.json": [ { "enabled": true, "level": "warning" } ], 
"appservice-tls-v1-supported.json": [ { "enabled": true, "level": "warning" } ], "logging-monitoring-diagnostic-setting-does-not-exist.json": [ { "enabled": false, "level": "warning" } ], "logging-monitoring-log-alert-not-exist-security-solution.json": [ { "args": [ "Create/Update Security Solution", "5.2.6", "create_update_security_solution_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Delete Security Solution", "5.2.7", "delete_security_solution_exist" ], "enabled": true, "level": "warning" } ], "logging-monitoring-logging-key-vault-disabled.json": [ { "enabled": false, "level": "warning" } ], "logging-monitoring-profile-does-not-capture-all-activities.json": [ { "enabled": true, "level": "warning" } ], "rules": { "aad-users-create-security-groups-disabled.json": [ { "enabled": true, "level": "danger" } ], "appservice-authentication-disabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-client-certificates-disabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-http-2-disabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-http-allowed.json": [ { "enabled": true, "level": "danger" } ], "appservice-managed-service-identities-disabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-dotnet.json": [ { "enabled": true, "level": "warning" } ], "keyvault-not-recoverable.json": [ { "enabled": true, "level": "warning" } ], "logging-monitoring-log-alert-not-exist-create-policy-assignment.json": [ { "enabled": true, "level": "warning" } ], "logging-monitoring-log-alert-not-exist-nsg.json": [ { "args": [ "Create/Update Network Security Group", "5.2.2", "create_update_NSG_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Delete Network Security Group", "5.2.3", "delete_NSG_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Create/Update Network Security Group Rule", "5.2.4", "create_update_NSG_rule_exist" ], "enabled": true, "level": "warning" }, { 
"args": [ "Delete Network Security Group Rule", "5.2.5", "delete_NSG_rule_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Create/Update/Delete SQL Server Firewall Rule", "5.2.8", "create_delete_firewall_rule_exist" ], "enabled": true, "level": "warning" } ], "mysql-database-servers-ssl-enforcement-disabled.json": [ { "enabled": true, "level": "warning" } ], "network-security-groups-rule-inbound-service-udp.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-allow-any-ip.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-connection-throttling-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-checkpoints-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-connections-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-disconnections-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-duration-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-retention-days-less-than-4.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-ssl-enforcement-disabled.json": [ { "enabled": true, "level": "warning" } ], "rbac-administering-resource-locks-assigned.json": [ { "enabled": true, "level": "danger" } ], "rbac-custom-subscription-owner-role-not-allowed.json": [ { "enabled": true, "level": "danger" } ], "securitycenter-settings-MCAS-integration-disabled.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-settings-WDATP-integration-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-allow-any-ip.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-no-auditing.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-no-transparent-data-encryption.json": [ { "enabled": true, "level": "warning" } ], 
"sqldatabase-databases-threat-detection-low-retention.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "sqldatabase-servers-TDE-not-encrypted-with-customer-managed-key.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-vulnerability-assessments-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-vulnerability-email-notif-to-admins-owners-not-set.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-vulnerability-recurring-scans-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-vulnerability-send-scan-reports-to-not-configured.json": [ { "enabled": true, "level": "warning" } ], "storageaccount-encrypted-not-customer-managed.json": [ { "enabled": true, "level": "warning" } ], "storageaccount-soft-delete-enabled.json": [ { "enabled": true, "level": "warning" } ], "virtual-machines-managed-disks.json": [ { "enabled": true, "level": "warning" } ], "virtual-machines-os-data-encrypted-cmk.json": [ { "enabled": true, "level": "warning" } ], "virtual-machines-unattached-disks-encrypted-cmk.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/azure/rules/rulesets/default.json ================================================ { "about": "This ruleset consists of numerous rules that are considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. 
Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.", "rules": { "aad-guest-users.json": [ { "enabled": true, "level": "warning" } ], "aad-users-create-security-groups-disabled.json": [ { "enabled": true, "level": "danger" } ], "appservice-authentication-disabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-client-certificates-disabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-ftp-deployment-enabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-http-2-disabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-http-allowed.json": [ { "enabled": true, "level": "danger" } ], "appservice-managed-service-identities-disabled.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-dotnet.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-java.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-php.json": [ { "enabled": true, "level": "warning" } ], "appservice-outdated-version-python.json": [ { "enabled": true, "level": "warning" } ], "appservice-tls-v1-supported.json": [ { "enabled": true, "level": "warning" } ], "appservice-webapp-using-outdated-progamming-language-version.json": [ { "enabled": false, "level": "warning" } ], "keyvault-not-recoverable.json": [ { "enabled": true, "level": "warning" } ], "keyvault-public-traffic-allowed.json": [ { "enabled": true, "level": "warning" } ], "keyvault-rbac-authorization-disabled.json": [ { "enabled": true, "level": "warning" } ], "logging-monitoring-diagnostic-setting-does-not-exist.json": [ { "enabled": false, "level": "warning" } ], "logging-monitoring-log-alert-not-exist-create-policy-assignment.json": [ { "enabled": true, "level": "warning" } ], "logging-monitoring-log-alert-not-exist-nsg.json": [ { "args": [ "Create/Update Network Security Group", "5.2.2", 
"create_update_NSG_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Delete Network Security Group", "5.2.3", "delete_NSG_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Create/Update Network Security Group Rule", "5.2.4", "create_update_NSG_rule_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Delete Network Security Group Rule", "5.2.5", "delete_NSG_rule_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Create/Update/Delete SQL Server Firewall Rule", "5.2.8", "create_delete_firewall_rule_exist" ], "enabled": true, "level": "warning" } ], "logging-monitoring-log-alert-not-exist-security-solution.json": [ { "args": [ "Create/Update Security Solution", "5.2.6", "create_update_security_solution_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Delete Security Solution", "5.2.7", "delete_security_solution_exist" ], "enabled": true, "level": "warning" } ], "logging-monitoring-logging-key-vault-disabled.json": [ { "enabled": false, "level": "warning" } ], "logging-monitoring-profile-does-not-capture-all-activities.json": [ { "enabled": true, "level": "warning" } ], "mysql-database-servers-ssl-enforcement-disabled.json": [ { "enabled": true, "level": "warning" } ], "network-security-groups-rule-inbound-internet-all.json": [ { "enabled": true, "level": "danger" } ], "network-security-groups-rule-inbound-service-mssql.json": [ { "enabled": true, "level": "warning" } ], "network-security-groups-rule-inbound-service-udp.json": [ { "enabled": true, "level": "warning" } ], "network-security-groups-rule-inbound-service.json": [ { "args": [ "RDP", "3389", "6.1" ], "enabled": true, "level": "warning" }, { "args": [ "SSH", "22", "6.2" ], "enabled": true, "level": "warning" } ], "network-watcher-not-enabled.json": [ { "enabled": true, "level": "warning" } ], "network-watcher-not-provisioned.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-allow-any-ip.json": [ { "enabled": true, "level": 
"warning" } ], "postgresql-database-servers-connection-throttling-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-checkpoints-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-connections-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-disconnections-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-duration-not-on.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-log-retention-days-less-than-4.json": [ { "enabled": true, "level": "warning" } ], "postgresql-database-servers-ssl-enforcement-disabled.json": [ { "enabled": true, "level": "warning" } ], "rbac-administering-resource-locks-assigned.json": [ { "enabled": true, "level": "danger" } ], "rbac-custom-subscription-owner-role-not-allowed.json": [ { "enabled": true, "level": "danger" } ], "securitycenter-auto-provisioning-off.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-email-not-set.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-no-admin-email-notifications.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-no-email-notifications.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-not-set.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-security-contacts-phone-not-set.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-settings-MCAS-integration-disabled.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-settings-WDATP-integration-disabled.json": [ { "enabled": true, "level": "warning" } ], "securitycenter-standard-tier-not-enabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-allow-any-ip.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-auditing-low-retention.json": [ { 
"args": [ "90" ], "enabled": true, "level": "warning" } ], "sqldatabase-databases-no-auditing.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-no-threat-detection.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-no-transparent-data-encryption.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-threat-detection-disabled-alerts.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-databases-threat-detection-low-retention.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "sqldatabase-databases-threat-detection-send-alerts-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-TDE-not-encrypted-with-customer-managed-key.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-auditing-low-retention.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "sqldatabase-servers-no-ad-admin-configured.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-no-auditing.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-no-threat-detection.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-threat-detection-disabled-alerts.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-threat-detection-low-retention.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "sqldatabase-servers-threat-detection-send-alerts-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-vulnerability-assessments-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-vulnerability-email-notif-to-admins-owners-not-set.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-vulnerability-recurring-scans-disabled.json": [ { "enabled": true, "level": "warning" } ], "sqldatabase-servers-vulnerability-send-scan-reports-to-not-configured.json": [ { "enabled": true, "level": "warning" } 
], "storageaccount-access-keys-not-rotated.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "storageaccount-account-allowing-clear-text.json": [ { "enabled": true, "level": "warning" } ], "storageaccount-encrypted-not-customer-managed.json": [ { "enabled": true, "level": "warning" } ], "storageaccount-public-blob-container.json": [ { "enabled": true, "level": "danger" } ], "storageaccount-public-traffic-allowed.json": [ { "enabled": true, "level": "warning" } ], "storageaccount-soft-delete-enabled.json": [ { "enabled": true, "level": "warning" } ], "storageaccount-trusted-microsoft-services.json": [ { "enabled": true, "level": "warning" } ], "virtual-machines-disk-encryption.json": [ { "enabled": true, "level": "warning" } ], "virtual-machines-extensions-installed.json": [ { "enabled": true, "level": "warning" } ], "virtual-machines-managed-disks.json": [ { "enabled": true, "level": "warning" } ], "virtual-machines-os-data-encrypted-cmk.json": [ { "enabled": true, "level": "warning" } ], "virtual-machines-unattached-disks-encrypted-cmk.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/azure/rules/rulesets/filters.json ================================================ { "about": "Default set of filters for Scout", "rules": {} } ================================================ FILE: ScoutSuite/providers/azure/services.py ================================================ from ScoutSuite.providers.azure.authentication_strategy import AzureCredentials from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.azure.resources.aad.base import AAD from ScoutSuite.providers.azure.resources.rbac.base import RBAC from ScoutSuite.providers.azure.resources.keyvault.base import KeyVaults from ScoutSuite.providers.azure.resources.network.base import Networks from ScoutSuite.providers.azure.resources.securitycenter.base import SecurityCenter from 
ScoutSuite.providers.azure.resources.sqldatabase.base import Servers from ScoutSuite.providers.azure.resources.storageaccounts.base import StorageAccounts from ScoutSuite.providers.azure.resources.virtualmachines.base import VirtualMachines from ScoutSuite.providers.base.services import BaseServicesConfig from ScoutSuite.providers.azure.resources.appservice.base import AppServices from ScoutSuite.providers.azure.resources.mysqldatabase.base import MySQLServers from ScoutSuite.providers.azure.resources.postgresqldatabase.base import PostgreSQLServers from ScoutSuite.providers.azure.resources.loggingmonitoring.base import LoggingMonitoring # Try to import proprietary services try: from ScoutSuite.providers.azure.resources.private_appgateway.base import ApplicationGateways except ImportError: pass try: from ScoutSuite.providers.azure.resources.private_rediscache.base import RedisCaches except ImportError: pass try: from ScoutSuite.providers.azure.resources.private_loadbalancer.base import LoadBalancers except ImportError: pass class AzureServicesConfig(BaseServicesConfig): def __init__(self, credentials: AzureCredentials = None, subscription_ids=[], all_subscriptions=None, programmatic_execution=None, **kwargs): super().__init__(credentials) facade = AzureFacade(credentials, subscription_ids, all_subscriptions, programmatic_execution) self.aad = AAD(facade) self.rbac = RBAC(facade) self.securitycenter = SecurityCenter(facade) self.sqldatabase = Servers(facade) self.storageaccounts = StorageAccounts(facade) self.keyvault = KeyVaults(facade) self.network = Networks(facade) self.virtualmachines = VirtualMachines(facade) self.appservice = AppServices(facade) self.mysqldatabase = MySQLServers(facade) self.postgresqldatabase = PostgreSQLServers(facade) self.loggingmonitoring = LoggingMonitoring(facade) # Instantiate proprietary services try: self.appgateway = ApplicationGateways(facade) except NameError as _: pass try: self.loadbalancer = LoadBalancers(facade) except 
NameError as _: pass try: self.rediscache = RedisCaches(facade) except NameError as _: pass def _is_provider(self, provider_name): return provider_name == 'azure' async def fetch(self, services: list, regions: list, excluded_regions: list): await super().fetch(services, regions, excluded_regions) # This is a unique case where we'll want to fetch additional resources (in the AAD service) in the # event the RBAC service was included. There's no existing cross-service fetching logic (only cross-service # processing), hence why we needed to add this. if 'rbac' in services and 'aad' in services: user_list = self.rbac.get_user_id_list() await self.aad.fetch_additional_users(user_list) ================================================ FILE: ScoutSuite/providers/azure/utils.py ================================================ import re def get_resource_group_name(id): return re.findall("/resourceGroups/(.*?)/", id)[0] ================================================ FILE: ScoutSuite/providers/base/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/base/authentication_strategy.py ================================================ from abc import ABCMeta, abstractmethod class AuthenticationStrategy(metaclass=ABCMeta): """ This class represents an authentication strategy. """ @abstractmethod def authenticate(self, **kwargs): """ Given parameters, this authenticates the user to a provider and returns a credentials object. 
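"""
        raise NotImplementedError()


class AuthenticationException(Exception):
    """
    Error raised when authenticating to a provider fails.

    :param message: Description of the failure, passed to `Exception`
    :param errors:  Optional additional error details, kept on `self.errors`
    """

    def __init__(self, message, errors=None):
        super().__init__(message)
        self.errors = errors


================================================
FILE: ScoutSuite/providers/base/authentication_strategy_factory.py
================================================
# Allow-list of provider codes, mapped to the name of the strategy class that is looked up in
# ScoutSuite.providers.<provider>.authentication_strategy. Only keys present here can reach the dynamic import below.
_strategies = {
    'aws': 'AWSAuthenticationStrategy',
    'gcp': 'GCPAuthenticationStrategy',
    'azure': 'AzureAuthenticationStrategy',
    'aliyun': 'AliyunAuthenticationStrategy',
    'oci': 'OracleAuthenticationStrategy',
    'kubernetes': 'KubernetesAuthenticationStrategy',
    'do': 'DigitalOceanAuthenticationStrategy'
}


def import_authentication_strategy(provider):
    """
    Import the authentication strategy module of a provider and return its strategy class.

    The provider code is resolved through `_strategies` before it is interpolated into the module name, so an
    unknown value fails with KeyError and never reaches the import machinery.

    :param provider:    Provider code, one of the keys of `_strategies`
    :return:            The strategy class (not an instance)
    :raises KeyError:   If `provider` is not a key of `_strategies`
    """
    # Function-scope import keeps this file's top level unchanged.
    import importlib

    strategy_class = _strategies[provider]
    # importlib.import_module returns the leaf module directly, which is what __import__ needed `fromlist` for.
    module = importlib.import_module(f'ScoutSuite.providers.{provider}.authentication_strategy')
    return getattr(module, strategy_class)


def get_authentication_strategy(provider: str):
    """
    Returns an authentication strategy implementation for a provider.

    :param provider:    Provider code, one of the keys of `_strategies`
    :return:            A new instance of the provider's strategy class, built without arguments
    """
    authentication_strategy = import_authentication_strategy(provider)
    return authentication_strategy()


================================================
FILE: ScoutSuite/providers/base/configs/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/base/configs/browser.py
================================================
import copy

from ScoutSuite.core.console import print_exception


########################################
# Functions
########################################

def combine_paths(path1, path2):
    """
    Apply the components of `path2` to `path1`; a '..' component drops the last element, any other is appended.

    NOTE: no copy is made. `path1` is modified in place and is the object that is returned, so callers that need
    the original list must pass a copy. A '..' applied to an empty list raises IndexError.

    :param path1:   List of path components (mutated)
    :param path2:   Iterable of components to apply
    :return:        `path1`, after modification
    """
    path = path1
    for p in path2:
        if p == '..':
            del (path[-1])
        else:
            path.append(p)
    return path


def get_object_at(object, path, attribute_name=None):
    """
    Get arbitrary object given a dictionary and path (list of keys).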
:param object: :param path: :param attribute_name: :return: """ o = object for p in path: if type(o) is dict: o = o[p] else: o = getattr(o, p) if attribute_name: if type(o) is dict: return o[attribute_name] else: return getattr(o, attribute_name) else: return o def get_value_at(all_info, current_path, key, to_string=False): """ Get value located at a given path. :param all_info: All of the services' data :param current_path: The value of the `path` variable defined in the finding file :param key: The key that is being requested :param to_string: Whether or not the returned value should be casted as a string :return: The value in `all_info` indicated by the `key` in `current_path` """ keys = key.split('.') if keys[-1] == 'id': target_obj = current_path[len(keys) - 1] else: if key == 'this': target_path = current_path elif '.' in key: target_path = [] for i, key in enumerate(keys): try: # If 'id', replace by value if key == 'id': target_path.append(current_path[i]) # If empty key and value is an index, keep the index elif key == '' and i < len(current_path) and current_path[i].isdigit(): target_path.append(int(current_path[i])) # Otherwise, use key else: target_path.append(key) except Exception as e: print_exception(f'Unable to get index \"{i}\" from path \"{current_path}\": {e}', additional_details={'current_path': current_path, 'target_path': target_path, 'key': key, 'i': i}) return None if len(keys) > len(current_path): target_path = target_path + keys[len(target_path):] else: target_path = copy.deepcopy(current_path) target_path.append(key) target_obj = all_info for p in target_path: try: if type(target_obj) == list and type(target_obj[0]) == dict: target_obj = target_obj[int(p)] elif type(target_obj) == list and type(p) == int: target_obj = target_obj[p] elif type(target_obj) == list and p.isdigit(): target_obj = target_obj[int(p)] elif type(target_obj) == list: target_obj = p elif p == '': pass elif target_obj is None: pass else: target_obj = target_obj.get(p) 
except Exception as e: print_exception(f'Unable to get \"{p}\" from target object \"{target_obj}\" in path \"{target_path}\": {e}', additional_details={'current_path': current_path, 'target_obj': target_obj, 'p': p}) return None if to_string: return str(target_obj) else: return target_obj ================================================ FILE: ScoutSuite/providers/base/provider.py ================================================ import copy import json from ScoutSuite import __version__ as scout_version from ScoutSuite.core.console import print_exception, print_info, print_error from ScoutSuite.output.html import ScoutReport from ScoutSuite.providers.base.configs.browser import get_object_at class BaseProvider: """ Base class for the different providers. Root object that holds all of the necessary provider-specific resources and Scout configuration items. For each supported cloud provider, a child class will be created which implements the necessary code. In addition, each method of children classes will call the base provider in order to execute code required for all cloud providers """ def __init__(self, report_dir=None, timestamp=None, services=None, skipped_services=None, result_format='json', **kwargs): """ :account_id account ID :last_run Information about the last run :metadata Metadata used to generate the HTML report :ruleset Ruleset used to perform the analysis :services AWS configuration sorted by service """ services = [] if services is None else services skipped_services = [] if skipped_services is None else skipped_services self.last_run = None self.metadata = None self._load_metadata() if not hasattr(self, 'services'): self.services = self.services_config(self.credentials) supported_services = vars(self.services).keys() # Ensures "credentials" is not included supported_services = list(supported_services) supported_services.remove('credentials') self.service_list = self._build_services_list(supported_services, services, skipped_services) def 
get_report_name(self): """ Returns the name of the report using the provider's configuration """ return 'base' def preprocessing(self, ip_ranges=None, ip_ranges_name_key=None): """ Used for adding cross-services configs. """ # Preprocessing dictated by metadata self._process_metadata_callbacks() def postprocessing(self, current_time, ruleset, run_parameters): """ Sets post-run information. """ self._update_metadata() self._update_last_run(current_time, ruleset, run_parameters) async def fetch(self, regions=None, excluded_regions=None, partition_name=None): """ Fetch resources for each service :param regions: :param excluded_regions: :param partition_name: :return: """ regions = [] if regions is None else regions excluded_regions = [] if excluded_regions is None else excluded_regions # TODO: determine partition name based on regions and warn if multiple partitions... await self.services.fetch(self.service_list, regions, excluded_regions) # TODO implement this properly """ This is quite ugly but the legacy Scout expects the configurations to be dictionaries. Eventually this should be moved to objects/attributes, but that will require significant re-write. 
""" report = ScoutReport(self.provider_code, 'placeholder') self.services = report.encoder.to_dict(self.services) def _load_metadata(self): """ Load the metadata as defined in the child class metadata_path attribute :return: None """ # Load metadata with open(self.metadata_path) as f: self.metadata = json.load(f) @staticmethod def _build_services_list(supported_services, services, skipped_services): # Ensure services and skipped services exist, otherwise log exception error = False for service in services + skipped_services: if service not in supported_services: print_error(f'Service \"{service}\" does not exist, skipping') error = True if error: print_info('Available services are: {}'.format(str(list(supported_services)).strip('[]'))) return [s for s in supported_services if (services == [] or s in services) and s not in skipped_services] def _update_last_run(self, current_time, ruleset, run_parameters): last_run = { 'time': current_time.strftime("%Y-%m-%d %H:%M:%S%z"), 'run_parameters': run_parameters, 'version': scout_version, 'ruleset_name': ruleset.name, 'ruleset_about': ruleset.about, 'summary': {} } for service in self.services: last_run['summary'][service] = {'checked_items': 0, 'flagged_items': 0, 'max_level': 'warning', 'rules_count': 0, 'resources_count': 0} if self.services[service] is None: # Not supported yet continue elif 'findings' in self.services[service]: for finding in self.services[service]['findings'].values(): last_run['summary'][service]['rules_count'] += 1 last_run['summary'][service]['checked_items'] += finding['checked_items'] last_run['summary'][service]['flagged_items'] += finding['flagged_items'] items = finding.get('items', []) if last_run['summary'][service]['max_level'] != 'danger' and len(items) > 0: last_run['summary'][service]['max_level'] = finding['level'] # Total number of resources for key in self.services[service]: if key != 'regions_count' and key.endswith('_count'): last_run['summary'][service]['resources_count'] += 
self.services[service][key] self.last_run = last_run def _update_metadata(self): service_map = {} for service_group in self.metadata: for service in self.metadata[service_group]: if service not in self.service_list: continue if 'hidden' in self.metadata[service_group][service] and \ self.metadata[service_group][service]['hidden'] == True: continue if 'resources' not in self.metadata[service_group][service]: continue service_map[service] = service_group for resource in self.metadata[service_group][service]['resources']: # full_path = path if needed if 'full_path' not in self.metadata[service_group][service]['resources'][resource]: self.metadata[service_group][service]['resources'][resource]['full_path'] = \ self.metadata[service_group][service]['resources'][resource]['path'] # Script is the full path minus "id" (TODO: change that) if 'script' not in self.metadata[service_group][service]['resources'][resource]: self.metadata[service_group][service]['resources'][resource]['script'] = '.'.join( [x for x in self.metadata[service_group][service]['resources'][resource]['full_path'].split( '.') if x != 'id']) # Update counts self.metadata[service_group][service]['resources'][resource]['count'] = \ self.recursive_get_count(resource, self.services[service]) def recursive_get_count(self, resource, resources): """ Recursively look for counts of a specific resource in a resource tree. 
""" count = 0 resource_count = '%s_count' % resource if isinstance(resources, dict): if resource_count in resources.keys(): count += resources[resource_count] else: for k in resources.keys(): count += self.recursive_get_count(resource, resources[k]) return count def manage_object(self, object, attr, init, callback=None): """ This is a quick-fix copy of Opinel's manage_dictionary in order to support the new ScoutSuite object which isn't a dict """ if type(object) == dict: if not str(attr) in object: object[str(attr)] = init self.manage_object(object, attr, init) else: if not hasattr(object, attr): setattr(object, attr, init) self.manage_object(object, attr, init) if callback: callback(getattr(object, attr)) return object def _process_metadata_callbacks(self): """ Iterates through each type of resource and, when callbacks have been configured in the config metadata, recurse through each resource and calls each callback. :param self.config: The entire AWS configuration object :return: None """ # Service-level summaries for service_group in self.metadata: for service in self.metadata[service_group]: if service == 'summaries' or service not in self.service_list: continue # Reset external attack surface if 'summaries' in self.metadata[service_group][service]: for summary in self.metadata[service_group][service]['summaries']: if summary == 'external attack surface' and \ service in self.services and \ 'external_attack_surface' in self.services[service]: self.services[service].pop('external_attack_surface') # Reset all global summaries if hasattr(self, 'service_groups'): del self.service_groups # Resources for resource_type in self.metadata[service_group][service]['resources']: if 'callbacks' in self.metadata[service_group][service]['resources'][resource_type]: current_path = ['services', service] target_path = self.metadata[service_group][service]['resources'][resource_type][ 'path'].replace('.id', '').split('.')[2:] callbacks = 
self.metadata[service_group][service]['resources'][resource_type][ 'callbacks'] self._new_go_to_and_do(self.services[service], target_path, current_path, callbacks) # Summaries if 'summaries' in self.metadata[service_group][service]: for summary in self.metadata[service_group][service]['summaries']: if 'callbacks' in self.metadata[service_group][service]['summaries'][summary]: current_path = ['services', service] for callback in self.metadata[service_group][service]['summaries'][summary]['callbacks']: callback_name = callback[0] callback_args = copy.deepcopy(callback[1]) target_path = callback_args.pop('path').replace('.id', '').split('.')[2:] callbacks = [[callback_name, callback_args]] self._new_go_to_and_do(self.services[service], target_path, current_path, callbacks) # Group-level summaries for service_group in self.metadata: if 'summaries' in self.metadata[service_group]: for summary in self.metadata[service_group]['summaries']: for callback in self.metadata[service_group]['summaries'][summary]['callbacks']: callback_name = callback[0] target_path = self.metadata[service_group]['summaries'][summary]['path'].split('.') # quick fix as legacy Scout expects "self" to be a dict target_object = self for p in target_path: self.manage_object(target_object, p, {}) if type(target_object) == dict: target_object = target_object[p] else: target_object = getattr(target_object, p) if callback_name == 'merge': for service in self.metadata[service_group]: if service == 'summaries': continue if 'summaries' in self.metadata[service_group][service] and \ summary in self.metadata[service_group][service]['summaries']: try: source = get_object_at(self, self.metadata[service_group][service]['summaries'][ summary]['path'].split('.')) except Exception as e: source = {} try: target_object.update(source) except Exception as e: if target_object: raise e return None def _go_to_and_do(self, current_config, path, current_path, callback, callback_args=None): """ Recursively go to a target and 
execute a callback """ try: key = path.pop(0) if not current_config and hasattr(self, 'config'): current_config = self.config if not current_path: current_path = [] keys = key.split('.') if len(keys) > 1: while True: key = keys.pop(0) if not len(keys): break current_path.append(key) current_config = current_config[key] if key in current_config: current_path.append(key) current_config_key = current_config[key] for (i, value) in enumerate(list(current_config_key)): if len(path) == 0: if type(current_config_key == dict) and type(value) != dict and type(value) != list: callback(current_config_key[value], path, current_path, value, callback_args) else: callback(current_config, path, current_path, value, callback_args) else: tmp = copy.deepcopy(current_path) try: tmp.append(value) self._go_to_and_do(current_config_key[value], copy.deepcopy(path), tmp, callback, callback_args) except: tmp.pop() tmp.append(i) self._go_to_and_do(current_config_key[i], copy.deepcopy(path), tmp, callback, callback_args) except Exception as e: print_exception(e, {'current path': f'{current_path}', 'key': '{}'.format(key if 'key' in locals() else 'not defined'), 'value': '{}'.format(value if 'value' in locals() else 'not defined'), 'path': f'{path}', } ) def _new_go_to_and_do(self, current_config, path, current_path, callbacks): """ Recursively go to a target and execute a callback """ try: key = path.pop(0) if not current_config: current_config = self.config if not current_path: current_path = [] keys = key.split('.') if len(keys) > 1: while True: key = keys.pop(0) if not len(keys): break current_path.append(key) current_config = current_config[key] if key in current_config: current_path.append(key) for (i, value) in enumerate(list(current_config[key])): if len(path) == 0: for callback_info in callbacks: callback_name = callback_info[0] try: callback = getattr(self, callback_name) callback_args = callback_info[1] if type(current_config[key] == dict) and type(value) != dict and type(value) != 
list: callback(current_config[key][value], path, current_path, value, callback_args) else: callback(current_config, path, current_path, value, callback_args) except Exception as e: print_exception(f'Error when calling callback {callback_name} with value {value}: {e}', {'callback': callback_name, 'callback arguments': callback_args, 'current path': f'{current_path}', 'key': '{}'.format(key if 'key' in locals() else 'not defined'), 'value': '{}'.format( value if 'value' in locals() else 'not defined'), 'path': f'{path}'}) else: tmp = copy.deepcopy(current_path) try: tmp.append(value) self._new_go_to_and_do(current_config[key][value], copy.deepcopy(path), tmp, callbacks) except: tmp.pop() tmp.append(i) self._new_go_to_and_do(current_config[key][i], copy.deepcopy(path), tmp, callbacks) except Exception as e: print_exception(e, {'current path': f'{current_path}', 'key': '{}'.format(key if 'key' in locals() else 'not defined'), 'value': '{}'.format(value if 'value' in locals() else 'not defined'), 'path': f'{path}', } ) ================================================ FILE: ScoutSuite/providers/base/resources/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/base/resources/base.py ================================================ """ This module provides some abstract classes for representing a hierarchical structure. Especially since all cloud providers (AWS, Azure and GCP for now) organize their resources (virtual machines, databases, load balancers, user accounts and so on...) with some kind of hierarchy, these classes may be used to reflect that. 
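"""

import abc
import asyncio

from ScoutSuite.core.console import print_exception


async def call(child_name, child):
    """Calls the child class and implements async error handling.

    Any exception raised while awaiting `child()` is reported through `print_exception` and is not re-raised.
    A failed fetch therefore does not stop the other fetches, and the affected resources may be incomplete in
    the collected data.

    :param child_name:  Name of the resource, used in the error message only
    :param child:       Callable returning an awaitable; its `__name__` is used in the error message
    """
    try:
        task = asyncio.ensure_future(child())
        await task
    except Exception as e:
        print_exception(f'Failed to call {child.__name__}() for resource {child_name}: {e}')


class Resources(dict, metaclass=abc.ABCMeta):
    """This is the base class of a hierarchical structure. Everything is basically `Resources`.
    It stores in its internal dictionary instances of a given type of resources, with instance ids as keys and
    instance configurations (which store other nested resources) as values.
    """

    def __init__(self, service_facade):
        """
        :param service_facade: Facade kept on `self.facade`; `CompositeResources` passes it on to its children
        """
        self.facade = service_facade
        super().__init__()

    @abc.abstractmethod
    async def fetch_all(self, **kwargs):
        """Fetches, parses and stores instances of a given type of resources from a cloud provider API.

        :param kwargs:
        :return:
        """
        raise NotImplementedError()


class CompositeResources(Resources, metaclass=abc.ABCMeta):
    """This class represents a node in the hierarchical structure. As inherited from `Resources`, it still
    stores instances of a given type of resources internally but also stores some kind of nested resources
    referred to as its 'children'.
    """

    @property
    @abc.abstractmethod
    def _children(self):
        """A class that inherits from 'CompositeResources' should define a private '_children' attribute, typically a
        list of `Resources` classes. That is enforced by this abstract property.

        `_fetch_children` unpacks each entry as a `(child_class, child_name)` pair.
        """
        raise NotImplementedError

    async def _fetch_children_of_all_resources(self, resources: dict, scopes: dict):
        """ This method iterates through a collection of resources and fetches all children of each resource, in a
        concurrent way.

        :param resources: dict of (composite) resources, keyed by resource parent key
        :param scopes: dict that maps resource parent keys to scopes (dict) that should be used to retrieve children
        of each resource.
        """
        if len(resources) == 0:
            return

        tasks = {
            asyncio.ensure_future(
                self._fetch_children(
                    resource_parent=resource_parent,
                    scope=scopes[resource_parent_key])
            ) for (resource_parent_key, resource_parent) in resources.items()
        }
        # NOTE: asyncio.wait() does not re-raise exceptions from the tasks; an exception escaping
        # _fetch_children stays stored on its task and is not reported here.
        await asyncio.wait(tasks)

    async def _fetch_children(self, resource_parent: object, scope: dict = None):
        """This method fetches all children of a given resource (the so called 'resource_parent') by calling fetch_all
        method on each child defined in '_children' and then stores the fetched resources in `resource_parent` under
        the key associated with the child. It also creates a "_count" entry for each child.

        Fetch errors are handled by `call`, which logs them without raising; the parent is still updated with
        whatever the child holds afterwards.

        :param resource_parent: The resource in which the children will be stored.
        :param scope: The scope passed to the children constructors (defaults to no extra arguments).
        """
        # A fresh dict per call instead of a mutable default argument shared between calls.
        scope = {} if scope is None else scope

        children = [(child_class(self.facade, **scope), child_name)
                    for (child_class, child_name) in self._children]

        # Fetch all children concurrently.
        tasks = [asyncio.create_task(call(child_name, child.fetch_all))
                 for (child, child_name) in children]
        # asyncio.wait() raises ValueError on an empty collection, which happens when '_children' is empty.
        if tasks:
            await asyncio.wait(tasks)

        # Update parent content:
        for child, child_name in children:
            if child_name is None:
                # No key for this child: merge its entries straight into the parent.
                resource_parent.update(child)
            else:
                if resource_parent.get(child_name) is None:
                    resource_parent[child_name] = {}
                    resource_parent[child_name + '_count'] = 0
                resource_parent[child_name].update(child)
                resource_parent[child_name + '_count'] += len(child)


================================================
FILE: ScoutSuite/providers/base/services.py
================================================
import asyncio

from ScoutSuite.core.console import print_exception, print_debug, print_info
from ScoutSuite.providers.aws.utils import get_partition_name
from ScoutSuite.utils import format_service_name


class BaseServicesConfig:
    """
    Base container for a provider's services: every attribute other than `credentials` is treated as a service
    by `fetch`.
    """

    def __init__(self, credentials):
        self.credentials = credentials

    def _is_provider(self, provider_name):
        """
        Tell whether this configuration belongs to the given provider; the base implementation always answers False.
        """
        return False

    async def fetch(self, services: list, regions: list, excluded_regions: list):
        """
        Fetch the requested services concurrently.

        NOTE: 'credentials' is removed from `services` in place, so the caller's list is modified.

        :param services:            Names of the service attributes to fetch
        :param regions:             Passed to each service's `fetch_all` when non-empty
        :param excluded_regions:    Passed to each service's `fetch_all` when non-empty
        """
        if not services:
            print_debug('No services to scan')
        else:
            # Remove "credentials" as it isn't a service
            if 'credentials' in services:
                services.remove('credentials')

            # Print services that are going to get skipped:
            for service in vars(self):
                if service not in services and service != 'credentials':
                    print_debug('Skipping the {} service'.format(format_service_name(service)))

            # Then, fetch concurrently all services:
            if services:
                tasks = {
                    asyncio.ensure_future(
                        self._fetch(service, regions, excluded_regions)
                    ) for service in services
                }
                await asyncio.wait(tasks)

    async def _fetch(self, service, regions=None, excluded_regions=None):
        """
        Fetch a single service, then call its `finalize` coroutine when it has one.

        Every exception is caught and reported, never propagated: a service that could not be fetched does not
        stop the run, and its data may be missing or incomplete afterwards.

        :param service:             Name of the service attribute on this object
        :param regions:             Added to the `fetch_all` arguments when non-empty
        :param excluded_regions:    Added to the `fetch_all` arguments when non-empty
        """
        try:
            print_info('Fetching resources for the {} service'.format(format_service_name(service)))
            service_config = getattr(self, service)
            # call fetch method for the service
            if 'fetch_all' in dir(service_config):
                method_args = {}

                if regions:
                    method_args['regions'] = regions
                if excluded_regions:
                    method_args['excluded_regions'] = excluded_regions

                # The partition name is only passed for AWS, and not for its 'iam' service.
                if self._is_provider('aws'):
                    if service != 'iam':
                        method_args['partition_name'] = get_partition_name(self.credentials.session)

                await service_config.fetch_all(**method_args)
                if hasattr(service_config, 'finalize'):
                    await service_config.finalize()
            else:
                print_debug(f'No method to fetch service {service}.')
        except Exception as e:
            # Report through the console helper only; the message already carries the exception text, so the
            # raw exception is not additionally written to stdout.
            print_exception(f'Could not fetch {format_service_name(service)} configuration: {e}')


================================================
FILE: ScoutSuite/providers/do/authentication_strategy.py
================================================
from ScoutSuite.providers.do import utils
from ScoutSuite.providers.base.authentication_strategy import AuthenticationException
from ScoutSuite.providers.base.authentication_strategy import AuthenticationStrategy
from ScoutSuite.core.console import print_warning
from pydo import Client
import logging
import boto3


class DoCredentials:
    """
    Credentials object returned by the DigitalOcean authentication strategy.

    :param client:  Authenticated API client
    :param session: Optional session for the Spaces service; None when no Spaces keys were supplied
    """

    def __init__(self, client, session=None):
        self.client = client
        self.session = session


class DigitalOceanAuthenticationStrategy(AuthenticationStrategy):
    def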
authenticate(self, token=None, access_key=None, access_secret=None, **kwargs): """ Handles authentication to DigitalOcean. """ try: self.client = Client(token) # a simple request here to make sure the authentication is successful self.client.account.get() if not (access_key and access_secret): print_warning( f"Missing credentials for spaces: Skipping DO Spaces service" ) return DoCredentials(client=self.client) else: # Set logging level to error for libraries as otherwise generates a lot of warnings logging.getLogger("botocore").setLevel(logging.ERROR) logging.getLogger("botocore.auth").setLevel(logging.ERROR) logging.getLogger("urllib3").setLevel(logging.ERROR) session = boto3.Session( aws_access_key_id=access_key, aws_secret_access_key=access_secret, ) # make sure the DO spaces authentication is successful region = "blr1" spaces_client = utils.get_client("s3", session, region) spaces_client.list_buckets() return DoCredentials(client=self.client, session=session) except Exception as e: raise AuthenticationException(e) ================================================ FILE: ScoutSuite/providers/do/facade/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/do/facade/base.py ================================================ from ScoutSuite.providers.do.facade.droplet import DropletFacade from ScoutSuite.providers.do.facade.networking import Networkingfacade from ScoutSuite.providers.do.facade.database import DatabasesFacade from ScoutSuite.providers.do.facade.spaces import SpacesFacade from ScoutSuite.providers.do.facade.kubernetes import KubernetesDoFacade from ScoutSuite.providers.do.authentication_strategy import DoCredentials class DoFacade: def __init__(self, credentials: DoCredentials): self._credentials = credentials self._instantiate_facades() def _instantiate_facades(self): self.droplet = DropletFacade(self._credentials) self.networking = Networkingfacade(self._credentials) 
self.database = DatabasesFacade(self._credentials) self.spaces = SpacesFacade(self._credentials) self.kubernetes = KubernetesDoFacade(self._credentials) ================================================ FILE: ScoutSuite/providers/do/facade/database.py ================================================ from ScoutSuite.core.console import print_exception from ScoutSuite.providers.do.authentication_strategy import DoCredentials from ScoutSuite.providers.utils import run_concurrently class DatabasesFacade: def __init__(self, credentials: DoCredentials): self._credentials = credentials self._client = credentials.client async def get_databases(self): try: databases = await run_concurrently( lambda: self._client.databases.list_clusters()["databases"] ) return databases except Exception as e: print_exception(f"Failed to get databases: {e}") return [] async def get_databaseusers(self, db_uuid): try: db_users = await run_concurrently( lambda: self._client.databases.list_users(db_uuid)["users"] ) return db_users except Exception as e: print_exception(f"Failed to get db users: {e}") return [] async def get_eviction_policy(self, db_uuid): try: eviction_policy = await run_concurrently( lambda: self._client.databases.get_eviction_policy(db_uuid)[ "eviction_policy" ] ) return eviction_policy except Exception as e: print_exception(f"Failed to get Redis eviction policy: {e}") return [] async def get_connection_pools(self, db_uuid): try: connection_pools = await run_concurrently( lambda: self._client.databases.list_connection_pools(db_uuid)["pools"] ) return connection_pools except Exception as e: print_exception(f"Failed to get Postgres connection pools: {e}") return [] async def get_firewalls(self, db_uuid): try: firewall_rules = await run_concurrently( lambda: self._client.databases.list_firewall_rules(db_uuid) ) return firewall_rules except Exception as e: print_exception(f"Failed to get db firewalls: {e}") return [] async def get_resources(self, tag): try: resources = await 
run_concurrently( lambda: self._client.tags.get(tag)["tag"]["resources"] ) return resources except Exception as e: print_exception(f"Failed to get tag resources: {e}") return [] ================================================ FILE: ScoutSuite/providers/do/facade/droplet.py ================================================ from ScoutSuite.core.console import print_exception from ScoutSuite.providers.do.authentication_strategy import DoCredentials from ScoutSuite.providers.utils import run_concurrently from ScoutSuite.providers.do.facade.utils import DOFacadeUtils class DropletFacade: def __init__(self, credentials: DoCredentials): self._credentials = credentials self._client = credentials.client self.current_page = 1 self.per_page = 50 async def get_droplets(self): try: droplets = await DOFacadeUtils.get_all_from_pagination( self._client.droplets.list, self.current_page, self.per_page, "droplets" ) return droplets["droplets"] except Exception as e: print_exception(f"Failed to get droplets: {e}") return [] async def get_droplet_fwconfig(self, id): try: filters = {"droplet_id": id} droplet_fwconfig = await DOFacadeUtils.get_all_from_pagination( self._client.droplets.list_firewalls, self.current_page, self.per_page, "firewalls", filters, ) return droplet_fwconfig except Exception as e: print_exception(f"Failed to get droplet firewall config: {e}") return [] # TODO not required for now # async def get_droplet_details(self, id): # try: # droplets = await run_concurrently(lambda: self._client.droplets.list()['droplets']) # return droplets # except Exception as e: # print_exception(f'Failed to get do droplets: {e}') # return [] ================================================ FILE: ScoutSuite/providers/do/facade/kubernetes.py ================================================ from ScoutSuite.core.console import print_exception from ScoutSuite.providers.do.authentication_strategy import DoCredentials from ScoutSuite.providers.utils import run_concurrently class 
KubernetesDoFacade: def __init__(self, credentials: DoCredentials): self._credentials = credentials self._client = credentials.client async def get_kubernetes(self): try: kubernetes = await run_concurrently( lambda: self._client.kubernetes.list_clusters()["kubernetes_clusters"] ) return kubernetes except Exception as e: print_exception(f"Failed to get kubernetes clusters: {e}") return [] ================================================ FILE: ScoutSuite/providers/do/facade/networking.py ================================================ from ScoutSuite.core.console import print_exception from ScoutSuite.providers.do.authentication_strategy import DoCredentials from ScoutSuite.providers.do.facade.utils import DOFacadeUtils from ScoutSuite.providers.utils import run_concurrently class Networkingfacade: def __init__(self, credentials: DoCredentials): self._credentials = credentials self._client = credentials.client self.current_page = 1 self.per_page = 50 async def get_firewalls(self): try: firewalls = await DOFacadeUtils.get_all_from_pagination( self._client.firewalls.list, self.current_page, self.per_page, "firewalls", ) return firewalls["firewalls"] except Exception as e: print_exception(f"Failed to get firewalls: {e}") return [] async def get_domains(self): try: domains = await DOFacadeUtils.get_all_from_pagination( self._client.domains.list, self.current_page, self.per_page, "domains" ) return domains["domains"] except Exception as e: print_exception(f"Failed to get domains: {e}") return [] async def get_load_balancers(self): try: load_balancers = await DOFacadeUtils.get_all_from_pagination( self._client.load_balancers.list, self.current_page, self.per_page, "load_balancers", ) return load_balancers["load_balancers"] except Exception as e: print_exception(f"Failed to get load balancers: {e}") return [] ================================================ FILE: ScoutSuite/providers/do/facade/spaces.py ================================================ from 
botocore.exceptions import ClientError import boto3 from ScoutSuite.core.console import print_exception, print_debug, print_warning from ScoutSuite.providers.aws.facade.utils import AWSFacadeUtils from ScoutSuite.providers.utils import run_concurrently, get_and_set_concurrently from ScoutSuite.providers.do.authentication_strategy import DoCredentials class SpacesFacade: def __init__(self, credentials: DoCredentials): self._credentials = credentials self._client = credentials.client self.session = credentials.session async def get_all_buckets(self): buckets = [] # TODO no api avaialible to get do regions that support spaces. region_list = ["nyc3", "sfo2", "sfo3", "ams3", "fra1", "sgp1", "syd1", "blr1"] for region in region_list: region_buckets = await self.get_buckets(region) buckets.extend(region_buckets) return buckets async def get_buckets(self, region=None): try: buckets = [] exception = None try: client = self.get_client("s3", self.session, region) buckets = await run_concurrently( lambda: client.list_buckets()["Buckets"] ) except Exception as e: exception = e else: exception = None # Fix for https://github.com/nccgroup/ScoutSuite/issues/916#issuecomment-728783965 if not buckets: if exception: print_exception(f"Failed to list buckets: {exception}") return [] except Exception as e: print_exception(f"Failed to list buckets: {e}") return [] else: # We need first to retrieve bucket locations before retrieving bucket details await get_and_set_concurrently( [self._get_and_set_s3_bucket_location], buckets, region=region ) # Then we can retrieve bucket details concurrently await get_and_set_concurrently( [ self._get_and_set_s3_acls, self._get_CORS ], buckets, ) return buckets async def _get_CORS(self, bucket: {}, region=None): client = self.get_client("s3", self.session, bucket["region"]) try: # Attempt to get the CORS configuration response = client.get_bucket_cors(Bucket=bucket["Name"]) if 'CORSRules' in response: bucket["CORS"] = response['CORSRules'] else: 
print("CORS rules are not set for this bucket.") except ClientError as e: if e.response['Error']['Code'] == 'InvalidAccessKeyId': print("The AWS Access Key Id provided does not exist in our records.") except Exception as e: print(f"An unexpected error occurred: {str(e)}") async def _get_and_set_s3_bucket_location(self, bucket: {}, region=None): client = self.get_client("s3", self.session, region) try: location = await run_concurrently( lambda: client.get_bucket_location(Bucket=bucket["Name"]) ) except Exception as e: if "NoSuchBucket" in str(e) or "InvalidToken" in str(e): print_warning( "Failed to get bucket location for {}: {}".format(bucket["Name"], e) ) else: print_exception( "Failed to get bucket location for {}: {}".format(bucket["Name"], e) ) location = None if location: region = ( location["LocationConstraint"] if location["LocationConstraint"] else "us-east-1" ) # Fixes issue #59: location constraint can be either EU or eu-west-1 for Ireland... if region == "EU": region = "eu-west-1" else: region = None bucket["region"] = region async def _get_and_set_s3_acls(self, bucket: {}, key_name=None): bucket_name = bucket["Name"] client = self.get_client("s3", self.session, bucket["region"]) try: grantees = {} if key_name: grants = await run_concurrently( lambda: client.get_object_acl(Bucket=bucket_name, Key=key_name) ) else: grants = await run_concurrently( lambda: client.get_bucket_acl(Bucket=bucket_name) ) for grant in grants["Grants"]: if "ID" in grant["Grantee"]: grantee = grant["Grantee"]["ID"] display_name = ( grant["Grantee"]["DisplayName"] if "DisplayName" in grant["Grantee"] else grant["Grantee"]["ID"] ) elif "URI" in grant["Grantee"]: grantee = grant["Grantee"]["URI"].split("/")[-1] display_name = self._s3_group_to_string(grant["Grantee"]["URI"]) else: grantee = display_name = "Unknown" permission = grant["Permission"] grantees.setdefault(grantee, {}) grantees[grantee]["DisplayName"] = display_name if "URI" in grant["Grantee"]: grantees[grantee]["URI"] = 
grant["Grantee"]["URI"] grantees[grantee].setdefault("permissions", self._init_s3_permissions()) self._set_s3_permissions(grantees[grantee]["permissions"], permission) bucket["grantees"] = grantees except Exception as e: if "NoSuchBucket" in str(e) or "InvalidToken" in str(e): print_warning(f"Failed to get ACL configuration for {bucket_name}: {e}") else: print_exception( f"Failed to get ACL configuration for {bucket_name}: {e}" ) bucket["grantees"] = {} @staticmethod def get_client(service: str, session: boto3.session.Session, region: str = None): """ Instantiates an AWS API client :param service: Service targeted, e.g. ec2 :param session: The aws session :param region: Region desired, e.g. us-east-2 :return: """ try: return ( session.client( service, region_name=region, endpoint_url="https://" + region + ".digitaloceanspaces.com", ) if region else session.client(service) ) except Exception as e: print_exception(f"Failed to create client for the {service} service: {e}") return None @staticmethod def _init_s3_permissions(): permissions = { "read": False, "write": False, "read_acp": False, "write_acp": False, } return permissions @staticmethod def _set_s3_permissions(permissions: str, name: str): if name == "READ" or name == "FULL_CONTROL": permissions["read"] = True if name == "WRITE" or name == "FULL_CONTROL": permissions["write"] = True if name == "READ_ACP" or name == "FULL_CONTROL": permissions["read_acp"] = True if name == "WRITE_ACP" or name == "FULL_CONTROL": permissions["write_acp"] = True @staticmethod def _s3_group_to_string(uri: str): if uri == "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": return "Authenticated users" elif uri == "http://acs.amazonaws.com/groups/global/AllUsers": return "Everyone" elif uri == "http://acs.amazonaws.com/groups/s3/LogDelivery": return "Log delivery" else: return uri @staticmethod def _status_to_bool(value: str): """Converts a string to True if it is equal to 'Enabled' or to False otherwise.""" return value == 
"Enabled" ================================================ FILE: ScoutSuite/providers/do/facade/utils.py ================================================ from ScoutSuite.core.console import print_exception from ScoutSuite.providers.do.authentication_strategy import DoCredentials from ScoutSuite.providers.utils import run_concurrently class DOFacadeUtils: @staticmethod async def get_all_from_pagination( list_client, current_page, per_page, object_name, filters=None ): final_output = {} next_page = True while next_page: if filters: resp = await run_concurrently( lambda: list_client(**filters, per_page=per_page, page=current_page) ) else: resp = await run_concurrently( lambda: list_client(per_page=per_page, page=current_page) ) if object_name in final_output.keys(): final_output[object_name].extend(resp[object_name]) else: final_output[object_name] = resp[object_name] pages = resp.get("links").get("pages", {}) next_page = "next" in pages.keys() current_page += 1 return final_output ================================================ FILE: ScoutSuite/providers/do/metadata.json ================================================ { "Droplets": { "droplet": { "resources": { "droplets": { "cols": 2, "path": "services.droplet.droplets" } } } }, "Storage": { "spaces": { "resources": { "buckets": { "cols": 2, "path": "services.spaces.buckets" } } } }, "Network": { "networking": { "resources": { "firewalls": { "cols": 2, "path": "services.networking.firewalls" }, "domains": { "cols": 2, "path": "services.networking.domains" }, "load_balancers": { "cols": 2, "path": "services.networking.load_balancers" } } } }, "Kubernetes": { "kubernetes": { "resources": { "kubernetes": { "cols": 2, "path": "services.kubernetes.kubernetes" } } } }, "Databases": { "database": { "resources": { "databases": { "cols": 2, "path": "services.database.databases" } } } } } ================================================ FILE: ScoutSuite/providers/do/provider.py 
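================================================
import os
from ScoutSuite.providers.do.services import DigitalOceanServicesConfig
from ScoutSuite.providers.base.provider import BaseProvider


class DigitalOceanProvider(BaseProvider):
    """
    Implements provider for DigitalOcean
    """

    def __init__(
        self,
        report_dir=None,
        timestamp=None,
        services=None,
        skipped_services=None,
        **kwargs,
    ):
        """Set the provider attributes and read the account uuid.

        ``kwargs["credentials"]`` is required; its client is used for an
        ``account.get()`` call whose ``account.uuid`` becomes ``account_id``.
        """
        services = [] if services is None else services
        skipped_services = [] if skipped_services is None else skipped_services

        # metadata.json sits next to this module
        self.metadata_path = (
            "%s/metadata.json" % os.path.split(os.path.abspath(__file__))[0]
        )

        self.provider_code = "do"
        self.provider_name = "DigitalOcean"
        self.environment = "default"

        self.services_config = DigitalOceanServicesConfig

        self.credentials = kwargs["credentials"]
        self.account_id = self.credentials.client.account.get()
        self.account_id = self.account_id["account"]["uuid"]
        super().__init__(report_dir, timestamp, services, skipped_services)

    def get_report_name(self):
        """
        Returns the name of the report using the provider's configuration
        """
        if self.account_id:
            return f"do-{self.account_id}"
        else:
            return "do"

    def preprocessing(self, ip_ranges=None, ip_ranges_name_key=None):
        """Run the base preprocessing; both arguments are accepted but not used here."""
        super().preprocessing()

================================================
FILE: ScoutSuite/providers/do/resources/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/do/resources/base.py
================================================
"""This module provides implementations for Resources and CompositeResources for DO."""

import abc

from ScoutSuite.providers.base.resources.base import Resources, CompositeResources


class DoResources(Resources, metaclass=abc.ABCMeta):
    """This is the base class for DO resources."""

    pass


class DoCompositeResources(DoResources, CompositeResources, metaclass=abc.ABCMeta):
    """This class represents a collection of composite Resources (resources that include nested resources referred as
    their children). Classes extending DoCompositeResources have to define a '_children' attribute which consists of
    a list of tuples describing the children. The tuples are expected to respect the following format:
    (child_class, child_name). 'child_name' is used to indicate the name under which the child resources will be
    stored in the parent object.
    """

    pass

================================================
FILE: ScoutSuite/providers/do/resources/database/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/do/resources/database/base.py
================================================
from ScoutSuite.providers.do.facade.base import DoFacade
from ScoutSuite.providers.do.resources.base import DoCompositeResources
from ScoutSuite.providers.do.resources.database.databases import Databases


class Databases(DoCompositeResources):
    """Composite resource of the "database" service."""

    # Inside the class body the name still refers to the imported Databases
    # resource; this class only takes over the name once its body has run.
    _children = [(Databases, "databases")]

    def __init__(self, facade: DoFacade):
        super().__init__(facade)
        self.service = "database"

    async def fetch_all(self, **kwargs):
        await self._fetch_children(resource_parent=self)

================================================
FILE: ScoutSuite/providers/do/resources/database/databases.py
================================================
from ScoutSuite.providers.do.resources.base import DoResources
from ScoutSuite.providers.do.facade.base import DoFacade


class Databases(DoResources):
    """Database clusters, keyed by cluster id."""

    def __init__(self, facade: DoFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch all clusters and store the parsed form of each under its id."""
        clusters = await self.facade.database.get_databases()
        if clusters:
            for cluster in clusters:
                cluster_id, parsed_cluster = await self._parse_cluster(cluster)
                self[cluster_id] = parsed_cluster

    async def _parse_cluster(self, raw_cluster):
        """Build the report entry of one cluster.

        Besides the copied fields this looks up the firewall rules
        (``trusted_sources``) and, depending on the engine, the MySQL users on
        the legacy auth plugin, the Redis eviction policy or the Postgres
        connection pools.

        :return: tuple ``(cluster id, cluster dict)``
        """
        cluster_dict = {}

        cluster_dict["id"] = raw_cluster["id"]
        cluster_dict["name"] = raw_cluster["name"]
        cluster_dict["engine"] = raw_cluster["engine"]
        cluster_dict["version"] = raw_cluster["version"]
        if raw_cluster["engine"] != "mongodb":
            cluster_dict["semantic_version"] = raw_cluster["semantic_version"]
        cluster_dict["tags"] = raw_cluster["tags"]
        cluster_dict["databases"] = str(raw_cluster["db_names"])

        trusted_sources = set()
        cluster_databases = await self.facade.database.get_firewalls(raw_cluster["id"])
        if cluster_databases:
            for cluster_rule in cluster_databases["rules"]:
                trusted_sources.add(f"{cluster_rule['type']}s:{cluster_rule['value']}")
        # "False" means that no firewall rule was returned. The facade also
        # returns [] when the lookup itself fails, so an API error ends up
        # with the same value as a cluster without any trusted source.
        cluster_dict["trusted_sources"] = (
            trusted_sources if trusted_sources else "False"
        )

        if raw_cluster["engine"] == "mysql":
            legacy_encryption_users = set()
            db_users = await self.facade.database.get_databaseusers(raw_cluster["id"])
            if db_users:
                for db_user in db_users:
                    if (
                        db_user["mysql_settings"]["auth_plugin"]
                        == "mysql_native_password"
                    ):
                        legacy_encryption_users.add(db_user["name"])
            # The former `legacy_encryption_users == "None"` branch compared a
            # set with a string and could never be taken; it has been removed.
            cluster_dict["legacy_encryption_users"] = (
                str(legacy_encryption_users) if legacy_encryption_users else "False"
            )

        elif raw_cluster["engine"] == "redis":
            cluster_dict["eviction_policy"] = (
                await self.facade.database.get_eviction_policy(raw_cluster["id"])
            )
        elif raw_cluster["engine"] == "pg":
            connection_pools = await self.facade.database.get_connection_pools(
                raw_cluster["id"]
            )
            cluster_dict["connection_pools"] = (
                connection_pools if connection_pools else "False"
            )

        return cluster_dict["id"], cluster_dict

================================================
FILE: ScoutSuite/providers/do/resources/droplet/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/do/resources/droplet/base.py
================================================
from ScoutSuite.providers.do.facade.base import DoFacade
from ScoutSuite.providers.do.resources.base import DoCompositeResources
from ScoutSuite.providers.do.resources.droplet.droplets import Droplets


class Droplets(DoCompositeResources):
    """Composite resource of the "droplet" service."""

    # Inside the class body the name still refers to the imported Droplets
    # resource; this class only takes over the name once its body has run.
    _children = [(Droplets, "droplets")]

    def __init__(self, facade: DoFacade):
        super().__init__(facade)
        self.service = "droplet"

    async def fetch_all(self, **kwargs):
        await self._fetch_children(resource_parent=self)

================================================
FILE: ScoutSuite/providers/do/resources/droplet/droplets.py
================================================
from ScoutSuite.providers.do.resources.base import DoResources
from ScoutSuite.providers.do.facade.base import DoFacade


class Droplets(DoResources):
    """Droplets, keyed by droplet id."""

    def __init__(self, facade: DoFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch all droplets and store the parsed form of each under its id."""
        droplets = await self.facade.droplet.get_droplets()
        if droplets:
            for droplet in droplets:
                droplet_id, parsed_droplet = await self._parse_droplet(droplet)
                self[droplet_id] = parsed_droplet

    async def _parse_droplet(self, raw_droplet):
        """Build the report entry of one droplet, including its firewall exposure flags.

        The exposure flags are the strings "True" / "False". A port counts as
        public when an inbound rule lists 0.0.0.0/0 or ::/0 among its source
        addresses.

        :return: tuple ``(droplet id, droplet dict)``
        """
        droplet_dict = {}

        droplet_dict["id"] = raw_droplet["id"]
        droplet_dict["name"] = raw_droplet["name"]
        droplet_dict["memory"] = raw_droplet["memory"]
        droplet_dict["vcpus"] = raw_droplet["vcpus"]
        droplet_dict["disk"] = raw_droplet["disk"]
        droplet_dict["locked"] = raw_droplet["locked"]
        droplet_dict["status"] = raw_droplet["status"]
        droplet_dict["kernel"] = raw_droplet["kernel"]
        droplet_dict["created_at"] = raw_droplet["created_at"]
        droplet_dict["features"] = raw_droplet["features"]
        droplet_dict["backup_ids"] = str(raw_droplet["backup_ids"])
        droplet_dict["next_backup_window"] = raw_droplet["next_backup_window"]
        droplet_dict["snapshot_ids"] = str(raw_droplet["snapshot_ids"])
        droplet_dict["image"] = raw_droplet["image"]["slug"]
        droplet_dict["image_type"] = raw_droplet["image"]["type"]
        droplet_dict["volume_ids"] = str(raw_droplet["volume_ids"])
        droplet_dict["size"] = raw_droplet["size"]["slug"]
        droplet_dict["size_slug"] = raw_droplet["size_slug"]
        droplet_dict["networks"] = str(raw_droplet["networks"])
        droplet_dict["region"] = raw_droplet["region"]["slug"]
        droplet_dict["tags"] = raw_droplet["tags"]
        droplet_dict["vpc_uuid"] = raw_droplet["vpc_uuid"]
        droplet_dict["firewalls"] = None

        droplet_fwconfig = await self.facade.droplet.get_droplet_fwconfig(
            raw_droplet["id"]
        )
        # The facade returns [] when the lookup fails; indexing that value
        # with "firewalls" raises TypeError. A failed lookup is handled like a
        # droplet without firewall, so it is reported as exposed rather than
        # silently passing.
        firewalls = droplet_fwconfig["firewalls"] if droplet_fwconfig else []

        public_ports = {}
        if firewalls:
            droplet_dict["firewalls"] = ""
            for firewall in firewalls:
                droplet_dict["firewalls"] = (
                    droplet_dict["firewalls"] + " , " + firewall["id"]
                    if droplet_dict["firewalls"]
                    else firewall["id"]
                )
                for rules in firewall["inbound_rules"]:
                    if (
                        "0.0.0.0/0" in rules["sources"]["addresses"]
                        or "::/0" in rules["sources"]["addresses"]
                    ):
                        public_ports[rules["ports"]] = rules["sources"]["addresses"]

        droplet_dict["all_ports_exposed"] = (
            "True" if ("0" in public_ports or not firewalls) else "False"
        )
        # all_ports_exposed holds the string "True" or "False"; both strings
        # are truthy, so the flag has to be compared, otherwise port 22 is
        # reported as exposed for every droplet.
        # NOTE(review): "22" is matched against the rule's ports string as a
        # whole, so a public rule given as a range that contains 22 is not
        # detected here.
        droplet_dict["port_22_exposed"] = (
            "True"
            if ("22" in public_ports or droplet_dict["all_ports_exposed"] == "True")
            else "False"
        )
        droplet_dict["public_ports_enabled"] = "True" if public_ports else "False"
        droplet_dict["public_port_detail"] = (
            f"Port {','.join(public_ports.keys())} exposed to public internet due to this configuration {str(public_ports)}"
            if public_ports
            else ""
        )
        droplet_dict["features_monitoring"] = (
            "True" if ("monitoring" in droplet_dict["features"]) else "False"
        )

        return droplet_dict["id"], droplet_dict

================================================
FILE: ScoutSuite/providers/do/resources/kubernetes/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/do/resources/kubernetes/base.py
================================================
from ScoutSuite.providers.do.facade.base import DoFacade
from ScoutSuite.providers.do.resources.base import DoCompositeResources
from ScoutSuite.providers.do.resources.kubernetes.kubernetes import Kubernetes


class Kubernetes(DoCompositeResources):
    """Composite resource of the "kubernetes" service."""

    # Inside the class body the name still refers to the imported Kubernetes
    # resource; this class only takes over the name once its body has run.
    _children = [(Kubernetes, "kubernetes")]

    def __init__(self, facade: DoFacade):
        super().__init__(facade)
        self.service = "kubernetes"

    async def fetch_all(self, **kwargs):
        await self._fetch_children(resource_parent=self)

================================================
FILE: ScoutSuite/providers/do/resources/kubernetes/kubernetes.py
================================================
from ScoutSuite.providers.do.resources.base import DoResources
from ScoutSuite.providers.do.facade.base import DoFacade


class Kubernetes(DoResources):
    """Kubernetes clusters, keyed by cluster id."""

    def __init__(self, facade: DoFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch all clusters and store the parsed form of each under its id."""
        clusters = await self.facade.kubernetes.get_kubernetes()
        if clusters:
            for cluster in clusters:
                cluster_id, parsed_cluster = await self._parse_cluster(cluster)
                self[cluster_id] = parsed_cluster

    async def _parse_cluster(self, raw_cluster):
        """Copy id, name, ha, auto_upgrade and surge_upgrade of one cluster.

        :return: tuple ``(cluster id, cluster dict)``
        """
        cluster_dict = {}

        cluster_dict["id"] = raw_cluster["id"]
        cluster_dict["name"] = raw_cluster["name"]
        cluster_dict["ha"] = raw_cluster["ha"]
        cluster_dict["auto_upgrade"] = raw_cluster["auto_upgrade"]
        cluster_dict["surge_upgrade"] = raw_cluster["surge_upgrade"]

        return cluster_dict["id"], cluster_dict

================================================
FILE: ScoutSuite/providers/do/resources/networking/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/do/resources/networking/base.py
================================================
from ScoutSuite.providers.do.facade.base import DoFacade
from ScoutSuite.providers.do.resources.base import DoCompositeResources
from ScoutSuite.providers.do.resources.networking.firewalls import Firewalls
from ScoutSuite.providers.do.resources.networking.domains import Domains
from ScoutSuite.providers.do.resources.networking.load_balancers import LoadBalancers


class Networking(DoCompositeResources):
    """Composite resource of the "networking" service."""

    _children = [
        (Firewalls, "firewalls"),
        (Domains, "domains"),
        (LoadBalancers, "load_balancers"),
    ]

    def __init__(self, facade: DoFacade):
        super().__init__(facade)
        self.service = "networking"

    async def fetch_all(self, **kwargs):
        await self._fetch_children(resource_parent=self)

================================================
FILE: ScoutSuite/providers/do/resources/networking/domains.py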
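================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.do.resources.base import DoResources
from ScoutSuite.providers.do.facade.base import DoFacade
import re


class Domains(DoResources):
    """Domains, keyed by domain name."""

    def __init__(self, facade: DoFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch all domains and store the parsed form of each under its name."""
        domains = await self.facade.networking.get_domains()
        if domains:
            for domain in domains:
                name, parsed_domain = await self._parse_domain(domain)
                if parsed_domain:
                    self[name] = parsed_domain

    async def _parse_domain(self, raw_domain):
        """Derive the mail-record and TTL flags of a domain from its zone file text.

        All flags are the strings "True" / "False". The checks are plain
        regular-expression searches over the zone file, not a DNS parse.

        :return: tuple ``(domain name, domain dict)``
        """
        domain_dict = {}

        domain_dict["name"] = raw_domain["name"]
        # re.search raises TypeError on None, so a zone file that is None is
        # handled as an empty one.
        zone_file = raw_domain["zone_file"] or ""

        spf_pattern = re.compile(r'.*TXT.*v=spf.*', re.IGNORECASE)
        domain_dict["spf_record"] = "True" if bool(re.search(spf_pattern, zone_file)) else "False"

        dmarc_pattern = re.compile(r'.*TXT.*v=DMARC.*', re.IGNORECASE)
        domain_dict["dmarc_record"] = "True" if bool(re.search(dmarc_pattern, zone_file)) else "False"

        dkim_pattern = re.compile(r'.*TXT.*v=DKIM.*', re.IGNORECASE)
        domain_dict["dkim_record"] = "True" if bool(re.search(dkim_pattern, zone_file)) else "False"

        ttl_regex = r"\.\s*(\d+)\s*IN"
        ttl_matches = re.findall(ttl_regex, zone_file)
        numbers = [int(match) for match in ttl_matches]
        # max() of an empty list raises ValueError; a zone file in which the
        # pattern finds no TTL is reported as having no high-TTL record.
        domain_dict["highttl_records"] = (
            "True" if max(numbers, default=0) > 3600 else "False"
        )

        # an SPF record ending in ~all or +all
        pattern1 = re.compile(r'.*TXT.*v=spf.*~all', re.IGNORECASE)
        pattern2 = re.compile(r'.*TXT.*v=spf.*\+all', re.IGNORECASE)

        domain_dict["spf_record_all"] = (
            "True" if bool(re.search(pattern1, zone_file)) or bool(re.search(pattern2, zone_file)) else "False"
        )

        return domain_dict["name"], domain_dict

================================================
FILE: ScoutSuite/providers/do/resources/networking/firewalls.py
================================================
from ScoutSuite.providers.do.resources.base import DoResources
from ScoutSuite.providers.do.facade.base import DoFacade


class Firewalls(DoResources):
    """Firewalls, keyed by firewall id."""

    def __init__(self, facade: DoFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch all firewalls and store the parsed form of each under its id."""
        firewalls = await self.facade.networking.get_firewalls()
        if firewalls:
            for firewall in firewalls:
                firewall_id, parsed_firewall = await self._parse_firewall(firewall)
                self[firewall_id] = parsed_firewall

    async def _parse_firewall(self, raw_firewall):
        """Build the report entry of one firewall, including its public-port flags.

        A port counts as public when an inbound rule lists 0.0.0.0/0 or ::/0
        among its source addresses. The flags are the strings "True" / "False".

        :return: tuple ``(firewall id, firewall dict)``
        """
        firewall_dict = {}

        firewall_dict["id"] = raw_firewall["id"]
        firewall_dict["name"] = raw_firewall["name"]
        firewall_dict["status"] = raw_firewall["status"]
        firewall_dict["inbound_rules"] = raw_firewall["inbound_rules"]
        firewall_dict["outbound_rules"] = raw_firewall["outbound_rules"]
        firewall_dict["created_at"] = raw_firewall["created_at"]
        firewall_dict["droplet_ids"] = str(raw_firewall["droplet_ids"])
        firewall_dict["tags"] = str(raw_firewall["tags"])
        firewall_dict["pending_changes"] = str(raw_firewall["pending_changes"])

        public_ports = {}
        for rules in raw_firewall["inbound_rules"]:
            if (
                "0.0.0.0/0" in rules["sources"]["addresses"]
                or "::/0" in rules["sources"]["addresses"]
            ):
                public_ports[rules["ports"]] = rules["sources"]["addresses"]

        # a public rule whose ports value is "0" is reported as all ports exposed
        firewall_dict["all_ports_exposed"] = (
            "True" if ("0" in public_ports) else "False"
        )
        firewall_dict["public_ports_enabled"] = "True" if public_ports else "False"
        firewall_dict["public_port_detail"] = (
            f"Port {','.join(public_ports.keys())} exposed to public internet due to this configuration {str(public_ports)}"
            if public_ports
            else ""
        )

        return firewall_dict["id"], firewall_dict

================================================
FILE: ScoutSuite/providers/do/resources/networking/load_balancers.py
================================================
from ScoutSuite.providers.do.resources.base import DoResources
from ScoutSuite.providers.do.facade.base import DoFacade


class LoadBalancers(DoResources):
    """Load balancers, keyed by load balancer id."""

    def __init__(self, facade: DoFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch all load balancers and store the parsed form of each under its id."""
        load_balancers = await self.facade.networking.get_load_balancers()
        if load_balancers:
            for load_balancer in load_balancers:
                lb_id, parsed_lb = await self._parse_load_balancer(load_balancer)
                self[lb_id] = parsed_lb

    async def _parse_load_balancer(self, raw_load_balancer):
        """Copy the reported fields of one load balancer; the last three are stringified.

        :return: tuple ``(load balancer id, load balancer dict)``
        """
        load_balancer_dict = {}

        load_balancer_dict["id"] = raw_load_balancer["id"]
        # the name was assigned twice in a row; one assignment is enough
        load_balancer_dict["name"] = raw_load_balancer["name"]
        load_balancer_dict["redirect_http_to_https"] = str(
            raw_load_balancer["redirect_http_to_https"]
        )
        load_balancer_dict["enable_backend_keepalive"] = str(
            raw_load_balancer["enable_backend_keepalive"]
        )
        load_balancer_dict["droplet_ids"] = str(raw_load_balancer["droplet_ids"])

        return load_balancer_dict["id"], load_balancer_dict

================================================
FILE: ScoutSuite/providers/do/resources/spaces/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/do/resources/spaces/base.py
================================================
from ScoutSuite.providers.do.facade.base import DoFacade
from ScoutSuite.providers.do.resources.base import DoCompositeResources
from ScoutSuite.providers.do.resources.spaces.buckets import Buckets


class Spaces(DoCompositeResources):
    """Composite resource holding the Spaces buckets."""

    _children = [(Buckets, "buckets")]

    def __init__(self, facade: DoFacade):
        super().__init__(facade)
        self.service = "buckets"

    async def fetch_all(self, **kwargs):
        await self._fetch_children(resource_parent=self)

================================================
FILE: ScoutSuite/providers/do/resources/spaces/buckets.py
================================================
from ScoutSuite.providers.do.resources.base import DoResources
from ScoutSuite.providers.do.facade.base import DoFacade
from ScoutSuite.core.console import print_exception
import json


class Buckets(DoResources):
    """Spaces buckets, keyed by bucket name."""

    def __init__(self, facade: DoFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch the buckets of all regions and store the parsed form of each under its name."""
        buckets = await self.facade.spaces.get_all_buckets()
        if buckets:
            for bucket in buckets:
                bucket_name, parsed_bucket = await self._parse_buckets(bucket)
                self[bucket_name] = parsed_bucket

    async def _parse_buckets(self, raw_buckets):
        """Derive the public-access and CORS flags of one bucket.

        Only the "AllUsers" grantee is examined. A bucket without a
        "grantees" entry, or without that grantee, gets False for all four
        permission flags.

        :return: tuple ``(bucket name, bucket dict)``
        """
        buckets_dict = {}

        buckets_dict["name"] = raw_buckets["Name"]
        # NOTE(review): public_read is the string "True"/"False" when the
        # grantee exists but the bool False otherwise, while the three flags
        # below are always bools - confirm what the rules compare against.
        buckets_dict["public_read"] = (
            str(raw_buckets["grantees"]["AllUsers"]["permissions"]["read"])
            if "AllUsers" in raw_buckets.get("grantees", {})
            else False
        )
        buckets_dict["public_write"] = (
            raw_buckets["grantees"]["AllUsers"]["permissions"]["write"]
            if "AllUsers" in raw_buckets.get("grantees", {})
            else False
        )
        buckets_dict["read_acp"] = (
            raw_buckets["grantees"]["AllUsers"]["permissions"]["read_acp"]
            if "AllUsers" in raw_buckets.get("grantees", {})
            else False
        )
        buckets_dict["write_acp"] = (
            raw_buckets["grantees"]["AllUsers"]["permissions"]["write_acp"]
            if "AllUsers" in raw_buckets.get("grantees", {})
            else False
        )
        # True as soon as the first CORS rule has an AllowedOrigins key; the
        # origins themselves are not inspected.
        buckets_dict["CORS"] = (
            True
            if "CORS" in raw_buckets
            and raw_buckets["CORS"]
            and "AllowedOrigins" in raw_buckets["CORS"][0]
            else False
        )

        return buckets_dict["name"], buckets_dict

================================================
FILE: ScoutSuite/providers/do/rules/filters/.gitkeep
================================================

================================================
FILE: ScoutSuite/providers/do/rules/findings/database-databases-mysql-publically-exposed.json
================================================
{ "description": "Mysql Database cluster publically exposed", "rationale": "Typically, only the application servers should be allowed to connect to the database cluster.", "dashboard_name": "Databases", "path": "database.databases.id", "conditions": [ "and", [ "database.databases.id.trusted_sources", "equal", "False" ], [ "database.databases.id.engine", "equal", "mysql" ] ], "id_suffix": "trusted_sources" }

================================================
FILE: ScoutSuite/providers/do/rules/findings/database-databases-mysql-user-legacy-encryption.json
================================================
{ "description": "Mysql Database user with Legacy MySQL 5.x encryption", "rationale": "DigitalOcean Managed Databases using MySQL 8+ are automatically configured to use caching_sha2_password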
authentication by default. caching_sha2_password uses a stronger password encryption than prior versions of MySQL.", "dashboard_name": "Databases", "path": "database.databases.id", "conditions": [ "and", [ "database.databases.id.legacy_encryption_users", "notEqual", "False" ], [ "database.databases.id.engine", "equal", "mysql" ] ], "id_suffix": "legacy_encryption_users" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/database-databases-postgres-connection-pools.json ================================================ { "description": "No connection pools found for Postgres database", "rationale": "When you use PostgreSQL without a connection pool, each client request creates a new connection to the database. This can lead to a high number of connections, which can cause performance issues and slow down your application. Connection pooling can help mitigate these issues by reusing existing connections instead of creating new ones for each request", "dashboard_name": "Databases", "path": "database.databases.id", "conditions": [ "and", [ "database.databases.id.connection_pools", "equal", "False" ], [ "database.databases.id.engine", "equal", "pg" ] ], "id_suffix": "connection_pools" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/database-databases-postgres-trusted-sources.json ================================================ { "description": "Databases publicly exposed", "rationale": "Database services should restrict incoming requests only from trusted sources.", "dashboard_name": "Databases", "path": "database.databases.id", "conditions": [ "and", [ "database.databases.id.trusted_sources", "equal", "False" ] ], "id_suffix": "trusted_sources" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/database-databases-redis-evicition-policy.json ================================================ { "description": "Eviction policy for Redis 
database cluster not set to 'allkeys-lru'", "rationale": "When Redis is used as a cache, it is often convenient to let it automatically evict old data as you add new data. Redis provides several eviction policies to choose from, including allkeys-lru, allkeys-lfu, volatile-lru, volatile-lfu, allkeys-random, volatile-random, and volatile-ttl 1. If you do not set an eviction policy, Redis will use the noeviction policy by default. This means that Redis will not evict any keys when the memory limit is reached, and any new values will not be saved 1. If you do not set an eviction policy and Redis runs out of memory, it will start to return errors for commands that could result in more memory being used 1. In general, it is recommended to use the allkeys-lru policy when you expect a power-law distribution in the popularity of your requests. That is, you expect a subset of elements will be accessed far more often than the rest", "dashboard_name": "Databases", "path": "database.databases.id", "conditions": [ "and", [ "database.databases.id.eviction_policy", "notEqual", "allkeys_lru" ], [ "database.databases.id.engine", "equal", "redis" ] ], "id_suffix": "eviction_policy" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/droplet-droplets-all-ports-exposed.json ================================================ { "description": "Droplets with all ports exposed to public", "rationale": "Droplets should expose only required/intented ports to public internet", "dashboard_name": "Droplets", "path": "droplet.droplets.id", "conditions": [ "and", [ "droplet.droplets.id.all_ports_exposed", "equal", "True" ] ], "id_suffix": "all_ports_exposed" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/droplet-droplets-backup-not-enabled.json ================================================ { "description": "Droplets with auto backups disabled", "rationale": "Droplet backups feature should be enabled for 
disaster recovery.", "dashboard_name": "Droplets", "path": "droplet.droplets.id", "conditions": [ "and", [ "droplet.droplets.id.next_backup_window", "null", "" ] ], "id_suffix": "next_backup_window" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/droplet-droplets-backup-not-present.json ================================================ { "description": "Droplets having no backups present", "rationale": "Droplets should have atleast 1 backup present for disaster recovery.", "dashboard_name": "Droplets", "path": "droplet.droplets.id", "conditions": [ "and", [ "droplet.droplets.id.backup_ids", "equal", "[]" ] ], "id_suffix": "backup_ids" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/droplet-droplets-custom-image.json ================================================ { "description": "Droplets with custom image", "rationale": "Using custom images instead of those provided by Digital Ocean may result in reduced security control, as user-created images may not include the latest security patches and configurations that are routinely maintained and updated in provider-supplied images.", "dashboard_name": "Droplets", "path": "droplet.droplets.id", "conditions": [ "and", [ "droplet.droplets.id.image_type", "equal", "custom" ] ], "id_suffix": "image_type" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/droplet-droplets-features-monitoring.json ================================================ { "description": "Droplets without improved metrics monitoring enabled", "rationale": "Droplets without improved metrics monitoring enabled", "dashboard_name": "Droplets", "path": "droplet.droplets.id", "conditions": [ "and", [ "droplet.droplets.id.features_monitoring", "equal", "False" ] ], "id_suffix": "features_monitoring" } ================================================ FILE: 
ScoutSuite/providers/do/rules/findings/droplet-droplets-firewall-not-attached.json ================================================ { "description": "Droplets with no firewall attached", "rationale": "Droplet should have a firewall atatched for enabling secure network configuration", "dashboard_name": "Droplets", "path": "droplet.droplets.id", "conditions": [ "and", [ "droplet.droplets.id.firewalls", "null", "" ] ], "id_suffix": "firewalls" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/droplet-droplets-port-22-exposed.json ================================================ { "description": "Droplets with port 22 exposed to public", "rationale": "Droplets should have port 22 restricted to trusted networks", "dashboard_name": "Droplets", "path": "droplet.droplets.id", "conditions": [ "and", [ "droplet.droplets.id.port_22_exposed", "equal", "True" ] ], "id_suffix": "port_22_exposed" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/droplet-droplets-snapshot-not-present.json ================================================ { "description": "Droplets having no snapshots present", "rationale": "Droplets should have at least 1 snapshot present for strategic points of recovery, for instance, before a major change or update.", "dashboard_name": "Droplets", "path": "droplet.droplets.id", "conditions": [ "and", [ "droplet.droplets.id.snapshot_ids", "equal", "[]" ] ], "id_suffix": "snapshot_ids" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/kubernetes-kubernetes-autoupgrade-minor.json ================================================ { "description": "Auto-Upgrade Minor Version Patches Disabled", "rationale": "Enabling auto-upgrade for minor version patches in Kubernetes on Digital Ocean enhances security by automatically applying the latest security patches and bug fixes, ensuring that the system is protected against vulnerabilities 
without upgrading to a new minor version.", "dashboard_name": "Kubernetes", "path": "kubernetes.kubernetes.id", "conditions": [ "and", [ "kubernetes.kubernetes.id.auto_upgrade", "equal", "False" ] ], "id_suffix": "auto_upgrade" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/kubernetes-kubernetes-ha-enabled.json ================================================ { "description": "High Availability for Control Plane", "rationale": "Enabling the High Availability Control Plane feature in Kubernetes on Digital Ocean ensures that the cluster remains operational even if one or more control nodes fail, enhancing the reliability and resilience of your applications. Please note that this feature cannot be disabled once it has been enabled.", "dashboard_name": "Kubernetes", "path": "kubernetes.kubernetes.id", "conditions": [ "and", [ "kubernetes.kubernetes.id.ha", "equal", "False" ] ], "id_suffix": "ha" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/kubernetes-kubernetes-surge-upgrade.json ================================================ { "description": "Surge Upgrade Disabled", "rationale": "Enabling surge updates in Digital Ocean allows for the creation of additional nodes during updates before pods draining, ensuring that new versions are fully operational before old ones are terminated, thus avoiding downtime.", "dashboard_name": "Kubernetes", "path": "kubernetes.kubernetes.id", "conditions": [ "and", [ "kubernetes.kubernetes.id.surge_upgrade", "equal", "False" ] ], "id_suffix": "surge_upgrade" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/networking-domains-high-ttl.json ================================================ { "description": "Domain has a high TTL record", "rationale": "Long TTLs delay the propagation of changes. 
For instance, if you update an IP address or switch services, clients will continue using old cached data until the TTL expires", "dashboard_name": "Networking", "path": "networking.domains.id", "conditions": [ "and", [ "networking.domains.id.highttl_records", "notEqual", "False" ] ], "id_suffix": "highttl_records" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/networking-domains-missing-dkim.json ================================================ { "description": "Domain is missing DKIM record", "rationale": "DKIM helps prevent email spoofing by adding cryptographic signatures to your outgoing emails", "dashboard_name": "Networking", "path": "networking.domains.id", "conditions": [ "and", [ "networking.domains.id.dkim_record", "equal", "False" ] ], "id_suffix": "dkim_record" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/networking-domains-missing-dmarc.json ================================================ { "description": "Domain is missing DMARC record", "rationale": "A DMARC policy tells a receiving email server what to do after checking a domain's Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records, which are additional email authentication methods. 
Additionally, without DMARC you won't be able to receive reports about legitimate and unauthorized emails sent on behalf of your domain", "dashboard_name": "Networking", "path": "networking.domains.id", "conditions": [ "and", [ "networking.domains.id.dmarc_record", "equal", "False" ] ], "id_suffix": "dmarc_record" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/networking-domains-missing-spf.json ================================================ { "description": "Domain is missing SPF record", "rationale": "Without an SPF record, attackers can spoof your domain by sending emails that appear to originate from your legitimate domain", "dashboard_name": "Networking", "path": "networking.domains.id", "conditions": [ "and", [ "networking.domains.id.spf_record", "equal", "False" ] ], "id_suffix": "spf_record" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/networking-domains-spf-overly-permissive.json ================================================ { "description": "Domain has an overly permissive SPF record", "rationale": "An overly permissive SPF record allows anyone to send emails on your domain's behalf", "dashboard_name": "Networking", "path": "networking.domains.id", "conditions": [ "and", [ "networking.domains.id.spf_record_all", "notEqual", "False" ] ], "id_suffix": "spf_record_all" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/networking-firewalls-public-ports.json ================================================ { "description": "Firewalls with publicly exposed ports", "rationale": "Firewalls should not expose sensitive ports to the public internet.", "dashboard_name": "Networking", "path": "networking.firewalls.id", "conditions": [ "and", [ "networking.firewalls.id.public_ports_enabled", "equal", "True" ] ], "id_suffix": "public_ports_enabled" } ================================================ FILE:
ScoutSuite/providers/do/rules/findings/networking-firewalls-quad-zero.json ================================================ { "description": "Firewalls with quad zero configuration", "rationale": "Firewalls with quad zero configuration expose all ports to public internet", "dashboard_name": "Networking", "path": "networking.firewalls.id", "conditions": [ "and", [ "networking.firewalls.id.all_ports_exposed", "equal", "True" ] ], "id_suffix": "all_ports_exposed" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/networking-load-balancer-backend-keepalive-disabled.json ================================================ { "description": "Load Balancer with backend Keepalive disabled", "rationale": "Consider enabling Keep-Alive to improve performance, reduce latency and load", "dashboard_name": "Networking", "path": "networking.load_balancers.id", "conditions": [ "and", [ "networking.load_balancers.id.enable_backend_keepalive", "equal", "False" ] ], "id_suffix": "enable_backend_keepalive" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/networking-load-balancer-ssl-redirect-disabled.json ================================================ { "description": "Load Balancer with SSL redirects disabled", "rationale": "SSL redirects should be enabled to enforce https connection", "dashboard_name": "Networking", "path": "networking.load_balancers.id", "conditions": [ "and", [ "networking.load_balancers.id.redirect_http_to_https", "equal", "False" ] ], "id_suffix": "redirect_http_to_https" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/networking-load-balancer-without-droplet.json ================================================ { "description": "Load Balancer without attached Droplets", "rationale": "Load Balancer without attached Droplets", "dashboard_name": "Networking", "path": "networking.load_balancers.id", "conditions": [ "and", [ 
"networking.load_balancers.id.droplet_ids", "equal", "[]" ] ], "id_suffix": "droplet_ids" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/spaces-buckets-cors.json ================================================ { "description": "CORS not configured in bucket", "rationale": "CORS configuration in a bucket may significantly restrict web-based applications from accessing resources across different domains, potentially limiting the bucket's usefulness for content delivery and integration with external web services.", "dashboard_name": "Spaces", "path": "spaces.buckets.id", "conditions": [ "and", [ "spaces.buckets.id.CORS", "equal", "False" ] ], "id_suffix": "CORS" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/spaces-buckets-public-read.json ================================================ { "description": "Bucket with public read access", "rationale": "Buckets with sensitive data must be private only.", "dashboard_name": "Spaces", "path": "spaces.buckets.id", "conditions": [ "and", [ "spaces.buckets.id.public_read", "equal", "True" ] ], "id_suffix": "public_read" } ================================================ FILE: ScoutSuite/providers/do/rules/findings/spaces-buckets-public-write.json ================================================ { "description": "Bucket with public write access", "rationale": "Buckets with sensitive data must be private only.", "dashboard_name": "Spaces", "path": "spaces.buckets.id", "conditions": [ "and", [ "spaces.buckets.id.public_write", "equal", "true" ] ], "id_suffix": "public_write" } ================================================ FILE: ScoutSuite/providers/do/rules/rulesets/default.json ================================================ { "about": "Default ruleset for DigitalOcean.", "rules": { "droplet-droplets-backup-not-enabled.json": [ { "enabled": true, "level": "danger" } ], "droplet-droplets-snapshot-not-present.json": [ { 
"enabled": true, "level": "warning" } ], "networking-load-balancer-without-droplet.json": [ { "enabled": true, "level": "warning" } ], "droplet-droplets-custom-image.json": [ { "enabled": true, "level": "warning" } ], "droplet-droplets-backup-not-present.json": [ { "enabled": true, "level": "warning" } ], "droplet-droplets-firewall-not-attached.json": [ { "enabled": true, "level": "danger" } ], "droplet-droplets-port-22-exposed.json": [ { "enabled": true, "level": "warning" } ], "droplet-droplets-all-ports-exposed.json": [ { "enabled": true, "level": "danger" } ], "spaces-buckets-public-read.json": [ { "enabled": true, "level": "danger" } ], "spaces-buckets-cors.json": [ { "enabled": true, "level": "warning" } ], "networking-firewalls-public-ports.json": [ { "enabled": true, "level": "warning" } ], "networking-firewalls-quad-zero.json": [ { "enabled": true, "level": "danger" } ], "networking-load-balancer-ssl-redirect-disabled.json": [ { "enabled": true, "level": "danger" } ], "networking-load-balancer-backend-keepalive-disabled.json": [ { "enabled": true, "level": "warning" } ], "networking-domains-missing-spf.json": [ { "enabled": true, "level": "danger" } ], "networking-domains-missing-dkim.json": [ { "enabled": true, "level": "warning" } ], "networking-domains-missing-dmarc.json": [ { "enabled": true, "level": "warning" } ], "networking-domains-spf-overly-permissive.json": [ { "enabled": true, "level": "danger" } ], "networking-domains-high-ttl.json": [ { "enabled": true, "level": "warning" } ], "database-databases-mysql-user-legacy-encryption.json": [ { "enabled": true, "level": "danger" } ], "database-databases-redis-evicition-policy.json": [ { "enabled": true, "level": "warning" } ], "database-databases-postgres-connection-pools.json": [ { "enabled": true, "level": "warning" } ], "database-databases-postgres-trusted-sources.json": [ { "enabled": true, "level": "danger" } ], "droplet-droplets-features-monitoring.json": [ { "enabled": true, "level": "warning" 
} ], "kubernetes-kubernetes-ha-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetes-kubernetes-surge-upgrade.json": [ { "enabled": true, "level": "danger" } ], "kubernetes-kubernetes-autoupgrade-minor.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/do/rules/rulesets/filters.json ================================================ { "about": "Default set of filters for Scout", "rules": {} } ================================================ FILE: ScoutSuite/providers/do/services.py ================================================ from ScoutSuite.providers.do.authentication_strategy import DoCredentials from ScoutSuite.providers.do.resources.droplet.base import Droplets from ScoutSuite.providers.do.resources.spaces.base import Spaces from ScoutSuite.providers.do.resources.networking.base import Networking from ScoutSuite.providers.do.resources.database.base import Databases from ScoutSuite.providers.do.resources.kubernetes.base import Kubernetes from ScoutSuite.providers.do.facade.base import DoFacade from ScoutSuite.providers.base.services import BaseServicesConfig class DigitalOceanServicesConfig(BaseServicesConfig): def __init__(self, credentials: DoCredentials = None, **kwargs): super().__init__(credentials) facade = DoFacade(credentials) self.droplet = Droplets(facade) self.networking = Networking(facade) self.database = Databases(facade) self.kubernetes = Kubernetes(facade) if self.credentials.session: self.spaces = Spaces(facade) def _is_provider(self, provider_name): return provider_name == "do" ================================================ FILE: ScoutSuite/providers/do/utils.py ================================================ import boto3 from ScoutSuite.core.console import print_exception, print_debug, print_warning def get_client(service: str, session: boto3.session.Session, region: str = None): """ Instantiates an DO Spaces API client """ try: return ( 
session.client( service, region_name=region, endpoint_url="https://" + region + ".digitaloceanspaces.com", ) if region else session.client(service) ) except Exception as e: print_exception(f"Failed to create client for the {service} service: {e}") return None ================================================ FILE: ScoutSuite/providers/gcp/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/gcp/authentication_strategy.py ================================================ import logging import os import warnings from google import auth from ScoutSuite.providers.base.authentication_strategy import AuthenticationStrategy, AuthenticationException class GCPAuthenticationStrategy(AuthenticationStrategy): def authenticate(self, user_account=None, service_account=None, **kwargs): """ Implements authentication for the GCP provider Refer to https://google-auth.readthedocs.io/en/stable/reference/google.auth.html. """ try: # Set logging level to error for libraries as otherwise generates a lot of warnings logging.getLogger('googleapiclient').setLevel(logging.ERROR) logging.getLogger('google.auth').setLevel(logging.ERROR) logging.getLogger('google_auth_httplib2').setLevel(logging.ERROR) logging.getLogger('urllib3').setLevel(logging.ERROR) if user_account: # disable GCP warning about using User Accounts warnings.filterwarnings("ignore", "Your application has authenticated using end user credentials") elif service_account: client_secrets_path = os.path.abspath(service_account) os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = client_secrets_path else: raise AuthenticationException('Failed to authenticate to GCP - no supported account type') credentials, default_project_id = auth.default() if not credentials: raise AuthenticationException('No credentials') credentials.is_service_account = service_account is not None credentials.default_project_id = default_project_id return credentials except Exception 
as e: raise AuthenticationException(e) ================================================ FILE: ScoutSuite/providers/gcp/facade/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/gcp/facade/base.py ================================================ import json import asyncio from ScoutSuite.core.console import print_exception, print_info, print_warning, print_debug from ScoutSuite.providers.gcp.facade.basefacade import GCPBaseFacade from ScoutSuite.providers.gcp.facade.cloudresourcemanager import CloudResourceManagerFacade from ScoutSuite.providers.gcp.facade.cloudsql import CloudSQLFacade from ScoutSuite.providers.gcp.facade.memorystoreredis import MemoryStoreRedisFacade from ScoutSuite.providers.gcp.facade.cloudstorage import CloudStorageFacade from ScoutSuite.providers.gcp.facade.gce import GCEFacade from ScoutSuite.providers.gcp.facade.dns import DNSFacade from ScoutSuite.providers.gcp.facade.iam import IAMFacade from ScoutSuite.providers.gcp.facade.kms import KMSFacade from ScoutSuite.providers.gcp.facade.stackdriverlogging import StackdriverLoggingFacade from ScoutSuite.providers.gcp.facade.stackdrivermonitoring import StackdriverMonitoringFacade from ScoutSuite.providers.gcp.facade.gke import GKEFacade from ScoutSuite.providers.gcp.facade.functions import FunctionsFacade from ScoutSuite.providers.gcp.facade.bigquery import BigQueryFacade from ScoutSuite.providers.gcp.facade.utils import GCPFacadeUtils from ScoutSuite.utils import format_service_name class GCPFacade(GCPBaseFacade): def __init__(self, default_project_id=None, project_id=None, folder_id=None, organization_id=None, all_projects=None): super().__init__('cloudresourcemanager', 'v1') self.default_project_id = default_project_id self.all_projects = all_projects self.project_id = project_id self.folder_id = folder_id self.organization_id = organization_id self.cloudresourcemanager = CloudResourceManagerFacade() 
self.cloudsql = CloudSQLFacade() self.cloudstorage = CloudStorageFacade() self.memorystoreredis = MemoryStoreRedisFacade() self.gce = GCEFacade() self.functions = FunctionsFacade() self.bigquery = BigQueryFacade() self.iam = IAMFacade() self.kms = KMSFacade() self.dns = DNSFacade() self.stackdriverlogging = StackdriverLoggingFacade() self.stackdrivermonitoring = StackdriverMonitoringFacade() # lock to minimize concurrent calls to get_services() self.projects_services_lock = False self.projects_services = {} # Instantiate facades for proprietary services try: self.gke = GKEFacade(self.gce) except NameError as _: pass async def get_projects(self): try: # All projects to which the user / Service Account has access to if self.all_projects: return await self._get_projects_recursively( parent_type='all', parent_id=None) # Project passed through the CLI elif self.project_id: return await self._get_projects_recursively( parent_type='project', parent_id=self.project_id) # Folder passed through the CLI elif self.folder_id: return await self._get_projects_recursively( parent_type='folder', parent_id=self.folder_id) # Organization passed through the CLI elif self.organization_id: return await self._get_projects_recursively( parent_type='organization', parent_id=self.organization_id) # Project inferred from default configuration elif self.default_project_id: return await self._get_projects_recursively( parent_type='project', parent_id=self.default_project_id) # Raise exception if none of the above else: print_info( "Could not infer the Projects to scan and no default Project ID was found.") return [] except Exception as e: print_exception(f'Failed to retrieve projects: {e}') return [] async def _get_projects_recursively(self, parent_type, parent_id): """ Returns all the projects in a given organization or folder. For a project_id it only returns the project details. 
# FIXME can't currently be done with API client library as it consumes v1 which doesn't support folders resource_manager_client = resource_manager.Client(credentials=self.credentials) project_list = resource_manager_client.list_projects() for p in project_list: if p.parent['id'] == self.organization_id and p.status == 'ACTIVE': projects.append(p.project_id) """ if parent_type not in ['project', 'organization', 'folder', 'all']: return None resourcemanager_client = self._get_client() resourcemanager_client_v2 = self._build_arbitrary_client('cloudresourcemanager', 'v2', force_new=True) projects = [] try: projects_group = resourcemanager_client.projects() if parent_type == 'project': request = resourcemanager_client.projects().list(filter='id:"%s"' % parent_id) elif parent_type == 'all': request = resourcemanager_client.projects().list() # get parent children projects else: request = resourcemanager_client.projects().list(filter='parent.id:"%s"' % parent_id) # get parent children projects in children folders recursively folder_request = resourcemanager_client_v2.folders().list(parent=f'{parent_type}s/{parent_id}') folder_response = await GCPFacadeUtils.get_all('folders', folder_request, projects_group) for folder in folder_response: projects.extend(await self._get_projects_recursively("folder", folder['name'].strip('folders/'))) project_response = await GCPFacadeUtils.get_all('projects', request, projects_group) if project_response: for project in project_response: if project['lifecycleState'] == "ACTIVE": projects.append(project) else: print_exception('No Projects Found, ' 'you may have specified a non-existing Organization, Folder or Project') except Exception as e: print_level = print_exception exception_str = str(e) try: if 'The service is currently unavailable' in exception_str or 'Internal error encountered' in exception_str: print_level = print_warning if hasattr(e, 'content'): content = e.content.decode("utf-8") content_dict = json.loads(content) exception_str 
= content_dict.get("error").get("message") except Exception: # The default output level and message have been set. Use those in the event of any error processing the exception. pass print_level(f'Unable to list accessible Projects: {exception_str}') finally: return projects async def get_enabled_services(self, project_id, attempt=1, has_lock=False): timeout = 60*attempt if project_id not in self.projects_services: # not locked, make query if has_lock or not self.projects_services_lock: self.projects_services_lock = True try: serviceusage_client = self._build_arbitrary_client('serviceusage', 'v1', force_new=True) services = serviceusage_client.services() request = services.list(parent=f'projects/{project_id}', pageSize=200, filter="state:ENABLED") services_response = await GCPFacadeUtils.get_all('services', request, services) self.projects_services[project_id] = services_response self.projects_services_lock = False return self.projects_services[project_id] except Exception as e: # hit quota, wait and retry if ('API_SHARED_QUOTA_EXHAUSTED' in str(e) or 'RATE_LIMIT_EXCEEDED' in str(e)) and attempt <= 10: print_warning(f"Service Usage quotas exceeded for project \"{project_id}\", retrying in {timeout}s") await asyncio.sleep(timeout) return await self.get_enabled_services(project_id, attempt + 1, has_lock=True) # unknown error else: print_warning(f"Could not fetch the state of services for project \"{project_id}\": {e}") self.projects_services_lock = False return None # locked, wait and retry else: if attempt <= 10: # need to set a limit to ensure we don't hit recursion limits if attempt != 1: print_debug(f"Lock already acquired for get_services() on project \"{project_id}\", retrying in {timeout}s") await asyncio.sleep(timeout) # set a lower threshold for the first attempt so that execution runs faster when there aren't any issues else: await asyncio.sleep(10) return await self.get_enabled_services(project_id, attempt + 1) else: print_warning(f"Could not fetch the 
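async def is_api_enabled(self, project_id, service):
    """
    Given a project ID and service name, this method tries to determine if the service's API is enabled.

    The decision fails open: an unknown service name, a missing list of enabled services, or any
    exception raised while checking all return True, so the service stays in the run. False is
    returned only when the list of enabled services was retrieved and no entry matched.

    :param project_id: ID of the project whose enabled services are looked up
    :param service: service name as used by the caller (e.g. 'KMS', 'ComputeEngine')
    :return: True when the service should be included, False when it should be skipped
    """
    # All projects have IAM policies regardless of whether the IAM API is enabled.
    if service == 'IAM':
        return True

    # These are hardcoded endpoint correspondences as there's no easy way to do this.
    endpoints = {
        'KMS': 'cloudkms',
        'CloudStorage': 'storage-component',
        'CloudSQL': 'sqladmin',
        'ComputeEngine': 'compute',
        'Functions': 'cloudfunctions',
        'BigQuery': 'bigquery',
        'KubernetesEngine': 'container',
        'StackdriverLogging': 'logging',
        'StackdriverMonitoring': 'monitoring',
        'MemoryStore': 'redis',
        'DNS': 'dns',
    }

    # Service config names that contain the endpoint string but are not the API being looked for.
    incorrect_endpoints = []
    if service == 'BigQuery':
        incorrect_endpoints.append('annotation-bigquery-public-data.cloudpartnerservices.goog')

    endpoint = endpoints.get(service)
    if endpoint is None:
        print_warning(f"Could not validate the state of the {format_service_name(service.lower())} API "
                      f"for project \"{project_id}\" (unknown endpoint), including it in the execution")
        return True

    try:
        enabled_services = await self.get_enabled_services(project_id)
        # get_enabled_services returns None when it could not fetch the list; compare by identity.
        if enabled_services is None:
            print_warning(f"Could not identify enabled services, including {service}")
            return True
        for s in enabled_services:
            # Substring test: any enabled service whose name contains the endpoint string counts
            # as a match unless its config name is listed in incorrect_endpoints.
            if endpoint in s.get('name') and s.get('config').get('name') not in incorrect_endpoints:
                print_debug(f'{format_service_name(service.lower())} API enabled for '
                            f'project \"{project_id}\", including')
                return True
        print_info(f'{format_service_name(service.lower())} API not enabled for '
                   f'project \"{project_id}\", skipping')
        return False
    except Exception as e:
        print_warning(f"Could not validate the state of the {format_service_name(service.lower())} API "
                      f"for project \"{project_id}\": \"{e}\", including it in the execution")
        return True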
class BigQueryFacade(GCPBaseFacade):
    """
    Facade over the BigQuery 'v2' API client.

    Both methods swallow errors after reporting them with print_exception, so an empty result
    can mean either "nothing there" or "the call failed".
    """

    def __init__(self):
        super().__init__('bigquery', 'v2')  # API Client

    async def get_datasets(self, project_id: str):
        """
        List the datasets of a project and fetch each one individually.

        :param project_id: ID of the project to list datasets for
        :return: result of fetching every listed dataset concurrently, or [] if listing failed
        """
        try:
            datasets_api = self._get_client().datasets()
            list_request = datasets_api.list(projectId=project_id)
            listed = await GCPFacadeUtils.get_all('datasets', list_request, datasets_api)
            # The listed 'id' is colon-separated; only the part after the last colon is kept.
            dataset_ids = [entry.get('id').rpartition(':')[2] for entry in listed]
        except Exception as e:
            print_exception(f'Failed to list BigQuery datasets: {e}')
            return []
        return await map_concurrently(self._get_dataset, dataset_ids, project_id=project_id)

    async def _get_dataset(self, dataset_id: str, project_id: str):
        """
        Fetch a single dataset.

        :param dataset_id: ID of the dataset within the project
        :param project_id: ID of the project that owns the dataset
        :return: the API response, or {} if the request failed
        """
        try:
            datasets_api = self._get_client().datasets()
            get_request = datasets_api.get(projectId=project_id, datasetId=dataset_id)
            return await run_concurrently(get_request.execute)
        except Exception as e:
            print_exception(f'Failed to retrieve BigQuery datasets {dataset_id}: {e}')
            return {}
async def get_backups(self, project_id: str, instance_name: str):
    """
    List the backup runs of one Cloud SQL instance.

    :param project_id: ID of the project that owns the instance
    :param instance_name: name of the database instance
    :return: the 'items' collected by GCPFacadeUtils.get_all, or [] if the call failed
    """
    # NOTE(review): [] is also what a failed call returns, so callers cannot tell
    # "no backups" from "backups could not be listed" - confirm how the rules treat this.
    try:
        backup_runs = self._get_client().backupRuns()
        listing = backup_runs.list(project=project_id, instance=instance_name)
        return await GCPFacadeUtils.get_all('items', listing, backup_runs)
    except Exception as e:
        print_exception(f'Failed to retrieve database instance backups: {e}')
        return []
class CloudStorageFacade:
    """
    Facade over the google.cloud.storage client.

    Buckets returned by get_buckets carry two extra attributes, 'logging' and 'iam_policy'.
    Either is None when it could not be retrieved, which is not the same as logging being
    off or the policy being empty.
    """

    def get_client(self, project_id: str):
        """Build a storage client for the project, tagged with the tool's user agent."""
        return storage.Client(project=project_id,
                              client_info=ClientInfo(user_agent=get_user_agent()))

    async def get_buckets(self, project_id: str):
        """
        List the project's buckets and attach logging and IAM policy data to each.

        :param project_id: ID of the project to list buckets for
        :return: list of bucket objects, or [] if listing or enrichment raised
        """
        try:
            storage_client = self.get_client(project_id)
            bucket_list = await run_concurrently(lambda: list(storage_client.list_buckets()))
            enrichers = [self._get_and_set_bucket_logging, self._get_and_set_bucket_iam_policy]
            await get_and_set_concurrently(enrichers, bucket_list)
            return bucket_list
        except Exception as e:
            print_exception(f'Failed to retrieve storage buckets: {e}')
            return []

    async def _get_and_set_bucket_logging(self, bucket):
        """Set bucket.logging to the bucket's logging configuration, or None on failure."""
        try:
            bucket.logging = await run_concurrently(bucket.get_logging)
        except Exception as e:
            print_exception(f'Failed to retrieve bucket logging: {e}')
            bucket.logging = None

    async def _get_and_set_bucket_iam_policy(self, bucket):
        """Set bucket.iam_policy to the bucket's IAM policy, or None on failure."""
        try:
            bucket.iam_policy = await run_concurrently(bucket.get_iam_policy)
        except Exception as e:
            print_exception(f'Failed to retrieve bucket IAM policy: {e}')
            bucket.iam_policy = None
class DNSFacade(GCPBaseFacade):
    """Facade over the Cloud DNS 'v1' API client."""

    def __init__(self):
        super().__init__('dns', 'v1')

    async def get_zones(self, project_id):
        """
        Fetch the managed zones of a project.

        :param project_id: ID of the project to list zones for
        :return: the raw response of the list call, or {} if it failed
        """
        # NOTE(review): a single list request is executed and its response returned as-is;
        # further pages, if the API returns any, are not followed here - confirm.
        try:
            client = self._get_client()

            def fetch_zones():
                return client.managedZones().list(project=project_id).execute()

            return await run_concurrently(fetch_zones)
        except Exception as e:
            print_exception(f'Failed to retrieve zones: {e}')
            return {}
async def _get_and_set_function_iam_policy(self, function, api_version: str):
    """
    Fetch the IAM policy of one Cloud Function and store its bindings on the function dict.

    function['bindings'] is always set: to the policy's 'bindings' list, or to [] when the
    policy has none or the request fails. An empty list therefore does not distinguish
    "no bindings" from "policy could not be read".

    :param function: function dict as returned by the API; modified in place
    :param api_version: Cloud Functions API version used to build the client
    """
    try:
        client = self._build_arbitrary_client(self._client_name, api_version, force_new=True)
        functions_api = client.projects().locations().functions()
        policy_request = functions_api.getIamPolicy(resource=function.get('name'))
        iam_policy = await run_concurrently(policy_request.execute)
        function['bindings'] = iam_policy.get('bindings', [])
    except Exception as e:
        print_exception(f'Failed to get bindings for Cloud Functions function {function.get("name")} '
                        f'({api_version}): {e}')
        function['bindings'] = []
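async def _add_metadata(self, project_id, instances):
    """
    Normalize instance metadata in place and attach the project-wide metadata to every instance.

    Each instance's 'metadata' entry is replaced by the key/value dict produced by
    metadata_to_dict, and 'commonInstanceMetadata' is set to the project's common metadata
    converted the same way.

    :param project_id: ID of the project the instances belong to
    :param instances: list of instance dicts; modified in place
    """
    project = await self.get_project(project_id)
    # get_project returns None when the lookup fails (it reports the error itself). Indexing
    # None here used to raise, and get_instances discards that error in its `finally: return`,
    # leaving every instance with unconverted metadata and no 'commonInstanceMetadata' key.
    # An empty dict in that case means "unknown", not "no project-wide metadata".
    raw_common = (project or {}).get('commonInstanceMetadata') or {}
    common_instance_metadata = self.metadata_to_dict(raw_common)
    for instance in instances:
        # Tolerate an instance without a 'metadata' entry instead of aborting the whole batch.
        instance['metadata'] = self.metadata_to_dict(instance.get('metadata') or {})
        instance['commonInstanceMetadata'] = common_instance_metadata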
async def get_subnetwork(self, project_id, region, subnetwork_id):
    """
    Fetch a single subnetwork.

    A failure whose message contains 'was not found' is reported as a warning, any other
    failure as an exception; None is returned in both cases.

    :param project_id: ID of the project that owns the subnetwork
    :param region: region of the subnetwork
    :param subnetwork_id: subnetwork identifier passed to the API
    :return: the API response, or None if the request failed
    """
    try:
        client = self._get_client()

        def fetch_subnetwork():
            lookup = client.subnetworks().get(project=project_id,
                                              region=region,
                                              subnetwork=subnetwork_id)
            return lookup.execute()

        return await run_concurrently(fetch_subnetwork)
    except Exception as e:
        report = print_warning if 'was not found' in str(e) else print_exception
        report(f'Failed to retrieve subnetwork: {e}')
        return None
async def get_clusters(self, project_id):
    """
    List the project's clusters and annotate each with its subnetwork's private Google access flag.

    The list call uses the parent `projects/<project_id>/locations/-` (presumably matching
    every location - confirm against the API documentation).

    :param project_id: ID of the project to list clusters for
    :return: list of cluster dicts, or [] if listing or annotation raised
    """
    try:
        client = self._get_client()

        def list_clusters():
            clusters_api = client.projects().locations().clusters()
            return clusters_api.list(parent=f"projects/{project_id}/locations/-").execute()

        listing = await run_concurrently(list_clusters)
        found = listing.get('clusters', [])
        await get_and_set_concurrently([self._get_and_set_private_google_access_enabled],
                                       found,
                                       project_id=project_id)
        return found
    except Exception as e:
        print_exception('Failed to retrieve clusters: {}'.format(e))
        return []
def _get_cluster_region(self, cluster):
    """
    Extract the region from the cluster's 'location' value.

    The pattern captures the leading `word-word` part of the location, so a zonal location
    such as `us-central1-a` yields `us-central1` and a regional one is returned unchanged.
    See https://cloud.google.com/compute/docs/regions-zones/#identifying_a_region_or_zone

    :param cluster: cluster dict with a 'location' entry
    :return: the captured region string
    """
    # A location that does not match raises AttributeError here (search returns None);
    # the caller handles that in its own try/except.
    return re.search("^([\\w]+-[\\w]+)", cluster['location']).group(1)
async def get_role_definition(self, role: str):
    """
    Fetch the definition of an IAM role.

    Anything from "_withcond_" onwards is removed from the role name first. The roles
    collection queried depends on the name: the project one if it contains 'projects/',
    the organization one if it contains 'organizations/', the top-level one otherwise.

    :param role: role name, optionally followed by a "_withcond_" suffix
    :return: the API response, or {} if the request failed
    """
    try:
        role = role.split("_withcond_")[0]  # remove the condition key to get the actual role
        iam_client = self._get_client()

        def fetch_role():
            if 'projects/' in role:
                roles_api = iam_client.projects().roles()
            elif 'organizations/' in role:
                roles_api = iam_client.organizations().roles()
            else:
                roles_api = iam_client.roles()
            return roles_api.get(name=role).execute()

        return await run_concurrently(fetch_role)
    except Exception as e:
        print_exception(f'Failed to retrieve IAM role definition for role {role}: {e}')
        return {}
async def list_key_rings(self, project_id: str):
    """
    List the KMS key rings of a project, grouped by location.

    Locations are processed one after another. If any step raises, the key rings collected
    so far are discarded and {} is returned. The error is reported unless its message
    contains 'Billing is disabled for project'.

    :param project_id: ID of the project to list key rings for
    :return: dict mapping each location ID to its list of key rings, or {} on failure
    """
    try:
        rings_by_location = {}
        for location in await self.get_locations(project_id):
            location_id = location['locationId']
            parent = self.cloud_client.location_path(project_id, location_id)
            # The lambda is awaited before the next iteration, so it sees this location's parent.
            rings_by_location[location_id] = await run_concurrently(
                lambda: list(self.cloud_client.list_key_rings(parent)))
        return rings_by_location
    except Exception as e:
        if 'Billing is disabled for project' not in str(e):
            print_exception(f'Failed to retrieve KMS key rings: {e}')
        return {}
class MemoryStoreRedisFacade(GCPBaseFacade):
    """Facade over the 'redis' API client, version 'v1beta1'."""

    def __init__(self):
        super().__init__('redis', 'v1beta1')

    async def get_redis_instances(self, project_id: str):
        """
        Retrieve Redis instances using the Cloud Memorystore API.

        :param project_id: ID of the project to list instances for
        :return: the 'instances' collected by GCPFacadeUtils.get_all, or [] if the call failed
        """
        try:
            instances_api = self._get_client().projects().locations().instances()
            listing = instances_api.list(parent=f'projects/{project_id}/locations/-')
            return await GCPFacadeUtils.get_all('instances', listing, instances_api)
        except Exception as e:
            print_exception(f'Failed to retrieve redis instances: {e}')
            return []
import print_exception
from ScoutSuite.providers.utils import run_concurrently
from ScoutSuite.utils import get_user_agent


class StackdriverLoggingFacade:
    """
    Facade over Stackdriver Logging: sinks and metrics of a project.

    Both getters print any exception and return [], so a failed call returns the same
    value as a project without sinks or metrics.
    """

    def get_client(self, project_id: str):
        """
        Build a logging client for a project, tagged with the Scout Suite user agent.

        :param project_id:  Project the client is bound to
        :return:            stackdriverlogging.Client instance
        """
        user_agent_info = ClientInfo(user_agent=get_user_agent())
        return stackdriverlogging.Client(project=project_id, client_info=user_agent_info)

    async def get_sinks(self, project_id: str):
        """
        :param project_id:  Project whose sinks are listed
        :return:            List of sinks, [] if the call failed
        """
        try:
            logging_client = self.get_client(project_id)
            return await run_concurrently(lambda: list(logging_client.list_sinks()))
        except Exception as e:
            print_exception(f'Failed to retrieve sinks: {e}')
            return []

    async def get_metrics(self, project_id: str):
        """
        :param project_id:  Project whose metrics are listed
        :return:            List of metrics, [] if the call failed
        """
        try:
            logging_client = self.get_client(project_id)
            return await run_concurrently(lambda: list(logging_client.list_metrics()))
        except Exception as e:
            print_exception(f'Failed to retrieve metrics: {e}')
            return []


================================================
FILE: ScoutSuite/providers/gcp/facade/stackdrivermonitoring.py
================================================
from google.cloud import monitoring as stackdrivermonitoring
from google.api_core.gapic_v1.client_info import ClientInfo

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.utils import run_concurrently
from ScoutSuite.utils import get_user_agent


class StackdriverMonitoringFacade:
    """
    Facade over Stackdriver Monitoring: uptime checks and alert policies of a project.

    Both getters return [] on any exception. Errors mentioning 'is not a workspace' or
    '404' are not printed at all, every other error is printed.
    """

    # TODO find a way to skip the project if it's not configured as a stackdriver workspace

    def get_uptime_client(self):
        """Build an UptimeCheckServiceClient tagged with the Scout Suite user agent."""
        user_agent_info = ClientInfo(user_agent=get_user_agent())
        return stackdrivermonitoring.UptimeCheckServiceClient(client_info=user_agent_info)

    def get_alerts_client(self):
        """Build an AlertPolicyServiceClient tagged with the Scout Suite user agent."""
        user_agent_info = ClientInfo(user_agent=get_user_agent())
        return stackdrivermonitoring.AlertPolicyServiceClient(client_info=user_agent_info)

    async def get_uptime_checks(self, project_id: str):
        """
        :param project_id:  Project whose uptime check configurations are listed
        :return:            List of uptime check configurations, [] if the call failed
        """
        try:
            uptime_client = self.get_uptime_client()
            project_name = uptime_client.project_path(project_id)
            return await run_concurrently(
                lambda: list(uptime_client.list_uptime_check_configs(project_name)))
        except Exception as e:
            # Projects that are not a workspace (or answer 404) are skipped without a message
            expected_failure = 'is not a workspace' in getattr(e, 'message', '') or '404' in str(e)
            if not expected_failure:
                print_exception(f'Failed to retrieve uptime checks: {e}')
            return []

    async def get_alert_policies(self, project_id: str):
        """
        :param project_id:  Project whose alert policies are listed
        :return:            List of alert policies, [] if the call failed
        """
        try:
            alerts_client = self.get_alerts_client()
            project_name = alerts_client.project_path(project_id)
            return await run_concurrently(
                lambda: list(alerts_client.list_alert_policies(project_name)))
        except Exception as e:
            # Projects that are not a workspace (or answer 404) are skipped without a message
            expected_failure = 'is not a workspace' in getattr(e, 'message', '') or '404' in str(e)
            if not expected_failure:
                print_exception(f'Failed to retrieve alert policies: {e}')
            return []


================================================
FILE: ScoutSuite/providers/gcp/facade/utils.py
================================================
from ScoutSuite.providers.utils import run_concurrently


class GCPFacadeUtils:
    """Pagination helpers shared by the GCP facades that use the API client."""

    @staticmethod
    async def _get_all(resources, resource_key: str, request, resources_group):
        """
        Follow a paginated listing and append every page's entries to ``resources``.

        :param resources:       List extended in place with the entries found
        :param resource_key:    Key of the response holding the entries of a page
        :param request:         First request to execute, None to do nothing
        :param resources_group: Object providing ``list_next`` to build the following request
        :return:                None
        """
        while request is not None:
            # NOTE(review): execute() is called directly rather than through run_concurrently,
            # so it presumably blocks the event loop while the page is fetched - confirm the
            # client can be used from another thread before moving it.
            page = request.execute()
            resources.extend(page.get(resource_key, []))
            request = await run_concurrently(
                lambda: resources_group.list_next(previous_request=request, previous_response=page)
            )

    @staticmethod
    async def get_all(resource_key: str, request, resources_group):
        """
        Collect the entries of every page of a listing into a new list.

        :param resource_key:    Key of the response holding the entries of a page
        :param request:         First request to execute
        :param resources_group: Object providing ``list_next`` to build the following request
        :return:                List of all entries
        """
        collected = []
        await GCPFacadeUtils._get_all(collected, resource_key, request, resources_group)
        return collected


================================================
FILE: ScoutSuite/providers/gcp/metadata.json
================================================
{ "security": { "iam": { "resources": { "users": { "cols": 2, "path": "services.iam.projects.id.users" }, "groups": { "cols": 2, "path": "services.iam.projects.id.groups" }, "service_accounts": { "cols": 2, "path": "services.iam.projects.id.service_accounts" }, "domains": { "cols": 2, "path": "services.iam.projects.id.domains" }, "bindings": { "cols": 2, "path": "services.iam.projects.id.bindings" }, "bindings_separation_duties": { "cols": 2, "path": "services.iam.projects.id.bindings_separation_duties" } } }, "kms": { "resources": { "keyrings": { "cols": 2, "path":
"services.kms.projects.id.keyrings" } } } }, "compute": { "computeengine": { "resources": { "instances": { "cols": 2, "path": "services.computeengine.projects.id.zones.id.instances" }, "snapshots": { "cols": 2, "path": "services.computeengine.projects.id.snapshots" }, "firewalls": { "cols": 2, "path": "services.computeengine.projects.id.firewalls" }, "networks": { "cols": 2, "path": "services.computeengine.projects.id.networks" }, "subnetworks": { "cols": 2, "path": "services.computeengine.projects.id.regions.id.subnetworks" }, "forwarding_rules": { "cols": 2, "path": "services.computeengine.projects.id.regions.id.forwarding_rules" }, "global_forwarding_rules": { "cols": 2, "path": "services.computeengine.projects.id.global_forwarding_rules" } } }, "kubernetesengine": { "resources": { "clusters": { "cols": 2, "path": "services.kubernetesengine.projects.id.clusters" } } }, "functions": { "resources": { "functions_v1": { "cols": 2, "path": "services.functions.projects.id.functions_v1" }, "functions_v2": { "cols": 2, "path": "services.functions.projects.id.functions_v2" } } } }, "network": { "dns": { "resources": { "managed_zones": { "cols": 2, "path": "services.dns.projects.id.managed_zones" } } }}, "storage": { "cloudstorage": { "resources": { "buckets": { "cols": 2, "path": "services.cloudstorage.projects.id.buckets" } } } }, "database": { "cloudsql": { "resources": { "instances": { "cols": 2, "path": "services.cloudsql.projects.id.instances" } } }, "cloudmemorystore": { "resources": { "redis_instances": { "cols": 2, "path": "services.cloudmemorystore.projects.id.redis_instances" } } }, "bigquery": { "resources": { "datasets": { "cols": 2, "path": "services.bigquery.projects.id.datasets" } } } }, "management": { "stackdriverlogging": { "resources": { "sinks": { "cols": 2, "path": "services.stackdriverlogging.projects.id.sinks" }, "metrics": { "cols": 2, "path": "services.stackdriverlogging.projects.id.metrics" }, "logging_metrics": { "cols": 2, "path": 
"services.stackdriverlogging.projects.id.logging_metrics" } } }, "stackdrivermonitoring": { "resources": { "uptime_checks": { "cols": 2, "path": "services.stackdrivermonitoring.projects.id.uptime_checks" }, "alert_policies": { "cols": 2, "path": "services.stackdrivermonitoring.projects.id.alert_policies" }, "monitoring_alert_policies": { "cols": 2, "path": "services.stackdrivermonitoring.projects.id.monitoring_alert_policies" } } } } } ================================================ FILE: ScoutSuite/providers/gcp/provider.py ================================================ import os from ScoutSuite.core.console import print_exception from ScoutSuite.providers.base.provider import BaseProvider from ScoutSuite.providers.gcp.services import GCPServicesConfig class GCPProvider(BaseProvider): """ Implements provider for GCP """ def __init__(self, project_id=None, folder_id=None, organization_id=None, all_projects=None, report_dir=None, timestamp=None, services=None, skipped_services=None, result_format='json', **kwargs): services = [] if services is None else services skipped_services = [] if skipped_services is None else skipped_services self.metadata_path = '%s/metadata.json' % os.path.split( os.path.abspath(__file__))[0] self.provider_code = 'gcp' self.provider_name = 'Google Cloud Platform' self.environment = 'default' self.all_projects = all_projects self.project_id = project_id self.folder_id = folder_id self.organization_id = organization_id self.credentials = kwargs['credentials'] self._set_account_id() self.services = GCPServicesConfig(self.credentials, self.credentials.default_project_id, self.project_id, self.folder_id, self.organization_id, self.all_projects) self.result_format = result_format super().__init__(report_dir, timestamp, services, skipped_services, result_format) def get_report_name(self): """ Returns the name of the report using the provider's configuration """ if self.account_id: return f'gcp-{self.account_id}' else: return 'gcp' def 
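_set_account_id(self):
        """
        Choose the identifier stored in self.account_id, which get_report_name() uses.

        Precedence: all-projects mode, then the project, folder and organization passed
        through the CLI, then the default project of the credentials.

        :return: None
        """
        # All accessible projects
        if self.all_projects:
            # Service Account
            if self.credentials.is_service_account and hasattr(self.credentials, 'service_account_email'):
                self.account_id = self.credentials.service_account_email
            else:
                # TODO use username email (can't find it...)
                self.account_id = 'user-account'
        # Project passed through the CLI
        elif self.project_id:
            self.account_id = self.project_id
        # Folder passed through the CLI
        elif self.folder_id:
            self.account_id = self.folder_id
        # Organization passed through the CLI
        elif self.organization_id:
            self.account_id = self.organization_id
        # Project inferred from default configuration
        elif self.credentials.default_project_id:
            self.account_id = self.credentials.default_project_id
        else:
            self.account_id = 'unknown-project-id'

    def preprocessing(self, ip_ranges=None, ip_ranges_name_key=None):
        """
        Tweak the GCP config to match cross-resources and clean any fetching artifacts

        :param ip_ranges:           Not used by this implementation
        :param ip_ranges_name_key:  Not used by this implementation
        :return:                    None
        """
        self._match_instances_and_snapshots()
        self._match_networks_and_instances()
        self._match_networks_and_firewalls()
        self._match_subnetworks_and_instances()

        super().preprocessing()

    def _match_instances_and_snapshots(self):
        """
        Compare Compute Engine instances and snapshots to identify instance disks that do not have a snapshot.

        Each instance disk receives a 'snapshots' list (snapshots in READY status whose source disk
        URL equals the disk's source URL) and a 'latest_snapshot' entry, None when the list is empty.
        Any exception is printed and stops the matching.

        :return: None
        """
        try:
            if 'computeengine' in self.service_list:
                for project in self.services['computeengine']['projects'].values():
                    for zone in project['zones'].values():
                        for instance in zone['instances'].values():
                            for instance_disk in instance['disks'].values():
                                instance_disk['snapshots'] = []
                                for disk in project['snapshots'].values():
                                    if disk['status'] == 'READY' and \
                                            disk['source_disk_url'] == instance_disk['source_url']:
                                        instance_disk['snapshots'].append(disk)

                                instance_disk['latest_snapshot'] = max(instance_disk['snapshots'],
                                                                       key=lambda x: x['creation_timestamp']) \
                                    if instance_disk['snapshots'] else None
        except Exception as e:
            print_exception('Unable to match instances and snapshots: {}'.format(e))

    def _match_networks_and_instances(self):
        """
        For each network, match instances in that network

        Each network receives an 'instances' list of instance id / zone pairs, and each matching
        network interface receives the id of its network. Any exception is printed and stops
        the matching.

        :return: None
        """
        try:
            if 'computeengine' in self.service_list:
                for project in self.services['computeengine']['projects'].values():
                    for network in project['networks'].values():
                        network['instances'] = []
                        for zone in project['zones'].values():
                            # Skip the counts contained in the zones dictionary
                            # (isinstance is required: "zone is int" compares with the type object
                            # and is never true for a count)
                            if isinstance(zone, int):
                                continue
                            for instance in zone['instances'].values():
                                # The instance-level key stays None, the id goes on the interface
                                instance['network_id'] = None
                                for network_interface in instance['network_interfaces']:
                                    if network_interface['network'] == network['network_url']:
                                        network['instances'].append({'instance_id': instance['id'],
                                                                     'instance_zone': instance['zone']})
                                        network_interface['network_id'] = network['id']
        except Exception as e:
            print_exception('Unable to match instances and networks: {}'.format(e))

    def _match_networks_and_firewalls(self):
        """
        For each network, match firewall rules in that network

        Each network receives a 'firewalls' list of firewall ids, and each firewall receives the id
        of its network in 'network_id' (None when no network matches). Any exception is printed and
        stops the matching.

        :return: None
        """
        try:
            if 'computeengine' in self.service_list:
                for project in self.services['computeengine']['projects'].values():
                    # Reset once per project, before any network is examined: resetting inside the
                    # network loop erased the match recorded for every network but the last one.
                    for firewall in project['firewalls'].values():
                        firewall['network_id'] = None
                    for network in project['networks'].values():
                        network['firewalls'] = []
                        for firewall in project['firewalls'].values():
                            if firewall['network_url'] == network['network_url']:
                                network['firewalls'].append(firewall['id'])
                                firewall['network_id'] = network['id']
        except Exception as e:
            print_exception('Unable to match firewalls and networks: {}'.format(e))

    def _match_subnetworks_and_instances(self):
        """
        For each subnetwork, match instances in that subnetwork

        Each subnetwork receives an 'instances' list of instance id / zone pairs, and each matching
        network interface receives the id and region of its subnetwork. Any exception is printed
        and stops the matching.

        :return: None
        """
        try:
            if 'computeengine' in self.service_list:
                for project in self.services['computeengine']['projects'].values():
                    for region in project['regions'].values():
                        for subnetwork in region['subnetworks'].values():
                            subnetwork['instances'] = []
                            for zone in project['zones'].values():
                                # Skip the counts contained in the zones dictionary
                                # (isinstance is required: "zone is int" compares with the type
                                # object and is never true for a count)
                                if isinstance(zone, int):
                                    continue
                                for instance in zone['instances'].values():
                                    # The instance-level key stays None, the id goes on the interface
                                    instance['subnetwork_id'] = None
                                    for network_interface in instance['network_interfaces']:
                                        if network_interface['subnetwork'] == subnetwork['subnetwork_url']:
                                            subnetwork['instances'].append({'instance_id': instance['id'],
                                                                            'instance_zone': instance['zone']})
                                            network_interface['subnetwork_id'] = subnetwork['id']
                                            network_interface['subnetwork_region'] = subnetwork['region']
        except Exception as e:
            print_exception('Unable to match instances and subnetworks: {}'.format(e))


================================================
FILE: ScoutSuite/providers/gcp/resources/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/gcp/resources/base.py
================================================
"""This module provides implementations for CompositeResources for GCP."""

from ScoutSuite.providers.base.resources.base import CompositeResources


class GCPCompositeResources(CompositeResources):
    """This class represents a collection of Resources from GCP. Classes extending GCPCompositeResources should
    define a "_children" attribute which consists of a list of tuples describing the children. The tuples are
    expected to respect the following format: (<child_class>, <child_name>).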
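The child_name indicates the name under which the child will be stored in the parent object.
    """

    pass


================================================
FILE: ScoutSuite/providers/gcp/resources/bigquery/base.py
================================================
from ScoutSuite.providers.gcp.resources.bigquery.datasets import Datasets
from ScoutSuite.providers.gcp.resources.projects import Projects


class BigQuery(Projects):
    # (child class, name under which the child is stored)
    _children = [
        (Datasets, 'datasets')
    ]


================================================
FILE: ScoutSuite/providers/gcp/resources/bigquery/datasets.py
================================================
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.utils import get_non_provider_id


class Datasets(Resources):
    """BigQuery datasets of one project, stored under the id returned by get_non_provider_id."""

    def __init__(self, facade: GCPFacade, project_id: str):
        """
        :param facade:      Facade used to query BigQuery
        :param project_id:  Project whose datasets are fetched
        """
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch the datasets of the project and store the parsed form of each one."""
        raw_datasets = await self.facade.bigquery.get_datasets(self.project_id)
        for raw_dataset in raw_datasets:
            dataset_id, dataset = self._parse_dataset(raw_dataset)
            self[dataset_id] = dataset

    def _parse_dataset(self, raw_dataset):
        """
        Reduce a raw dataset to the fields kept in the report.

        :param raw_dataset: Dataset dictionary as returned by the facade
        :return:            (dataset id, parsed dataset dictionary)
        """
        dataset_dict = {}
        dataset_dict['id'] = get_non_provider_id(raw_dataset.get('id'))
        dataset_dict['name'] = raw_dataset.get('datasetReference').get('datasetId')
        dataset_dict['location'] = raw_dataset.get('location')
        dataset_dict['creation_time'] = int(raw_dataset.get('creationTime'))
        dataset_dict['last_modified_time'] = int(raw_dataset.get('lastModifiedTime'))
        # None when the dataset has no default encryption configuration with a KMS key name
        dataset_dict['default_encryption_configuration'] = \
            raw_dataset.get('defaultEncryptionConfiguration', {}).get('kmsKeyName')

        # format bindings in a way that's easier to query
        dataset_dict['bindings'] = {}
        # A dataset without an 'access' list yields no bindings instead of raising a TypeError
        for entry in raw_dataset.get('access') or []:
            role = entry.get('role')
            members = dataset_dict['bindings'].setdefault(role, [])
            # Every key of the entry other than 'role' is recorded as a member type
            for k, v in entry.items():
                if k != 'role':
                    members.append({"type": k, "member": v})
        return dataset_dict['id'], dataset_dict


================================================
FILE: ScoutSuite/providers/gcp/resources/cloudsql/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/gcp/resources/cloudsql/backups.py
================================================
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade


class Backups(Resources):
    """Successful backups of one Cloud SQL instance, stored under the backup id."""

    def __init__(self, facade: GCPFacade, project_id: str, instance_name: str):
        """
        :param facade:          Facade used to query Cloud SQL
        :param project_id:      Project owning the instance
        :param instance_name:   Instance whose backups are fetched
        """
        super().__init__(facade)
        self.project_id = project_id
        self.instance_name = instance_name

    async def fetch_all(self):
        """Fetch the backups of the instance and keep those whose status is SUCCESSFUL."""
        raw_backups = await self.facade.cloudsql.get_backups(self.project_id, self.instance_name)
        for raw_backup in raw_backups:
            if raw_backup['status'] == 'SUCCESSFUL':
                backup_id, backup = self._parse_backup(raw_backup)
                self[backup_id] = backup

    def _parse_backup(self, raw_backup):
        """
        Reduce a raw backup to the fields kept in the report.

        :param raw_backup:  Backup dictionary as returned by the facade
        :return:            (backup id, parsed backup dictionary)
        """
        # The assignments previously ended with a trailing comma, which stored 'backup_url',
        # 'creation_timestamp' and 'status' as one-element tuples instead of plain values.
        backup_dict = {
            'id': raw_backup['id'],
            'backup_url': raw_backup['selfLink'],
            'creation_timestamp': raw_backup['endTime'],
            'status': raw_backup['status'],
            'type': raw_backup['type'],
        }
        return backup_dict['id'], backup_dict


================================================
FILE: ScoutSuite/providers/gcp/resources/cloudsql/base.py
================================================
from ScoutSuite.providers.gcp.resources.projects import Projects
from ScoutSuite.providers.gcp.resources.cloudsql.database_instances import DatabaseInstances


class CloudSQL(Projects):
    # (child class, name under which the child is stored)
    _children = [
        (DatabaseInstances, 'instances')
    ]


================================================
FILE: ScoutSuite/providers/gcp/resources/cloudsql/database_instances.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.gcp.facade.base import GCPFacade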
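from ScoutSuite.providers.gcp.resources.base import GCPCompositeResources
from ScoutSuite.providers.gcp.resources.cloudsql.backups import Backups
from ScoutSuite.providers.gcp.resources.cloudsql.users import Users
from ScoutSuite.providers.utils import get_non_provider_id


class DatabaseInstances(GCPCompositeResources):
    """Cloud SQL instances of one project, with their backups and users."""

    _children = [
        (Backups, 'backups'),
        (Users, 'users')
    ]

    def __init__(self, facade: GCPFacade, project_id: str):
        """Remember the project whose instances will be fetched."""
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch and parse every instance, then its children and last backup time."""
        raw_instances = await self.facade.cloudsql.get_database_instances(self.project_id)
        for raw_instance in raw_instances:
            instance_id, instance = self._parse_instance(raw_instance)
            self[instance_id] = instance

        await self._fetch_children_of_all_resources(
            resources=self,
            scopes={instance_id: {'project_id': self.project_id, 'instance_name': instance['name']}
                    for instance_id, instance in self.items()})

        # Needs the 'backups' children, so it runs after they have been fetched.
        self._set_last_backup_timestamps(self.items())

    def _parse_instance(self, raw_instance):
        """Return ``(instance_id, instance_dict)`` for one raw Cloud SQL instance.

        The engine-specific flag fields are tri-state: True/False when the
        check applies to the instance's engine, None when it does not.
        """
        instance_dict = {}

        instance_dict['id'] = get_non_provider_id(raw_instance['name'])
        instance_dict['name'] = raw_instance['name']
        instance_dict['project_id'] = raw_instance['project']
        instance_dict['automatic_backup_enabled'] = raw_instance['settings'].get('backupConfiguration', {}).get('enabled')
        instance_dict['database_version'] = raw_instance['databaseVersion']
        instance_dict['log_enabled'] = self._is_log_enabled(raw_instance)
        instance_dict['ssl_required'] = self._is_ssl_required(raw_instance)
        instance_dict['authorized_networks'] = raw_instance['settings'].get('ipConfiguration', {}).get('authorizedNetworks', [])

        if raw_instance['settings'].get('databaseFlags', None):
            instance_dict['local_infile_off'] = self._mysql_local_infile_flag_off(raw_instance)
            instance_dict['log_checkpoints_on'] = self._postgres_flags_on(raw_instance, 'log_checkpoints')
            instance_dict['log_connections_on'] = self._postgres_flags_on(raw_instance, 'log_connections')
            instance_dict['log_disconnections_on'] = self._postgres_flags_on(raw_instance, 'log_disconnections')
            instance_dict['log_lock_waits_on'] = self._postgres_flags_on(raw_instance, 'log_lock_waits')
            # NOTE(review): stored under 'log_min_messages' but the helper
            # inspects the 'log_min_error_statement' flag; confirm which is meant.
            instance_dict['log_min_messages'] = self._postgres_log_min_error_statement_flags(raw_instance)
            instance_dict['log_temp_files_0'] = self._postgres_log_temp_files_flags_0(raw_instance)
            instance_dict['log_min_duration_statement_-1'] = self._postgres_log_min_duration_statement_flags_1(
                raw_instance)
            instance_dict['cross_db_ownership_chaining_off'] = self._sqlservers_cross_db_ownership_chaining_flag_off(
                raw_instance, 'cross db ownership chaining')
            instance_dict['contained_database_authentication_off'] = self._sqlservers_cross_db_ownership_chaining_flag_off(
                raw_instance, 'contained database authentication')
        else:
            # No flags configured at all: PostgreSQL checks report False,
            # other engines None; MySQL / SQL Server checks report True.
            instance_dict['local_infile_off'] = True
            instance_dict['log_checkpoints_on'] = self._check_database_type(raw_instance)
            instance_dict['log_connections_on'] = self._check_database_type(raw_instance)
            instance_dict['log_disconnections_on'] = self._check_database_type(raw_instance)
            instance_dict['log_lock_waits_on'] = self._check_database_type(raw_instance)
            instance_dict['log_min_messages'] = self._check_database_type(raw_instance)
            instance_dict['log_temp_files_0'] = self._check_database_type(raw_instance)
            instance_dict['log_min_duration_statement_-1'] = self._check_database_type(raw_instance)
            instance_dict['cross_db_ownership_chaining_off'] = True
            instance_dict['contained_database_authentication_off'] = True

        # check if is or has a failover replica
        instance_dict['has_failover_replica'] = raw_instance.get('failoverReplica', []) != []
        instance_dict['is_failover_replica'] = raw_instance.get('masterInstanceName', '') != ''

        # network interfaces
        instance_dict['public_ip'] = None
        instance_dict['private_ip'] = None
        instance_dict['outgoing_ip'] = None
        for address in raw_instance.get('ipAddresses', []):
            if address['type'] == 'PRIMARY':
                instance_dict['public_ip'] = address['ipAddress']
            elif address['type'] == 'PRIVATE':
                instance_dict['private_ip'] = address['ipAddress']
            elif address['type'] == 'OUTGOING':
                instance_dict['outgoing_ip'] = address['ipAddress']
            else:
                print_exception('Unknown Cloud SQL instance IP address type: {}'.format(address['type']))

        return instance_dict['id'], instance_dict

    def _is_log_enabled(self, raw_instance):
        """Return the backup configuration's 'binaryLogEnabled' value (None if absent)."""
        return raw_instance['settings'].get('backupConfiguration', {}).get('binaryLogEnabled')

    def _is_ssl_required(self, raw_instance):
        """Return the IP configuration's 'requireSsl' value, False if absent."""
        # NOTE(review): only 'requireSsl' is read here; confirm whether the API
        # responses being scanned also carry an 'sslMode' setting to consider.
        return raw_instance['settings'].get('ipConfiguration', {}).get('requireSsl', False)

    def _set_last_backup_timestamps(self, instances):
        """Set 'last_backup_timestamp' on every instance from its 'backups' child."""
        for instance_id, _ in instances:
            self[instance_id]['last_backup_timestamp'] = self._get_last_backup_timestamp(
                self[instance_id]['backups'])

    def _get_last_backup_timestamp(self, backups):
        """Return the largest 'creation_timestamp' among backups, or None if there are none."""
        if not backups:
            return None
        last_backup_id = max(backups.keys(), key=(
            lambda k: backups[k]['creation_timestamp']))
        return backups[last_backup_id]['creation_timestamp']

    def _mysql_local_infile_flag_off(self, raw_instance):
        """Return False only for a MySQL instance with local_infile set to 'on'."""
        # NOTE(review): an unset flag is reported as "off"; confirm that this
        # matches the engine default before relying on it for a finding.
        if 'MYSQL' in raw_instance['databaseVersion']:
            for flag in raw_instance['settings'].get('databaseFlags', []):
                if flag['name'] == 'local_infile' and flag['value'] == 'on':
                    return False
        return True

    def _check_database_type(self, raw_instance):
        """Return False for PostgreSQL instances and None for any other engine."""
        if 'POSTGRES' in raw_instance['databaseVersion']:
            return False
        return None

    def _postgres_flags_on(self, raw_instance, flag_name: str):
        """Return whether flag_name is set to anything but 'off' (None if not PostgreSQL)."""
        if 'POSTGRES' in raw_instance['databaseVersion']:
            for flag in raw_instance['settings'].get('databaseFlags', []):
                if flag['name'] == flag_name and flag['value'] != 'off':
                    return True
            return False
        else:
            return None

    def _postgres_log_min_error_statement_flags(self, raw_instance):
        """Return whether log_min_error_statement has a value (None if not PostgreSQL)."""
        if 'POSTGRES' in raw_instance['databaseVersion']:
            for flag in raw_instance['settings'].get('databaseFlags', []):
                if flag['name'] == 'log_min_error_statement' and flag['value'] is not None:
                    return True
            return False
        else:
            return None

    def _postgres_log_temp_files_flags_0(self, raw_instance):
        """Return whether log_temp_files is set to 0 (None if not PostgreSQL)."""
        if 'POSTGRES' in raw_instance['databaseVersion']:
            for flag in raw_instance['settings'].get('databaseFlags', []):
                # The other checks in this class compare flag values as strings
                # ('on'/'off'), so an integer comparison would never match '0'.
                # str() keeps an integer 0 matching as before.
                if flag['name'] == 'log_temp_files' and str(flag['value']) == '0':
                    return True
            return False
        else:
            return None

    def _postgres_log_min_duration_statement_flags_1(self, raw_instance):
        """Return whether log_min_duration_statement is set to -1 (None if not PostgreSQL)."""
        if 'POSTGRES' in raw_instance['databaseVersion']:
            for flag in raw_instance['settings'].get('databaseFlags', []):
                # Compared textually for the same reason as log_temp_files.
                if flag['name'] == 'log_min_duration_statement' and str(flag['value']) == '-1':
                    return True
            return False
        else:
            return None

    def _sqlservers_cross_db_ownership_chaining_flag_off(self, raw_instance, flag_name: str):
        """Return whether flag_name is explicitly 'off' (None if not SQL Server).

        Despite its name, this is also used for the 'contained database
        authentication' flag.
        """
        if 'SQLSERVER' in raw_instance['databaseVersion']:
            for flag in raw_instance['settings'].get('databaseFlags', []):
                if flag['name'] == flag_name and flag['value'] == 'off':
                    return True
            return False
        else:
            return None

================================================
FILE: ScoutSuite/providers/gcp/resources/cloudsql/users.py
================================================
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade


class Users(Resources):
    """Database users of one Cloud SQL instance, keyed by user name."""

    def __init__(self, facade: GCPFacade, project_id: str, instance_name: str):
        """Remember the project and instance whose users will be fetched."""
        super().__init__(facade)
        self.project_id = project_id
        self.instance_name = instance_name

    async def fetch_all(self):
        """Fetch and store every user of the instance."""
        raw_users = await self.facade.cloudsql.get_users(self.project_id, self.instance_name)
        for raw_user in raw_users:
            user_name, user = self._parse_user(raw_user)
            self[user_name] = user

    def _parse_user(self, raw_user):
        """Return ``(user_name, user_dict)``; 'host' is None when absent."""
        user_dict = {}
        user_dict['name'] = raw_user['name']
        user_dict['host'] = raw_user.get('host')
        return user_dict['name'], user_dict

================================================
FILE: ScoutSuite/providers/gcp/resources/cloudstorage/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/gcp/resources/cloudstorage/base.py
================================================
from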
ScoutSuite.providers.gcp.resources.cloudstorage.buckets import Buckets class CloudStorage(Projects): _children = [ (Buckets, 'buckets') ] ================================================ FILE: ScoutSuite/providers/gcp/resources/cloudstorage/buckets.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.utils import get_non_provider_id from ScoutSuite.core.console import print_exception class Buckets(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_buckets = await self.facade.cloudstorage.get_buckets(self.project_id) for raw_bucket in raw_buckets: bucket_id, bucket = self._parse_bucket(raw_bucket) self[bucket_id] = bucket def _parse_bucket(self, raw_bucket): bucket_dict = {} bucket_dict['id'] = get_non_provider_id(raw_bucket.id) bucket_dict['name'] = raw_bucket.name bucket_dict['project_id'] = self.project_id bucket_dict['project_number'] = raw_bucket.project_number bucket_dict['creation_date'] = raw_bucket.time_created bucket_dict['location'] = raw_bucket.location bucket_dict['storage_class'] = raw_bucket.storage_class.lower() bucket_dict['versioning_enabled'] = raw_bucket.versioning_enabled bucket_dict['logging_enabled'] = raw_bucket.logging is not None bucket_dict['public_access_prevention'] = raw_bucket.iam_configuration.public_access_prevention iam_configuration = raw_bucket.iam_configuration.get('uniformBucketLevelAccess') or \ raw_bucket.iam_configuration.get('bucketPolicyOnly') if iam_configuration: bucket_dict['uniform_bucket_level_access'] = iam_configuration.get("enabled", False) else: bucket_dict['uniform_bucket_level_access'] = None if bucket_dict['uniform_bucket_level_access']: bucket_dict['acls'] = [] bucket_dict['default_object_acl'] = [] else: try: bucket_dict['acls'] = list(raw_bucket.acl) except 
Exception as e: print_exception(f'Failed to retrieve storage bucket ACLs: {e}') bucket_dict['acls'] = [] try: bucket_dict['default_object_acl'] = list(raw_bucket.default_object_acl) except Exception as e: print_exception(f'Failed to retrieve storage bucket object ACLs: {e}') bucket_dict['default_object_acl'] = [] bucket_dict['member_bindings'] = self._get_cloudstorage_bucket_iam_member_bindings(raw_bucket) return bucket_dict['id'], bucket_dict def _get_cloudstorage_bucket_iam_member_bindings(self, raw_bucket): bucket_iam_policy = raw_bucket.iam_policy member_bindings = {} if bucket_iam_policy: for binding in bucket_iam_policy._bindings: for member in binding['members']: if member not in member_bindings: member_bindings[member] = [binding['role']] else: member_bindings[member].append(binding['role']) return member_bindings ================================================ FILE: ScoutSuite/providers/gcp/resources/dns/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/gcp/resources/dns/base.py ================================================ from ScoutSuite.providers.gcp.resources.projects import Projects from ScoutSuite.providers.gcp.resources.dns.managed_zones import ManagedZones class DNS(Projects): _children = [ (ManagedZones, 'managed_zones') ] ================================================ FILE: ScoutSuite/providers/gcp/resources/dns/managed_zones.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class ManagedZones(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_zones = await self.facade.dns.get_zones(self.project_id) for raw_zone in raw_zones.get('managedZones', []): zone_id, zone = self._parse_zone(raw_zone) self[zone_id] = zone def _parse_zone(self, 
raw_zone): zone_dict = {} zone_dict['id'] = raw_zone['id'] zone_dict['name'] = raw_zone['name'] zone_dict['description'] = self._get_description(raw_zone) zone_dict['dns_name'] = raw_zone['dnsName'] zone_dict['name_servers'] = raw_zone.get('nameServers', None) zone_dict['visibility'] = raw_zone['visibility'] zone_dict['creation_timestamp'] = raw_zone['creationTime'] dnssec_config = raw_zone.get('dnssecConfig',None) if dnssec_config: zone_dict['dnssec_enabled'] = True if dnssec_config['state'] == 'on' else False zone_dict['dnssec_keys'] = self._get_keys(dnssec_config,zone_dict) else: zone_dict['dnssec_enabled'] = False zone_dict['dnssec_keys'] = None zone_dict['key_signing_algorithm'] = None zone_dict['zone_signing_algorithm']=None return zone_dict['id'], zone_dict def _get_description(self, raw_zone): description = raw_zone.get('description') return description if description else 'N/A' def _get_keys(self, dnssec_config,zone_dict): raw_keys = dnssec_config.get('defaultKeySpecs', None) if not raw_keys: return None key_dict = {} for raw_key in raw_keys: key_dict[raw_key['keyType']]={ 'key_type': raw_key['keyType'], 'key_algorithm': raw_key['algorithm'], 'length': raw_key['keyLength'], } if raw_key['keyType'] == 'keySigning': zone_dict['key_signing_algorithm'] = raw_key['algorithm'] elif raw_key['keyType'] == 'zoneSigning': zone_dict['zone_signing_algorithm'] = raw_key['algorithm'] return key_dict ================================================ FILE: ScoutSuite/providers/gcp/resources/functions/base.py ================================================ from ScoutSuite.providers.gcp.resources.functions.functions_v1 import FunctionsV1 from ScoutSuite.providers.gcp.resources.functions.functions_v2 import FunctionsV2 from ScoutSuite.providers.gcp.resources.projects import Projects class Functions(Projects): _children = [ (FunctionsV1, 'functions_v1'), (FunctionsV2, 'functions_v2') ] ================================================ FILE: 
ScoutSuite/providers/gcp/resources/functions/functions_v1.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.utils import get_non_provider_id from ScoutSuite.providers.gcp.resources.functions.utils import get_environment_secrets class FunctionsV1(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_functions = await self.facade.functions.get_functions_v1(self.project_id) for raw_function in raw_functions: function_id, function = self._parse_function(raw_function) self[function_id] = function def _parse_function(self, raw_function): function_dict = {} function_dict['id'] = get_non_provider_id(raw_function['name']) function_dict['name'] = raw_function['name'].split('/')[-1] function_dict['status'] = raw_function['status'] function_dict['update_time'] = raw_function['updateTime'] function_dict['version_id'] = raw_function['versionId'] function_dict['runtime'] = raw_function['runtime'] function_dict['memory'] = raw_function['availableMemoryMb'] function_dict['timeout'] = raw_function['timeout'] if raw_function.get('maxInstances', False): function_dict['max_instances'] = raw_function['maxInstances'] function_dict['docker_registry'] = raw_function['dockerRegistry'] function_dict['url'] = raw_function.get('httpsTrigger', {}).get('url') function_dict['security_level'] = 'SECURE_ALWAYS' if function_dict['url'] is None else raw_function.get('httpsTrigger', {}).get('securityLevel') function_dict['ingress_settings'] = raw_function['ingressSettings'] function_dict['bindings'] = raw_function['bindings'] function_dict['environment_variables'] = raw_function.get('environmentVariables', {}) function_dict['environment_variables_secrets'] = get_environment_secrets(function_dict['environment_variables']) function_dict['labels'] = 
raw_function['labels'] return function_dict['id'], function_dict ================================================ FILE: ScoutSuite/providers/gcp/resources/functions/functions_v2.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.utils import get_non_provider_id from ScoutSuite.providers.gcp.resources.functions.utils import get_environment_secrets class FunctionsV2(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_functions = await self.facade.functions.get_functions_v2(self.project_id) for raw_function in raw_functions: function_id, function = self._parse_function(raw_function) self[function_id] = function def _parse_function(self, raw_function): function_dict = {} function_dict['id'] = get_non_provider_id(raw_function['name']) function_dict['name'] = raw_function['name'].split('/')[-1] function_dict['status'] = raw_function['state'] function_dict['update_time'] = raw_function['updateTime'] function_dict['version_id'] = raw_function.get('serviceConfig', {}).get('revision') function_dict['runtime'] = raw_function.get('buildConfig', {}).get('runtime') function_dict['memory'] = raw_function.get('serviceConfig', {}).get('availableMemory') function_dict['timeout'] = raw_function.get('serviceConfig', {}).get('timeoutSeconds') function_dict['max_instances'] = raw_function.get('serviceConfig', {}).get('maxInstanceCount') function_dict['url'] = raw_function.get('serviceConfig', {}).get('uri') function_dict['ingress_settings'] = raw_function.get('serviceConfig', {}).get('ingressSettings') function_dict['service_account'] = raw_function.get('serviceConfig', {}).get('serviceAccountEmail') function_dict['bindings'] = raw_function['bindings'] function_dict['environment_variables'] = raw_function.get('serviceConfig', 
{}).get('environmentVariables', {}) function_dict['environment_variables_secrets'] = get_environment_secrets(function_dict['environment_variables']) function_dict['labels'] = raw_function['labels'] return function_dict['id'], function_dict ================================================ FILE: ScoutSuite/providers/gcp/resources/functions/utils.py ================================================ from ScoutSuite.providers.utils import is_secret def get_environment_secrets(environment_variables): secrets = [] for k, v in environment_variables.items(): secrets.append(is_secret(k)) secrets.append(is_secret(v)) # return None values return [secret for secret in secrets if secret] ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/base.py ================================================ from ScoutSuite.providers.gcp.resources.projects import Projects from ScoutSuite.providers.gcp.resources.gce.firewalls import Firewalls from ScoutSuite.providers.gcp.resources.gce.networks import Networks from ScoutSuite.providers.gcp.resources.gce.regions import GCERegions from ScoutSuite.providers.gcp.resources.gce.snapshots import Snapshots from ScoutSuite.providers.gcp.resources.gce.zones import GCEZones from ScoutSuite.providers.gcp.resources.gce.global_forwarding_rules import GlobalForwardingRules class ComputeEngine(Projects): _children = [ (Firewalls, 'firewalls'), (Networks, 'networks'), (GCERegions, 'regions'), (Snapshots, 'snapshots'), (GCEZones, 'zones'), (GlobalForwardingRules, "global_forwarding_rules"), ] async def fetch_all(self): await Projects.fetch_all(self) # Instances and Subnetworks are resources with 2 levels of filtering # (project and region/zone), so we need to propagate their count up. 
# Normally this would be done by setting the resource counts in the Regions # and Zones classes, but having a "resource_name_count" field in their # dictionary causes errors in the rule engine. self['instances_count'] = sum(sum( zone['instances_count'] for zone in project['zones'].values()) for project in self['projects'].values()) self['subnetworks_count'] = sum(sum( region['subnetworks_count'] for region in project['regions'].values()) for project in self['projects'].values()) del self['regions_count'] del self['zones_count'] ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/disks.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.utils import get_non_provider_id class Disks(Resources): def _parse_disk(self, raw_disk): disk_dict = {} disk_dict['id'] = get_non_provider_id(raw_disk['deviceName']) disk_dict['type'] = raw_disk.get('type') disk_dict['mode'] = raw_disk.get('mode') disk_dict['source_url'] = raw_disk.get('source') disk_dict['source_device_name'] = raw_disk.get('deviceName') disk_dict['bootable'] = raw_disk.get('boot') disk_dict['encrypted_with_csek'] = self._is_encrypted_with_csek(raw_disk) return disk_dict['id'], disk_dict def _is_encrypted_with_csek(self, raw_disk): return 'diskEncryptionKey' in raw_disk \ and 'sha256' in raw_disk.get('diskEncryptionKey') \ and raw_disk['diskEncryptionKey']['sha256'] != '' ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/firewalls.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class Firewalls(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_firewalls = await self.facade.gce.get_firewalls(self.project_id) for 
raw_firewall in raw_firewalls: firewall_id, firewall = self._parse_firewall(raw_firewall) self[firewall_id] = firewall def _parse_firewall(self, raw_firewall): firewall_dict = {} firewall_dict['id'] = raw_firewall['id'] firewall_dict['project_id'] = raw_firewall['selfLink'].split('/')[-4] firewall_dict['name'] = raw_firewall['name'] firewall_dict['description'] = self._get_description(raw_firewall) firewall_dict['creation_timestamp'] = raw_firewall['creationTimestamp'] firewall_dict['network'] = raw_firewall['network'].split('/')[-1] firewall_dict['network_url'] = raw_firewall['network'] firewall_dict['priority'] = raw_firewall['priority'] firewall_dict['source_ranges'] = raw_firewall.get('sourceRanges', []) firewall_dict['destination_ranges'] = raw_firewall.get('destinationRanges', []) firewall_dict['source_tags'] = raw_firewall.get('sourceTags', []) firewall_dict['target_tags'] = raw_firewall.get('targetTags', []) firewall_dict['direction'] = raw_firewall['direction'] firewall_dict['disabled'] = raw_firewall['disabled'] firewall_dict['logs'] = raw_firewall['logConfig'].get('enable', False) self._parse_firewall_rules(firewall_dict, raw_firewall) return firewall_dict['id'], firewall_dict def _parse_firewall_rules(self, firewall_dict, raw_firewall): for direction in ['allowed', 'denied']: direction_string = '%s_traffic' % direction firewall_dict[direction_string] = { 'tcp': [], 'udp': [] } if direction in raw_firewall: firewall_dict['action'] = direction for rule in raw_firewall[direction]: # everything if rule['IPProtocol'] == 'all': firewall_dict[direction_string]["tcp"] = ['0-65535'] firewall_dict[direction_string]["udp"] = ['0-65535'] firewall_dict[direction_string]["icmp"] = ['Portless Protocol'] # protocols that do not support ports elif rule['IPProtocol'] not in firewall_dict[direction_string]: # only including ICMP if rule['IPProtocol'] == 'icmp': firewall_dict[direction_string]["icmp"] = ['Portless Protocol'] else: pass # protocols that support ports else: 
if firewall_dict[direction_string][rule['IPProtocol']] != ['0-65535']: if 'ports' in rule: firewall_dict[direction_string][rule['IPProtocol']] += rule['ports'] else: firewall_dict[direction_string][rule['IPProtocol']] = ['0-65535'] # remove empty values firewall_dict[direction_string] = {k: v for k, v in firewall_dict[direction_string].items() if v} def _get_description(self, raw_firewall): description = raw_firewall.get('description') return description if description else 'N/A' ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/forwarding_rules.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class ForwardingRules(Resources): def __init__(self, facade: GCPFacade, project_id: str, region: str): super().__init__(facade) self.project_id = project_id self.region = region async def fetch_all(self): raw_rules = await self.facade.gce.get_forwarding_rules(self.project_id, self.region) for raw_rule in raw_rules: rule_id, rule = self._parse_forwarding_rule(raw_rule) self[rule_id] = rule def _parse_forwarding_rule(self, raw_forwarding_rule): forwarding_rule_dict = {} forwarding_rule_dict['id'] = raw_forwarding_rule.get("id") forwarding_rule_dict['name'] = raw_forwarding_rule.get("name") forwarding_rule_dict['creation_timestamp'] = raw_forwarding_rule.get("creationTimestamp") forwarding_rule_dict['description'] = raw_forwarding_rule.get("description") forwarding_rule_dict['region'] = raw_forwarding_rule.get("region") forwarding_rule_dict['ip_address'] = raw_forwarding_rule.get("IPAddress") forwarding_rule_dict['ip_protocol'] = raw_forwarding_rule.get("IPProtocol") forwarding_rule_dict['all_ports'] = raw_forwarding_rule.get("allPorts", False) forwarding_rule_dict['port_range'] = raw_forwarding_rule.get("portRange", "") forwarding_rule_dict['ports'] = raw_forwarding_rule.get("ports", []) 
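forwarding_rule_dict['target'] = raw_forwarding_rule.get("target") forwarding_rule_dict['load_balancing_scheme'] = raw_forwarding_rule.get("loadBalancingScheme") forwarding_rule_dict['network_tier'] = raw_forwarding_rule.get("networkTier") forwarding_rule_dict['subnetwork'] = raw_forwarding_rule.get("subnetwork") forwarding_rule_dict['network'] = raw_forwarding_rule.get("network") forwarding_rule_dict['backend_service'] = raw_forwarding_rule.get("backendService") forwarding_rule_dict['service_label'] = raw_forwarding_rule.get("serviceLabel") forwarding_rule_dict['service_name'] = raw_forwarding_rule.get("serviceName") forwarding_rule_dict['labels'] = raw_forwarding_rule.get("labels") forwarding_rule_dict['ip_version'] = raw_forwarding_rule.get("ipVersion") forwarding_rule_dict['allow_global_access'] = raw_forwarding_rule.get("allowGlobalAccess") return forwarding_rule_dict['id'], forwarding_rule_dict

================================================
FILE: ScoutSuite/providers/gcp/resources/gce/global_forwarding_rules.py
================================================
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade


class GlobalForwardingRules(Resources):
    """Global forwarding rules of one project, keyed by rule id."""

    def __init__(self, facade: GCPFacade, project_id: str):
        """Remember the project whose global forwarding rules will be fetched."""
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch and store every global forwarding rule of the project."""
        raw_rules = await self.facade.gce.get_global_forwarding_rules(self.project_id)
        for raw_rule in raw_rules:
            rule_id, rule = self._parse_forwarding_rule(raw_rule)
            self[rule_id] = rule

    def _parse_forwarding_rule(self, raw_global_forwarding_rule):
        """Return ``(rule_id, rule_dict)`` for one raw global forwarding rule.

        Every field is read with ``.get``, so fields missing from the raw
        rule come back as None (or the listed default) instead of raising.
        """
        global_forwarding_rule_dict = {}
        global_forwarding_rule_dict['id'] = raw_global_forwarding_rule.get("id")
        global_forwarding_rule_dict['name'] = raw_global_forwarding_rule.get("name")
        global_forwarding_rule_dict['creation_timestamp'] = raw_global_forwarding_rule.get("creationTimestamp")
        global_forwarding_rule_dict['description'] = raw_global_forwarding_rule.get("description")
        global_forwarding_rule_dict['ip_address'] = raw_global_forwarding_rule.get("IPAddress")
        global_forwarding_rule_dict['ip_protocol'] = raw_global_forwarding_rule.get("IPProtocol")
        global_forwarding_rule_dict['all_ports'] = raw_global_forwarding_rule.get("allPorts", False)
        global_forwarding_rule_dict['port_range'] = raw_global_forwarding_rule.get("portRange", "")
        global_forwarding_rule_dict['ports'] = raw_global_forwarding_rule.get("ports", [])
        global_forwarding_rule_dict['target'] = raw_global_forwarding_rule.get("target")
        global_forwarding_rule_dict['load_balancing_scheme'] = raw_global_forwarding_rule.get("loadBalancingScheme")
        # Key was misspelled "networkTie", which left network_tier always None;
        # the regional forwarding-rule parser reads "networkTier".
        global_forwarding_rule_dict['network_tier'] = raw_global_forwarding_rule.get("networkTier")
        global_forwarding_rule_dict['subnetwork'] = raw_global_forwarding_rule.get("subnetwork")
        global_forwarding_rule_dict['network'] = raw_global_forwarding_rule.get("network")
        global_forwarding_rule_dict['backend_service'] = raw_global_forwarding_rule.get("backendService")
        global_forwarding_rule_dict['service_label'] = raw_global_forwarding_rule.get("serviceLabel")
        global_forwarding_rule_dict['service_name'] = raw_global_forwarding_rule.get("serviceName")
        global_forwarding_rule_dict['labels'] = raw_global_forwarding_rule.get("labels")
        global_forwarding_rule_dict['ip_version'] = raw_global_forwarding_rule.get("ipVersion")
        global_forwarding_rule_dict['allow_global_access'] = raw_global_forwarding_rule.get("allowGlobalAccess")
        return global_forwarding_rule_dict['id'], global_forwarding_rule_dict

================================================
FILE: ScoutSuite/providers/gcp/resources/gce/instance_disks.py
================================================
from ScoutSuite.providers.gcp.resources.gce.disks import Disks


class InstanceDisks(Disks):
    def __init__(self, facade, instance):
        """Keep the raw instance so its attached disks can be parsed later."""
        super().__init__(facade)
        self.instance = instance

    def fetch_all(self): raw_disks = self.instance.get('disks', {}) for raw_disk in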
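raw_disks: disk_id, disk = self._parse_disk(raw_disk) self[disk_id] = disk # We need self.instance to get the disks, but we do # not want to have it in the generated JSON. del self.instance

================================================
FILE: ScoutSuite/providers/gcp/resources/gce/instances.py
================================================
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.gcp.resources.base import GCPCompositeResources
from ScoutSuite.providers.gcp.resources.gce.instance_disks import InstanceDisks
from ScoutSuite.providers.utils import get_non_provider_id


class Instances(GCPCompositeResources):
    """Compute Engine instances of one project and zone, with their disks."""

    _children = [
        (InstanceDisks, 'disks')
    ]

    def __init__(self, facade: GCPFacade, project_id: str, zone: str):
        """Remember the project and zone whose instances will be fetched."""
        super().__init__(facade)
        self.project_id = project_id
        self.zone = zone

    async def fetch_all(self):
        """Fetch and parse every instance in the zone, then parse its disks."""
        raw_instances = await self.facade.gce.get_instances(self.project_id, self.zone)
        for raw_instance in raw_instances:
            instance_id, instance = self._parse_instance(raw_instance)
            self[instance_id] = instance
            # InstanceDisks.fetch_all is synchronous: it only reads the raw
            # instance it was constructed with.
            self[instance_id]['disks'].fetch_all()

    def _parse_instance(self, raw_instance):
        """Return ``(instance_id, instance_dict)`` for one raw instance."""
        instance_dict = {}
        instance_dict['id'] = get_non_provider_id(raw_instance['name'])
        instance_dict['project_id'] = self.project_id
        instance_dict['name'] = raw_instance['name']
        instance_dict['description'] = self._get_description(raw_instance)
        instance_dict['creation_timestamp'] = raw_instance['creationTimestamp']
        instance_dict['zone'] = raw_instance['zone'].split('/')[-1]
        instance_dict['tags'] = raw_instance['tags']
        instance_dict['status'] = raw_instance['status']
        instance_dict['zone_url_'] = raw_instance['zone']
        instance_dict['network_interfaces'] = raw_instance['networkInterfaces']
        instance_dict['deletion_protection_enabled'] = raw_instance['deletionProtection']
        instance_dict['block_project_ssh_keys_enabled'] = self._is_block_project_ssh_keys_enabled(raw_instance)
        instance_dict['oslogin_enabled'] = self._is_oslogin_enabled(raw_instance)
        instance_dict['ip_forwarding_enabled'] = raw_instance.get("canIpForward", False)
        instance_dict['serial_port_enabled'] = self._is_serial_port_enabled(raw_instance)
        instance_dict['disks'] = InstanceDisks(self.facade, raw_instance)
        instance_dict['public_ip_addresses'] = self._public_ip_adresses(raw_instance)

        # Only the first attached service account is inspected.
        if 'serviceAccounts' in raw_instance and raw_instance.get('serviceAccounts'):
            instance_dict['service_account'] = raw_instance.get('serviceAccounts')[0].get('email')
            instance_dict['access_scopes'] = raw_instance.get('serviceAccounts')[0].get('scopes')
            instance_dict['default_service_account'] = \
                self._is_default_service_account(instance_dict['service_account'])
            instance_dict['full_access_apis'] = self._allow_full_access_to_all_cloud_api(raw_instance)
        else:
            instance_dict['service_account'] = None
            instance_dict['access_scopes'] = None
            instance_dict['default_service_account'] = False
            instance_dict['full_access_apis'] = False

        if 'shieldedInstanceConfig' in raw_instance:
            instance_dict['shielded_enable'] = self._shielded_vm_enabled(raw_instance)
        else:
            instance_dict['shielded_enable'] = False

        return instance_dict['id'], instance_dict

    def _get_description(self, raw_instance):
        """Return the instance description, or 'N/A' when missing or empty."""
        description = raw_instance.get('description')
        return description if description else 'N/A'

    @staticmethod
    def _metadata_value_is_true(value):
        """Return True when a metadata value is the string "true" in any letter case.

        The checks below previously disagreed on case ('true' for two keys,
        'TRUE' for OS Login), so a value written in the other case was
        reported as disabled.
        """
        # NOTE(review): other truthy spellings (for example '1') are still not
        # matched; confirm which values the platform accepts for these keys.
        return isinstance(value, str) and value.lower() == 'true'

    def _is_block_project_ssh_keys_enabled(self, raw_instance):
        """Return whether instance metadata sets 'block-project-ssh-keys' to true."""
        return self._metadata_value_is_true(raw_instance['metadata'].get('block-project-ssh-keys'))

    def _is_oslogin_enabled(self, raw_instance):
        """Return whether OS Login is enabled for the instance.

        The instance-level 'enable-oslogin' value wins when present; the
        project-level value is used only when the instance does not set it.
        """
        instance_logging_enabled = raw_instance['metadata'].get('enable-oslogin')
        project_logging_enabled = raw_instance['commonInstanceMetadata'].get('enable-oslogin')
        if instance_logging_enabled is None:
            return self._metadata_value_is_true(project_logging_enabled)
        return self._metadata_value_is_true(instance_logging_enabled)

    def _is_serial_port_enabled(self, raw_instance):
        """Return whether instance metadata sets 'serial-port-enable' to true."""
        return self._metadata_value_is_true(raw_instance['metadata'].get('serial-port-enable'))

    def _is_default_service_account(self, service_account: str): if '-compute@developer.gserviceaccount.com' in service_account: return True return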
False def _allow_full_access_to_all_cloud_api(self, raw_instance): if '-compute@developer.gserviceaccount.com' in raw_instance.get('serviceAccounts')[0].get('email'): for scope in raw_instance.get('serviceAccounts')[0].get('scopes'): if scope == 'https://www.googleapis.com/auth/cloud-platform': return True return False def _shielded_vm_enabled(self, raw_instance): vtpm = raw_instance['shieldedInstanceConfig'].get('enableVtpm', False) integrity_monitoring = raw_instance['shieldedInstanceConfig'].get('enableIntegrityMonitoring', False) secure_boot = raw_instance['shieldedInstanceConfig'].get('enableSecureBoot', False) return vtpm and integrity_monitoring and secure_boot def _public_ip_adresses(self, raw_instance): for network in raw_instance['networkInterfaces']: access_configs = network.get('accessConfigs', None) if access_configs: return True return False ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/networks.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class Networks(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_networks = await self.facade.gce.get_networks(self.project_id) for raw_network in raw_networks: network_id, network = self._parse_network(raw_network) self[network_id] = network def _parse_network(self, raw_network): network_dict = {} network_dict['id'] = raw_network['id'] network_dict['project_id'] = raw_network['selfLink'].split('/')[-4] network_dict['name'] = raw_network['name'] network_dict['description'] = self._get_description(raw_network) network_dict['creation_timestamp'] = raw_network['creationTimestamp'] network_dict['auto_subnet'] = raw_network.get('autoCreateSubnetworks', None) network_dict['routing_config'] = raw_network['routingConfig'] network_dict['network_url'] 
= raw_network['selfLink'] network_dict['subnetwork_urls'] = raw_network.get('subnetworks', None) # Network is legacy if there is no subnets network_dict['legacy_mode'] = True \ if (raw_network.get('subnetworks', None) is None or not raw_network.get('subnetworks', None)) and \ raw_network.get('autoCreateSubnetworks', None) is None \ else False return network_dict['id'], network_dict def _get_description(self, raw_network): description = raw_network.get('description') return description if description else 'N/A' ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/regions.py ================================================ from ScoutSuite.providers.gcp.resources.regions import Regions from ScoutSuite.providers.gcp.resources.gce.subnetworks import Subnetworks from ScoutSuite.providers.gcp.resources.gce.forwarding_rules import ForwardingRules class GCERegions(Regions): _children = [ (Subnetworks, 'subnetworks'), (ForwardingRules, "forwarding_rules"), ] ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/snapshots.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class Snapshots(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_snapshots = await self.facade.gce.get_snapshots(self.project_id) for raw_snapshot in raw_snapshots: snapshot_id, snapshot = self._parse_snapshot(raw_snapshot) self[snapshot_id] = snapshot def _parse_snapshot(self, raw_snapshot): snapshot_dict = {} snapshot_dict['id'] = raw_snapshot['id'] snapshot_dict['name'] = raw_snapshot['name'] snapshot_dict['description'] = self._get_description(raw_snapshot) snapshot_dict['creation_timestamp'] = raw_snapshot['creationTimestamp'] snapshot_dict['status'] = raw_snapshot['status'] 
snapshot_dict['source_disk_id'] = raw_snapshot['sourceDiskId'] snapshot_dict['source_disk_url'] = raw_snapshot['sourceDisk'] return snapshot_dict['id'], snapshot_dict def _get_description(self, raw_snapshot): description = raw_snapshot.get('description') return description if description else 'N/A' ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/subnetworks.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class Subnetworks(Resources): def __init__(self, facade: GCPFacade, project_id: str, region: str): super().__init__(facade) self.project_id = project_id self.region = region async def fetch_all(self): raw_subnetworks = await self.facade.gce.get_subnetworks(self.project_id, self.region) for raw_subnetwork in raw_subnetworks: subnetwork_id, subnetwork = self._parse_subnetwork(raw_subnetwork) self[subnetwork_id] = subnetwork def _parse_subnetwork(self, raw_subnetwork): subnetwork_dict = {} subnetwork_dict['id'] = raw_subnetwork['id'] subnetwork_dict['project_id'] = raw_subnetwork['selfLink'].split('/')[-5] subnetwork_dict['region'] = raw_subnetwork['region'].split('/')[-1] subnetwork_dict['name'] = "{}-{}".format(raw_subnetwork['name'], subnetwork_dict['region']) subnetwork_dict['gateway_address'] = raw_subnetwork['gatewayAddress'] subnetwork_dict['ip_range'] = raw_subnetwork['ipCidrRange'] subnetwork_dict['creation_timestamp'] = raw_subnetwork['creationTimestamp'] subnetwork_dict['private_ip_google_access'] = raw_subnetwork['privateIpGoogleAccess'] subnetwork_dict['subnetwork_url'] = raw_subnetwork['selfLink'] subnetwork_dict['network_url'] = raw_subnetwork['network'] if 'logConfig' in raw_subnetwork: subnetwork_dict['flowlogs_enabled'] = raw_subnetwork['logConfig']['enable'] else: # Set as UNKNOWN for now. 
For instance, some projects' # default networks with flow logs enabled do not have a logConfig # stanza in JSON output. subnetwork_dict['flowlogs_enabled'] = "UNKNOWN" return subnetwork_dict['id'], subnetwork_dict ================================================ FILE: ScoutSuite/providers/gcp/resources/gce/zones.py ================================================ from ScoutSuite.providers.gcp.resources.gce.instances import Instances from ScoutSuite.providers.gcp.resources.zones import Zones class GCEZones(Zones): _children = [ (Instances, 'instances'), ] ================================================ FILE: ScoutSuite/providers/gcp/resources/gke/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/gcp/resources/gke/base.py ================================================ from ScoutSuite.providers.gcp.resources.projects import Projects from ScoutSuite.providers.gcp.resources.gke.clusters import Clusters class KubernetesEngine(Projects): _children = [ (Clusters, 'clusters') ] async def fetch_all(self): await Projects.fetch_all(self) ================================================ FILE: ScoutSuite/providers/gcp/resources/gke/clusters.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.gcp.resources.gke.node_pools import NodePools from ScoutSuite.providers.utils import get_non_provider_id class Clusters(Resources): def __init__(self, facade: GCPFacade, project_id): super(Clusters, self).__init__(facade) self.project_id = project_id async def fetch_all(self): raw_clusters = await self.facade.gke.get_clusters(self.project_id) for raw_cluster in raw_clusters: cluster_id, cluster = await self._parse_cluster(raw_cluster) self[cluster_id] = cluster self[cluster_id]['node_pools'].fetch_all() async def _parse_cluster(self, raw_cluster): 
cluster_dict = {} cluster_dict['id'] = get_non_provider_id(raw_cluster['name']) cluster_dict['name'] = raw_cluster['name'] cluster_dict['location'] = raw_cluster['location'] cluster_dict['status'] = raw_cluster['status'] cluster_dict['type'] = "Zonal" if raw_cluster['location'].count("-") > 1 else "Regional" cluster_dict['alias_ip_enabled'] = raw_cluster.get('ipAllocationPolicy', {}).get('useIpAliases', False) cluster_dict['basic_authentication_enabled'] = self._is_basic_authentication_enabled(raw_cluster) cluster_dict['client_certificate_enabled'] = self._is_client_certificate_enabled(raw_cluster) cluster_dict['pod_security_policy_enabled'] = self._is_pod_security_policy_enabled(raw_cluster) cluster_dict['dashboard_status'] = self._get_dashboard_status(raw_cluster) cluster_dict['has_limited_scopes'] = self._has_limited_scopes(raw_cluster) cluster_dict['image_type'] = raw_cluster.get('nodeConfig', {}).get('imageType', None) cluster_dict['labels'] = raw_cluster.get('resourceLabels', []) cluster_dict['has_labels'] = len(cluster_dict['labels']) > 0 cluster_dict['endpoint'] = raw_cluster.get('endpoint') cluster_dict['legacy_abac_enabled'] = raw_cluster.get('legacyAbac', {}).get('enabled', False) cluster_dict['logging_enabled'] = self._is_logging_enabled(raw_cluster) cluster_dict['master_authorized_networks_enabled'] = raw_cluster.get('masterAuthorizedNetworksConfig', {}).get('enabled', False) cluster_dict['monitoring_enabled'] = self._is_monitoring_enabled(raw_cluster) cluster_dict['network_policy_enabled'] = raw_cluster.get('networkPolicy', {}).get('enabled', False) cluster_dict['node_pools'] = NodePools(raw_cluster) cluster_dict['scopes'] = self._get_scopes(raw_cluster) cluster_dict['service_account'] = raw_cluster.get('nodeConfig', {}).get('serviceAccount', None) cluster_dict['master_authorized_networks_config'] = self._get_master_authorized_networks_config(raw_cluster) cluster_dict['application_layer_encryption_enabled'] = raw_cluster.get('databaseEncryption', 
{}).get('state', None) == 'ENCRYPTED' cluster_dict['workload_identity_enabled'] = raw_cluster.get('workloadIdentityConfig', {}).get('workloadPool', '').endswith('.svc.id.goog') cluster_dict['metadata_server_enabled'] = self._metadata_server_enabled(raw_cluster.get('nodePools', [])) cluster_dict['release_channel'] = raw_cluster.get('releaseChannel', {}).get('channel', None) cluster_dict['shielded_nodes_enabled'] = raw_cluster.get('shieldedNodes', {}).get('enabled', False) cluster_dict['binary_authorization_enabled'] = raw_cluster.get('binaryAuthorization', {}).get('enabled', False) cluster_dict['private_ip_google_access_enabled'] = raw_cluster.get('privateIpGoogleAccess', False) cluster_dict['private_nodes_enabled'] = raw_cluster.get('privateClusterConfig', {}).get('enablePrivateNodes', False) cluster_dict['private_endpoint_enabled'] = raw_cluster.get('privateClusterConfig', {}).get('enablePrivateEndpoint', False) cluster_dict['public_endpoint'] = raw_cluster.get('privateClusterConfig', {}).get('publicEndpoint', None) cluster_dict['private_endpoint'] = raw_cluster.get('privateClusterConfig', {}).get('privateEndpoint', None) return cluster_dict['id'], cluster_dict def _metadata_server_enabled(self, node_pools): for pool in node_pools: if pool.get('config', {}).get('workloadMetadataConfig', {}) == {}: return False return True def _get_master_authorized_networks_config(self, raw_cluster): if raw_cluster.get('masterAuthorizedNetworksConfig'): config = raw_cluster.get('masterAuthorizedNetworksConfig') config['includes_public_cidr'] = False for block in config.get('cidrBlocks', []): if block.get('cidrBlock') == '0.0.0.0/0': config['includes_public_cidr'] = True return config else: return { 'enabled': False, 'cidrBlocks': [], 'includes_public_cidr': False } def _is_pod_security_policy_enabled(self, raw_cluster): if 'podSecurityPolicyConfig' in raw_cluster: return raw_cluster['podSecurityPolicyConfig'].get('enabled', False) return False return 
raw_cluster['masterAuth'].get('username', '') != '' def _is_basic_authentication_enabled(self, raw_cluster): return raw_cluster['masterAuth'].get('username', '') != '' def _is_client_certificate_enabled(self, raw_cluster): return raw_cluster['masterAuth'].get('clientCertificate', '') != '' def _is_logging_enabled(self, raw_cluster): return raw_cluster['loggingService'] != 'none' def _is_monitoring_enabled(self, raw_cluster): return raw_cluster['monitoringService'] != 'none' def _parse_scope(self, scope_url): return scope_url.split('/')[-1] def _get_scopes(self, raw_cluster): return [self._parse_scope(scope_url) for scope_url in raw_cluster['nodeConfig'].get('oauthScopes', [])] def _has_limited_scopes(self, raw_cluster): minimum_scopes = {'devstorage.read_only', 'logging.write', 'monitoring'} cluster_scopes = self._get_scopes(raw_cluster) return all(scope in minimum_scopes for scope in cluster_scopes) def _get_dashboard_status(self, raw_cluster): is_disabled = 'kubernetesDashboard' not in raw_cluster['addonsConfig'] or \ raw_cluster['addonsConfig']['kubernetesDashboard'].get('disabled') return 'Disabled' if is_disabled else 'Enabled' ================================================ FILE: ScoutSuite/providers/gcp/resources/gke/node_pools.py ================================================ from ScoutSuite.providers.base.resources.base import Resources class NodePools(Resources): def __init__(self, cluster): super(NodePools, self).__init__(service_facade=None) self.cluster = cluster def fetch_all(self): raw_node_pools = self.cluster['nodePools'] for raw_node_pool in raw_node_pools: node_pool_id, node_pool = self._parse_node_pool(raw_node_pool) self[node_pool_id] = node_pool # We need self.cluster to get the node pools, but we do # not want to have it in the generated JSON. 
del self.cluster def _parse_node_pool(self, raw_node_pool): node_pool_dict = {} node_pool_dict['id'] = raw_node_pool['name'] node_pool_dict['status'] = raw_node_pool['status'] node_pool_dict['auto_repair_enabled'] = \ raw_node_pool.get('management', {}).get('autoRepair', False) node_pool_dict['auto_upgrade_enabled'] = \ raw_node_pool.get('management', {}).get('autoUpgrade', False) node_pool_dict['secure_boot_enabled'] = \ raw_node_pool.get('config', {}).get('shieldedInstanceConfig', {}).get('enableSecureBoot', False) node_pool_dict['integrity_monitoring_enabled'] = \ raw_node_pool.get('config', {}).get('shieldedInstanceConfig', {}).get('enableIntegrityMonitoring', False) node_pool_dict['legacy_metadata_endpoints_enabled'] = \ raw_node_pool['config'].get('metadata', {}).get('disable-legacy-endpoints') == 'false' return node_pool_dict['id'], node_pool_dict ================================================ FILE: ScoutSuite/providers/gcp/resources/iam/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/gcp/resources/iam/base.py ================================================ from ScoutSuite.providers.gcp.resources.projects import Projects from ScoutSuite.providers.gcp.resources.iam.member_bindings import Bindings from ScoutSuite.providers.gcp.resources.iam.users import Users from ScoutSuite.providers.gcp.resources.iam.groups import Groups from ScoutSuite.providers.gcp.resources.iam.domains import Domains from ScoutSuite.providers.gcp.resources.iam.service_accounts import ServiceAccounts from ScoutSuite.providers.gcp.resources.iam.bindings_separation_duties import BindingsSeparationDuties class IAM(Projects): _children = [ (Bindings, 'bindings'), (Users, 'users'), (Groups, 'groups'), (ServiceAccounts, 'service_accounts'), (Domains, "domains"), (BindingsSeparationDuties, 'bindings_separation_duties') ] ================================================ FILE: 
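ScoutSuite/providers/gcp/resources/iam/bindings_separation_duties.py
================================================
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade


class BindingsSeparationDuties(Resources):
    """Per-project summary of the two separation-of-duties checks on IAM bindings."""

    def __init__(self, facade: GCPFacade, project_id: str):
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch the project's member bindings and store one summary entry keyed by project id."""
        raw_bindings = await self.facade.cloudresourcemanager.get_member_bindings(self.project_id)
        binding_id, binding = await self._parse_binding_separation(raw_bindings)
        self[binding_id] = binding

    async def _parse_binding_separation(self, raw_bindings):
        """Return ``(project_id, summary)`` holding the result of both checks."""
        binding_dict = {}
        binding_dict['id'] = self.project_id
        binding_dict['name'] = self.project_id
        binding_dict["account_separation_duties"] = self.ensure_seperation_duties(raw_bindings)
        binding_dict["kms_separation_duties"] = self.ensure_KMS_seperation_duties(raw_bindings)
        return binding_dict['id'], binding_dict

    @staticmethod
    def _members_for_role(raw_bindings, role_name):
        """Collect every member bound to ``role_name`` across all bindings.

        Members are accumulated rather than overwritten: when a policy holds more
        than one binding for the same role (for example bindings that differ only
        in their condition), keeping just the last one would hide an overlap and
        make the check report that duties are separated when they are not.
        A binding without a 'members' key contributes nothing.
        """
        members = set()
        for binding in raw_bindings:
            if binding['role'].split('/')[-1] == role_name:
                members.update(binding.get('members', []))
        return members

    def ensure_seperation_duties(self, raw_bindings):
        """Return False when a member holds both iam.serviceAccountAdmin and
        iam.serviceAccountUser, True otherwise."""
        admins = self._members_for_role(raw_bindings, 'iam.serviceAccountAdmin')
        users = self._members_for_role(raw_bindings, 'iam.serviceAccountUser')
        return not (admins & users)

    def ensure_KMS_seperation_duties(self, raw_bindings):
        """Return False when a member holds cloudkms.admin together with any of
        cloudkms.cryptoKeyEncrypterDecrypter, cloudkms.cryptoKeyEncrypter or
        cloudkms.cryptoKeyDecrypter, True otherwise."""
        admins = self._members_for_role(raw_bindings, 'cloudkms.admin')
        crypto_roles = ('cloudkms.cryptoKeyEncrypterDecrypter',
                        'cloudkms.cryptoKeyEncrypter',
                        'cloudkms.cryptoKeyDecrypter')
        return not any(admins & self._members_for_role(raw_bindings, role) for role in crypto_roles)


================================================
FILE: ScoutSuite/providers/gcp/resources/iam/domains.py
================================================
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.utils import get_non_provider_id


class Domains(Resources):
    """Domains that appear as members of the project's IAM bindings, with their roles."""

    def __init__(self, facade: GCPFacade, project_id: str):
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch the project's member bindings and store one entry per domain."""
        raw_bindings = await self.facade.cloudresourcemanager.get_member_bindings(self.project_id)
        for domain in self._parse_binding(raw_bindings).values():
            self[domain['id']] = domain

    def _parse_binding(self, raw_bindings):
        """Return ``{domain: {'id', 'name', 'roles'}}`` for every ``domain:`` member."""
        parsed_domains = {}
        for binding in raw_bindings:
            role = binding['role'].split('/')[-1]
            for member in binding.get('members', []):
                # Members without a ':' (allUsers, allAuthenticatedUsers) must not
                # abort the parse, so the string is partitioned instead of unpacked.
                member_type, _, remainder = member.partition(':')
                if member_type != 'domain':
                    continue
                entity = remainder.split(':')[0]
                if entity in parsed_domains:
                    parsed_domains[entity]['roles'].append(role)
                else:
                    parsed_domains[entity] = {'id': get_non_provider_id(entity),
                                              'name': entity,
                                              'roles': [role]}
        return parsed_domains


================================================
FILE: ScoutSuite/providers/gcp/resources/iam/groups.py
================================================
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.utils import get_non_provider_id


class Groups(Resources):
    """Groups that appear as members of the project's IAM bindings, with their roles."""

    def __init__(self, facade: GCPFacade, project_id: str):
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch the project's member bindings and store one entry per group."""
        raw_bindings = await self.facade.cloudresourcemanager.get_member_bindings(self.project_id)
        for group in self._parse_binding(raw_bindings).values():
            self[group['id']] = group

    def _parse_binding(self, raw_bindings):
        """Return ``{group: {'id', 'name', 'roles'}}`` for every ``group:`` member."""
        parsed_groups = {}
        for binding in raw_bindings:
            role = binding['role'].split('/')[-1]
            for member in binding.get('members', []):
                # Members without a ':' (allUsers, allAuthenticatedUsers) must not
                # abort the parse, so the string is partitioned instead of unpacked.
                member_type, _, remainder = member.partition(':')
                if member_type != 'group':
                    continue
                entity = remainder.split(':')[0]
                if entity in parsed_groups:
                    parsed_groups[entity]['roles'].append(role)
                else:
                    parsed_groups[entity] = {'id': get_non_provider_id(entity),
                                             'name': entity,
                                             'roles': [role]}
        return parsed_groups


================================================
FILE: ScoutSuite/providers/gcp/resources/iam/keys.py
================================================
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.base.resources.base import Resources


class Keys(Resources):
    """Keys of one service account, both system managed and user managed."""

    def __init__(self, facade: GCPFacade, project_id: str, service_account_email: str):
        super().__init__(facade)
        self.project_id = project_id
        self.service_account_email = service_account_email

    async def fetch_all(self):
        """Fetch the system managed keys, then the user managed keys, tagging each with its type."""
        for key_type in ('SYSTEM_MANAGED', 'USER_MANAGED'):
            raw_keys = await self.facade.iam.get_service_account_keys(self.project_id,
                                                                      self.service_account_email,
                                                                      [key_type])
            for raw_key in raw_keys:
                key_id, key = await self._parse_key(raw_key, key_type)
                self[key_id] = key

    async def _parse_key(self, raw_key, key_type):
        """Return ``(key_id, key_dict)`` for one raw key of the given ``key_type``."""
        key_dict = {}
        # The name of the key has the following format:
        # projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}
        # https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys
        key_dict['id'] = raw_key['name'].split('/')[-1]
        key_dict['valid_after'] = raw_key['validAfterTime']
        key_dict['valid_before'] = raw_key['validBeforeTime']
        key_dict['key_algorithm'] = raw_key['keyAlgorithm']
        key_dict['key_type'] = key_type
        return key_dict['id'], key_dict


================================================
FILE: ScoutSuite/providers/gcp/resources/iam/member_bindings.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.utils import get_non_provider_id


class Bindings(Resources):
    """Project IAM bindings, one entry per role, with members grouped by type."""

    def __init__(self, facade: GCPFacade, project_id: str):
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch the project's member bindings and store one parsed entry per binding."""
        raw_bindings = await self.facade.cloudresourcemanager.get_member_bindings(self.project_id)
        for raw_binding in raw_bindings:
            binding_id, binding = await self._parse_binding(raw_binding)
            self[binding_id] = binding

    async def _parse_binding(self, raw_binding):
        """Return ``(binding_id, binding_dict)``, enriched with the role definition."""
        binding_dict = {}
        binding_dict['id'] = get_non_provider_id(raw_binding['role'])
        binding_dict['name'] = raw_binding['role'].split('/')[-1]
        binding_dict['members'] = self._parse_members(raw_binding)
        # Role names containing 'projects/' are treated as custom roles.
        binding_dict['custom_role'] = 'projects/' in raw_binding['role']

        role_definition = await self.facade.iam.get_role_definition(raw_binding['role'])
        binding_dict['title'] = role_definition.get('title')
        binding_dict['description'] = role_definition.get('description')
        binding_dict['permissions'] = role_definition.get('includedPermissions')

        return binding_dict['id'], binding_dict

    def _parse_members(self, raw_binding):
        """Group the binding's members into users, groups, service accounts and domains."""
        members_dict = {'users': [], 'groups': [], 'service_accounts': [], 'domains': []}

        if 'members' not in raw_binding:
            return members_dict

        type_map = {
            'user': 'users',
            'group': 'groups',
            'serviceAccount': 'service_accounts',
            'domain': 'domains'
        }

        # We want to group the members by type, so we need to parse their type and entity.
        # The members are given as strings with the format type:entity
        # See the GCP Resource Manager API reference for more info:
        # https://cloud.google.com/resource-manager/reference/rest/Shared.Types/Binding
        for member in raw_binding['members']:
            # partition() instead of unpacking split(':'): a member without a ':'
            # (allUsers, allAuthenticatedUsers) would otherwise raise ValueError
            # and abort the whole binding.
            member_type, _, remainder = member.partition(':')
            entity = remainder.split(':')[0]
            if member_type in type_map:
                members_dict[type_map[member_type]].append(entity)
            elif member_type == 'deleted':
                pass
            else:
                # NOTE(review): public principals (allUsers, allAuthenticatedUsers)
                # land here and are only reported through print_exception; they are
                # not recorded in members_dict. Confirm whether the report should
                # surface them.
                print_exception(f'Type {member_type} not handled')

        return members_dict


================================================
FILE: ScoutSuite/providers/gcp/resources/iam/service_account_bindings.py
================================================
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.base.resources.base import Resources


class ServiceAccountBindings(Resources):
    """Raw IAM bindings set on one service account, keyed by insertion index."""

    def __init__(self, facade: GCPFacade, project_id: str, service_account_email: str):
        super().__init__(facade)
        self.project_id = project_id
        self.service_account_email = service_account_email

    async def fetch_all(self):
        """Fetch the service account's bindings and store them unmodified."""
        raw_bindings = await self.facade.iam.get_service_account_bindings(self.project_id,
                                                                          self.service_account_email)
        for raw_binding in raw_bindings:
            binding_id, binding = self._parse_binding(raw_binding)
            self[binding_id] = binding

    def _parse_binding(self, raw_binding):
        """Return ``(index, raw_binding)``; the index is the number of entries stored so far."""
        return len(self), raw_binding


================================================
FILE: ScoutSuite/providers/gcp/resources/iam/service_accounts.py
================================================
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.gcp.resources.base import GCPCompositeResources
from ScoutSuite.providers.gcp.resources.iam.service_account_bindings import ServiceAccountBindings
from ScoutSuite.providers.gcp.resources.iam.keys import Keys

import re


class ServiceAccounts(GCPCompositeResources):
    """Service accounts of a project, each with its bindings and keys as children."""

    _children = [
        (ServiceAccountBindings, 'bindings'),
        (Keys, 'keys')
    ]

    def __init__(self, facade: GCPFacade, project_id: str):
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch the project's service accounts, then the children of each one."""
        raw_service_accounts = await self.facade.iam.get_service_accounts(self.project_id)
        for raw_service_account in raw_service_accounts:
            service_account_id, service_account = self._parse_service_account(
                raw_service_account)
            self[service_account_id] = service_account
            await self._fetch_children(
                self[service_account_id],
                scope={'project_id': self.project_id, 'service_account_email': service_account['email']})

    def _parse_service_account(self, raw_service_account):
        """Return ``(unique_id, service_account_dict)`` for one raw service account.

        'default_service_account' is True when the e-mail does not have the form
        NAME@PROJECT_ID.iam.gserviceaccount.com.
        """
        service_account_dict = {}
        service_account_dict['id'] = raw_service_account['uniqueId']
        service_account_dict['display_name'] = raw_service_account.get(
            'displayName', 'N/A')
        service_account_dict['name'] = raw_service_account['email']
        service_account_dict['email'] = raw_service_account['email']
        service_account_dict['project_id'] = raw_service_account['projectId']

        # The project id is escaped so it is matched literally, and the whole
        # address must match so a longer string that merely starts with the
        # expected form is not classified as a user-created account.
        pattern = re.compile(
            r'.+@{}\.iam\.gserviceaccount\.com'.format(re.escape(service_account_dict['project_id'])))
        service_account_dict['default_service_account'] = \
            pattern.fullmatch(service_account_dict['email']) is None

        return service_account_dict['id'], service_account_dict


================================================
FILE: ScoutSuite/providers/gcp/resources/iam/users.py
================================================
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.utils import get_non_provider_id


class Users(Resources):
    """Users that appear as members of the project's IAM bindings, with their roles."""

    def __init__(self, facade: GCPFacade, project_id: str):
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch the project's member bindings and store one entry per user."""
        raw_bindings = await self.facade.cloudresourcemanager.get_member_bindings(self.project_id)
        for user in self._parse_binding(raw_bindings).values():
            self[user['id']] = user

    def _parse_binding(self, raw_bindings):
        """Return ``{user: {'id', 'name', 'roles'}}`` for every ``user:`` member."""
        parsed_users = {}
        for binding in raw_bindings:
            role = binding['role'].split('/')[-1]
            for member in binding.get('members', []):
                # Members without a ':' (allUsers, allAuthenticatedUsers) must not
                # abort the parse, so the string is partitioned instead of unpacked.
                member_type, _, remainder = member.partition(':')
                if member_type != 'user':
                    continue
                entity = remainder.split(':')[0]
                if entity in parsed_users:
                    parsed_users[entity]['roles'].append(role)
                else:
                    parsed_users[entity] = {'id': get_non_provider_id(entity),
                                            'name': entity,
                                            'roles': [role]}
        return parsed_users


================================================
FILE: ScoutSuite/providers/gcp/resources/kms/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/gcp/resources/kms/base.py
================================================
from ScoutSuite.providers.gcp.resources.kms.keyrings import KeyRings
from ScoutSuite.providers.gcp.resources.projects import Projects


class KMS(Projects):
    """Cloud KMS service root; key rings are fetched as children."""

    _children = [
        (KeyRings, 'keyrings')
    ]


================================================
FILE: ScoutSuite/providers/gcp/resources/kms/keyrings.py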
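================================================
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.gcp.resources.base import GCPCompositeResources
from ScoutSuite.providers.gcp.resources.kms.keys import Keys


class KeyRings(GCPCompositeResources):
    """KMS key rings of a project across locations, each with its keys as children."""

    _children = [
        (Keys, 'keys')
    ]

    def __init__(self, facade: GCPFacade, project_id: str):
        super().__init__(facade)
        self.project_id = project_id

    async def fetch_all(self):
        """Fetch the key rings of every location, then the keys of all key rings."""
        raw_keyrings = await self.facade.kms.list_key_rings(self.project_id)
        # list_key_rings() is consumed as a mapping of location to raw key rings.
        for location in raw_keyrings.keys():
            for raw_keyring in raw_keyrings.get(location, []):
                keyring_id, keyring = self._parse_keyring(raw_keyring, location)
                self[keyring_id] = keyring

        await self._fetch_children_of_all_resources(
            resources=self,
            scopes={keyring_id: {'project_id': self.project_id,
                                 'keyring_name': keyring['name'],
                                 'location': keyring['location']}
                    for keyring_id, keyring in self.items()})

    def _parse_keyring(self, raw_keyring, location):
        """Return ``(full_name, keyring_dict)``; 'name' is the last path segment of the full name."""
        keyring_dict = {}
        keyring_dict['id'] = raw_keyring.name
        keyring_dict['name'] = raw_keyring.name.split('/')[-1]
        keyring_dict['location'] = location
        return keyring_dict['id'], keyring_dict


================================================
FILE: ScoutSuite/providers/gcp/resources/kms/keys.py
================================================
from datetime import datetime, timezone

import dateutil
# _parse_key() calls dateutil.parser.parse(); `import dateutil` alone does not
# guarantee that the parser submodule is loaded, so it is imported explicitly.
import dateutil.parser

from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.gcp.resources.base import GCPCompositeResources
from ScoutSuite.providers.gcp.resources.kms.kms_policy import KMSPolicy


class Keys(GCPCompositeResources):
    """KMS keys of one key ring, each with its IAM policy as a child."""

    _children = [
        (KMSPolicy, 'kms_iam_policy')
    ]

    def __init__(self, facade: GCPFacade, project_id: str, keyring_name: str, location: str):
        super().__init__(facade)
        self.project_id = project_id
        self.keyring_name = keyring_name
        self.location = location

    async def fetch_all(self):
        """Fetch the keys of the key ring, then the IAM policy of every key."""
        raw_keys = await self.facade.kms.list_keys(self.project_id, self.location, self.keyring_name)
        for raw_key in raw_keys:
            key_id, key = self._parse_key(raw_key)
            self[key_id] = key

        await self._fetch_children_of_all_resources(
            resources=self,
            scopes={key_id: {'project_id': self.project_id,
                             'keyring_name': self.keyring_name,
                             'location': self.location,
                             'key_name': key['id']}
                    for key_id, key in self.items()})

    def _parse_key(self, raw_key):
        """Return ``(key_id, key_dict)`` for one raw key.

        'rotation_period' is converted to whole days; 'next_rotation_time_days'
        is the number of days from now (UTC) until the next rotation, or None
        when the key has no next rotation time.
        """
        key_dict = {}
        key_dict['id'] = raw_key['name'].split('/')[-1]
        primary = raw_key.get('primary', {})
        key_dict['state'] = primary.get('state', None)
        key_dict['creation_datetime'] = primary.get('createTime', None)
        key_dict['protection_level'] = primary.get('protectionLevel', None)
        key_dict['algorithm'] = primary.get('algorithm', None)
        key_dict['next_rotation_datetime'] = raw_key.get('nextRotationTime', None)
        key_dict['purpose'] = raw_key['purpose']

        key_dict['rotation_period'] = raw_key.get('rotationPeriod', None)
        if key_dict['rotation_period']:
            # Only the digits of the value are kept.
            # NOTE(review): this assumes a whole number of seconds; confirm against the API.
            rotation_period = int("".join(filter(str.isdigit, key_dict['rotation_period'])))
            # get values in days instead of seconds
            key_dict['rotation_period'] = rotation_period // (24 * 3600)

        key_dict['next_rotation_time_days'] = None
        if key_dict['next_rotation_datetime']:
            next_rotation_time = \
                dateutil.parser.parse(key_dict['next_rotation_datetime']) - datetime.now(timezone.utc)
            key_dict['next_rotation_time_days'] = next_rotation_time.days

        return key_dict['id'], key_dict


================================================
FILE: ScoutSuite/providers/gcp/resources/kms/kms_policy.py
================================================
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.base.resources.base import Resources
from ScoutSuite.providers.gcp.facade.base import GCPFacade
from ScoutSuite.providers.utils import get_non_provider_id


class KMSPolicy(Resources):
    """IAM bindings set on one KMS key, one entry per role."""

    def __init__(self, facade: GCPFacade, project_id: str, keyring_name: str, location: str, key_name: str):
        super().__init__(facade)
        self.project_id = project_id
        self.keyring_name = keyring_name
        self.location = location
        self.key_name = key_name

    async def fetch_all(self):
        """Fetch the key's IAM bindings and store one parsed entry per binding."""
        raw_kms_bindings = await self.facade.kms.keys_iam_policy(self.project_id, self.location,
                                                                 self.keyring_name, self.key_name)
        for raw_kms_binding in raw_kms_bindings:
            kms_binding_id, kms_bindings = await self._parse_binding(raw_kms_binding)
            self[kms_binding_id] = kms_bindings

    async def _parse_binding(self, kms_raw_binding):
        """Return ``(binding_id, binding_dict)``, enriched with the role definition."""
        kms_binding_dict = {}
        kms_binding_dict['id'] = get_non_provider_id(kms_raw_binding['role'])
        kms_binding_dict['name'] = kms_raw_binding['role'].split('/')[-1]
        # A binding without a 'members' key is recorded with an empty member list
        # instead of aborting the fetch with a KeyError.
        kms_binding_dict['members'] = kms_raw_binding.get('members', [])
        kms_binding_dict['custom_role'] = 'projects/' in kms_raw_binding['role']
        # The key name reads inverted: 'anonymous_public_accessible' is True when
        # the binding is NOT granted to allUsers / allAuthenticatedUsers. The value
        # is left as is because consumers outside this file may rely on it.
        kms_binding_dict['anonymous_public_accessible'] = \
            self.keys_not_anonymous_public_accessible(kms_raw_binding)

        role_definition = await self.facade.iam.get_role_definition(kms_raw_binding['role'])
        kms_binding_dict['title'] = role_definition.get('title')
        kms_binding_dict['description'] = role_definition.get('description')
        kms_binding_dict['permissions'] = role_definition.get('includedPermissions')

        return kms_binding_dict['id'], kms_binding_dict

    def keys_not_anonymous_public_accessible(self, kms_raw_binding):
        """Return False when the binding includes allUsers or allAuthenticatedUsers, True otherwise."""
        members = kms_raw_binding.get('members', [])
        return 'allUsers' not in members and 'allAuthenticatedUsers' not in members


================================================
FILE: ScoutSuite/providers/gcp/resources/memorystore/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/gcp/resources/memorystore/base.py
================================================
from ScoutSuite.providers.gcp.resources.projects import Projects
from ScoutSuite.providers.gcp.resources.memorystore.redis_instances import RedisInstances


class MemoryStore(Projects):
    """Memorystore service root; Redis instances are fetched as children."""

    _children = [
        (RedisInstances, 'redis_instances')
    ]


================================================
FILE: ScoutSuite/providers/gcp/resources/memorystore/redis_instances.py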
================================================ from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.gcp.resources.base import GCPCompositeResources from ScoutSuite.providers.utils import get_non_provider_id class RedisInstances(GCPCompositeResources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_instances = await self.facade.memorystoreredis.get_redis_instances(self.project_id) for raw_instance in raw_instances: instance_id, instance = self._parse_instance(raw_instance) self[instance_id] = instance def _parse_instance(self, raw_instance): instance_dict = {} instance_dict['id'] = get_non_provider_id(raw_instance['name']) instance_dict['name'] = raw_instance.get('displayName') instance_dict['project_id'] = self.project_id instance_dict['location'] = raw_instance['locationId'] instance_dict['redis_version'] = raw_instance['redisVersion'] instance_dict['port'] = raw_instance['port'] instance_dict['tier'] = raw_instance['tier'] instance_dict['memory_size_gb'] = raw_instance['memorySizeGb'] instance_dict['authorized_network'] = raw_instance['authorizedNetwork'] instance_dict['connect_mode'] = raw_instance['connectMode'] instance_dict['transit_encryption_mode'] = raw_instance['transitEncryptionMode'] instance_dict['ssl_required'] = self._is_ssl_required(raw_instance) instance_dict['auth_enabled'] = self._is_auth_required(raw_instance) return instance_dict['id'], instance_dict def _is_ssl_required(self, raw_instance): # Checks if transit encryption mode is SERVER_AUTHENTICATION. Otherwise, SSL # is not enabled. 
is_ssl_required = raw_instance.get('transitEncryptionMode', False) if is_ssl_required == 'SERVER_AUTHENTICATION': return True return False def _is_auth_required(self, raw_instance): is_auth_enabled = raw_instance.get('authEnabled', False) return is_auth_enabled ================================================ FILE: ScoutSuite/providers/gcp/resources/projects.py ================================================ from ScoutSuite.providers.gcp.resources.base import GCPCompositeResources class Projects(GCPCompositeResources): """This class represents a collection of GCP Resources that are grouped by project. Classes extending Projects should implement the method _fetch_children() with a project ID as paramater. The children resources will be stored with the following structure {: {: {: {: }}}}. """ async def fetch_all(self): """This method fetches all the GCP projects that can be accessed with the given run configuration. It then fetches all the children defined in _children and groups them by project. """ raw_projects = await self.facade.get_projects() self['projects'] = {} # For each project, validate that the corresponding service API is enabled before including it in the execution. 
for p in raw_projects: enabled = await self.facade.is_api_enabled(p['projectId'], self.__class__.__name__) if enabled: self['projects'][p['projectId']] = {} await self._fetch_children_of_all_resources( resources=self['projects'], scopes={project_id: {'project_id': project_id} for project_id in self['projects']}) self._set_counts() def _set_counts(self): for _, child_name in self._children: self[child_name + '_count'] = sum([project[child_name + '_count'] for project in self['projects'].values()]) ================================================ FILE: ScoutSuite/providers/gcp/resources/regions.py ================================================ from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.gcp.resources.base import GCPCompositeResources class Regions(GCPCompositeResources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_regions = await self.facade.gce.get_regions(self.project_id) for raw_region in raw_regions: self[raw_region['name']] = {} await self._fetch_children_of_all_resources( resources=self, scopes={region: {'project_id': self.project_id, 'region': region} for region in self}) ================================================ FILE: ScoutSuite/providers/gcp/resources/stackdriverlogging/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/gcp/resources/stackdriverlogging/base.py ================================================ from ScoutSuite.providers.gcp.resources.projects import Projects from ScoutSuite.providers.gcp.resources.stackdriverlogging.logging_metrics import LoggingMetrics from ScoutSuite.providers.gcp.resources.stackdriverlogging.sinks import Sinks from ScoutSuite.providers.gcp.resources.stackdriverlogging.metrics import Metrics class StackdriverLogging(Projects): _children = [ (Sinks, 'sinks'), (Metrics, 'metrics'), (LoggingMetrics, 
'logging_metrics') ] ================================================ FILE: ScoutSuite/providers/gcp/resources/stackdriverlogging/logging_metrics.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class LoggingMetrics(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_metrics = await self.facade.stackdriverlogging.get_metrics(self.project_id) metric = self._parse_metric(raw_metrics) self[self.project_id] = metric def _parse_metric(self, raw_metrics): metric_dict = {} metric_dict['project_ownership_assignments'] =\ self._specific_filter_present(raw_metrics, '(protoPayload.serviceName="cloudresourcemanager.googleapis' '.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (' 'protoPayload.serviceData.policyDelta.bindingDeltas.action' '="REMOVE" AND ' "protoPayload.serviceData.policyDelta.bindingDeltas.role" '="roles/owner") OR (' 'protoPayload.serviceData.policyDelta.bindingDeltas.action' '="ADD" AND ' 'protoPayload.serviceData.policyDelta.bindingDeltas.role' '="roles/owner")') metric_dict['audit_config_change'] = \ self._specific_filter_present(raw_metrics, 'protoPayload.methodName="SetIamPolicy" AND ' 'protoPayload.serviceData.policyDelta.auditConfigDeltas:*') metric_dict['custom_role_change'] = \ self._specific_filter_present(raw_metrics, 'resource.type="iam_role" AND protoPayload.methodName = ' '"google.iam.admin.v1.CreateRole" OR ' 'protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR ' 'protoPayload.methodName="google.iam.admin.v1.UpdateRole"') metric_dict['vpc_network_firewall_rule_change'] = \ self._specific_filter_present(raw_metrics, 'resource.type="gce_firewall_rule" AND ' 'jsonPayload.event_subtype="compute.firewalls.patch" OR ' 'jsonPayload.event_subtype="compute.firewalls.insert"') metric_dict['vpc_network_route_change'] = 
\ self._specific_filter_present(raw_metrics, 'resource.type="gce_route" AND ' 'jsonPayload.event_subtype="compute.routes.delete" OR ' 'jsonPayload.event_subtype="compute.routes.insert"') metric_dict['vpc_network_change'] = \ self._specific_filter_present(raw_metrics, 'resource.type=gce_network AND ' 'jsonPayload.event_subtype="compute.networks.insert" OR ' 'jsonPayload.event_subtype="compute.networks.patch" OR ' 'jsonPayload.event_subtype="compute.networks.delete" OR ' 'jsonPayload.event_subtype="compute.networks.removePeering" OR ' 'jsonPayload.event_subtype="compute.networks.addPeering"') metric_dict['cloud_storage_iam_permission_change'] = \ self._specific_filter_present(raw_metrics, 'resource.type=gcs_bucket AND ' 'protoPayload.methodName="storage.setIamPermissions"') metric_dict['sql_instance_conf_change'] = \ self._specific_filter_present(raw_metrics, 'protoPayload.methodName="cloudsql.instances.update"') return metric_dict def _specific_filter_present(self, raw_metrics, filter_value: str): for metric in raw_metrics: if metric.filter_ == filter_value: return True return False ================================================ FILE: ScoutSuite/providers/gcp/resources/stackdriverlogging/metrics.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class Metrics(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_metrics = await self.facade.stackdriverlogging.get_metrics(self.project_id) for raw_metric in raw_metrics: metric_name, metric = self._parse_metric(raw_metric) self[metric_name] = metric def _parse_metric(self, raw_metric): metric_dict = {} metric_dict['name'] = raw_metric.name metric_dict['description'] = raw_metric.description metric_dict['filter'] = raw_metric.filter_ return metric_dict['name'], metric_dict 
================================================ FILE: ScoutSuite/providers/gcp/resources/stackdriverlogging/sinks.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class Sinks(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_sinks = await self.facade.stackdriverlogging.get_sinks(self.project_id) for raw_sink in raw_sinks: sink_name, sink = self._parse_sink(raw_sink) self[sink_name] = sink def _parse_sink(self, raw_sink): sink_dict = {} sink_dict['name'] = raw_sink.name sink_dict['filter'] = raw_sink.filter_ sink_dict['destination'] = raw_sink.destination return sink_dict['name'], sink_dict ================================================ FILE: ScoutSuite/providers/gcp/resources/stackdrivermonitoring/__init__.py ================================================ ================================================ FILE: ScoutSuite/providers/gcp/resources/stackdrivermonitoring/alert_policies.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.utils import get_non_provider_id class AlertPolicies(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_alert_policies = await self.facade.stackdrivermonitoring.get_alert_policies(self.project_id) for raw_alert_policy in raw_alert_policies: alert_policy_name, alert_policy = self._parse_alert_policy(raw_alert_policy) self[alert_policy_name] = alert_policy def _parse_alert_policy(self, raw_alert_policy): alert_policy_dict = {} alert_policy_dict['id'] = get_non_provider_id(raw_alert_policy.name) alert_policy_dict['name'] = raw_alert_policy.display_name 
alert_policy_dict['combiner'] = raw_alert_policy.combiner alert_policy_dict['creation_record'] = raw_alert_policy.creation_record alert_policy_dict['mutation_record'] = raw_alert_policy.mutation_record alert_policy_dict['conditions'] = raw_alert_policy.conditions alert_policy_dict['enabled'] = raw_alert_policy.enabled return alert_policy_dict['id'], alert_policy_dict ================================================ FILE: ScoutSuite/providers/gcp/resources/stackdrivermonitoring/base.py ================================================ from ScoutSuite.providers.gcp.resources.projects import Projects from ScoutSuite.providers.gcp.resources.stackdrivermonitoring.monitoring_alert_policies import MonitoringAlertPolicies from ScoutSuite.providers.gcp.resources.stackdrivermonitoring.uptime_checks import UptimeChecks from ScoutSuite.providers.gcp.resources.stackdrivermonitoring.alert_policies import AlertPolicies class StackdriverMonitoring(Projects): _children = [ (UptimeChecks, 'uptime_checks'), (AlertPolicies, 'alert_policies'), (MonitoringAlertPolicies, 'monitoring_alert_policies') ] ================================================ FILE: ScoutSuite/providers/gcp/resources/stackdrivermonitoring/monitoring_alert_policies.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade class MonitoringAlertPolicies(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_alert_policies = await self.facade.stackdrivermonitoring.get_alert_policies(self.project_id) alert_policy = self._parse_alert_policy(raw_alert_policies) self[self.project_id] = alert_policy def _parse_alert_policy(self, raw_alert_policies): alert_policy_dict = {} alert_policy_dict['project_ownership_assignments'] = \ self._specific_alert_policy_present(raw_alert_policies) 
alert_policy_dict['audit_config_change'] = self._specific_alert_policy_present(raw_alert_policies) alert_policy_dict['custom_role_change'] = self._specific_alert_policy_present(raw_alert_policies) alert_policy_dict['vpc_network_firewall_rule_change'] = self._specific_alert_policy_present(raw_alert_policies) alert_policy_dict['vpc_network_route_change'] = self._specific_alert_policy_present(raw_alert_policies) alert_policy_dict['vpc_network_change'] = self._specific_alert_policy_present(raw_alert_policies) alert_policy_dict['cloud_storage_iam_permission_change'] = \ self._specific_alert_policy_present(raw_alert_policies) alert_policy_dict['sql_instance_conf_change'] = self._specific_alert_policy_present(raw_alert_policies) return alert_policy_dict def _specific_alert_policy_present(self, alert_policies): for alert_policy in alert_policies: for condition in alert_policy.conditions: if condition.condition_threshold.filter == 'metric.type=\"logging.googleapis.com/user/\"' and alert_policy.enabled.value: return True return False ================================================ FILE: ScoutSuite/providers/gcp/resources/stackdrivermonitoring/uptime_checks.py ================================================ from ScoutSuite.providers.base.resources.base import Resources from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.utils import get_non_provider_id class UptimeChecks(Resources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_uptime_checks = await self.facade.stackdrivermonitoring.get_uptime_checks(self.project_id) for raw_uptime_check in raw_uptime_checks: uptime_check_name, uptime_check = self._parse_uptime_check(raw_uptime_check) self[uptime_check_name] = uptime_check def _parse_uptime_check(self, raw_uptime_check): uptime_check_dict = {} uptime_check_dict['id'] = get_non_provider_id(raw_uptime_check.name) uptime_check_dict['name'] = 
raw_uptime_check.display_name uptime_check_dict['monitored_resource'] = raw_uptime_check.monitored_resource uptime_check_dict['http_check'] = raw_uptime_check.http_check uptime_check_dict['period'] = raw_uptime_check.period uptime_check_dict['timeout'] = raw_uptime_check.timeout return uptime_check_dict['id'], uptime_check_dict ================================================ FILE: ScoutSuite/providers/gcp/resources/zones.py ================================================ from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.gcp.resources.base import GCPCompositeResources class Zones(GCPCompositeResources): def __init__(self, facade: GCPFacade, project_id: str): super().__init__(facade) self.project_id = project_id async def fetch_all(self): raw_zones = await self.facade.gce.get_zones(self.project_id) for raw_zone in raw_zones: self[raw_zone['name']] = {} await self._fetch_children_of_all_resources( resources=self, scopes={zone: {'project_id': self.project_id, 'zone': zone} for zone in self}) ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/bigquery-dataset-member.json ================================================ { "description": "Datasets Accessible by \"_ARG_0_\"", "rationale": "Allowing anonymous and/or public access grants permissions to anyone to access the dataset's content. Such access might not be desired if you are storing any sensitive data. 
Hence, ensure that anonymous and/or public access to a dataset is not allowed.", "remediation": "Delete any permissions assigned to the allUsers and allAuthenticatedUsers members.", "dashboard_name": "Datasets", "display_path": "bigquery.projects.id.datasets.id", "path": "bigquery.projects.id.datasets.id", "conditions": [ "or", [ "bigquery.projects.id.datasets.id.bindings", "containString", "_ARG_0_" ] ], "key": "bigquery-dataset-_ARG_0_", "arg_names": [ "Member" ], "id_suffix": "permissions" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/bigquery-encryption-no-cmk.json ================================================ { "description": "Dataset Not Encrypted with Customer-Managed Keys (CMKs)", "rationale": "Encrypting datasets with Cloud KMS Customer-Managed Keys (CMKs) will allow for a more granular control over data encryption/decryption process.", "dashboard_name": "Datasets", "display_path": "bigquery.projects.id.datasets.id", "path": "bigquery.projects.id.datasets.id", "conditions": [ "or", [ "bigquery.projects.id.datasets.id.default_encryption_configuration", "null", "" ] ], "id_suffix": "default_encryption_configuration" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-allows-root-login-from-any-host.json ================================================ { "description": "Instance Allows Root Login from Any Host", "rationale": "Root access to MySQL Database Instances should be allowed only through trusted IPs.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "6.4" } ], "references": [ "https://forsetisecurity.org/docs/latest/concepts/best-practices.html#cloud-sql", "https://cloud.google.com/blog/products/gcp/best-practices-for-securing-your-google-cloud-databases" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ 
"cloudsql.projects.id.instances.id.database_version", "match", "MYSQL.*" ], [ "cloudsql.projects.id.instances.id.", "withKey", "users" ], [ "cloudsql.projects.id.instances.id.users", "withKey", "root" ], [ "or", [ "cloudsql.projects.id.instances.id.users.root.host", "equal", "%" ], [ "cloudsql.projects.id.instances.id.users.root.host", "equal", "0.0.0.0" ], [ "cloudsql.projects.id.instances.id.users.root.host", "equal", "/0" ] ] ], "id_suffix": "root_access_from_any_host" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-instance-backups-disabled.json ================================================ { "description": "Instance with Automatic Backups Disabled", "rationale": "Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance. Automated backups need to be set for any instance that contains data that should be protected from loss or damage.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the instance where the backups need to be configured.
  3. Click Edit
  4. In the Backups section, check 'Enable automated backups', and choose a backup window.
  5. Click Save
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.7" } ], "references": [ "https://cloud.google.com/sql/docs/mysql/backup-recovery/backups", "https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.automatic_backup_enabled", "false", "" ], [ "cloudsql.projects.id.instances.id.is_failover_replica", "false", "" ] ], "id_suffix": "automatic_backup_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-instance-is-open-to-public-range.json ================================================ { "description": "Database Instances Allowing Access from Public Ranges", "rationale": "To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be allow-listed to connect to it. An authorized network should not have IPs/networks configured to broad public ranges which will allow access to the instance from arbitrary hosts.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Click the instance name to open its Instance details page.
  3. Under the Configuration section click Edit configurations.
  4. Under Configuration options expand the Connectivity section.
  5. Click the delete icon for the overly broad authorized network.
  6. Click Save to update the instance.
", "compliance": [], "references": [ "https://cloud.google.com/sql/docs/mysql/configure-ip", "https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks", "https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints", "https://cloud.google.com/sql/docs/mysql/connection-org-policy" ], "dashboard_name": "Authorized Networks", "display_path": "cloudsql.projects.id.instances.id", "path": "cloudsql.projects.id.instances.id.authorized_networks.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.public_ip", "notEmpty", "" ], [ "cloudsql.projects.id.instances.id.public_ip", "notEqual", "None" ], [ "cloudsql.projects.id.instances.id.authorized_networks.id.value", "isPublicSubnet", "" ], [ "cloudsql.projects.id.instances.id.authorized_networks.id.value", "isSubnetRange", "" ] ], "id_suffix": "open_to_the_world" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-instance-is-open-to-the-world.json ================================================ { "description": "Database Instances Allowing Public Access (0.0.0.0/0)", "rationale": "To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be allow-listed to connect to it. An authorized network should not have IPs/networks configured to 0.0.0.0/0 which will allow access to the instance from anywhere in the world.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Click the instance name to open its Instance details page.
  3. Under the Configuration section click Edit configurations.
  4. Under Configuration options expand the Connectivity section.
  5. Click the delete icon for the authorized network 0.0.0.0/0.
  6. Click Save to update the instance.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "6.2" }, { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.5" } ], "references": [ "https://cloud.google.com/sql/docs/mysql/configure-ip", "https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks", "https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints", "https://cloud.google.com/sql/docs/mysql/connection-org-policy" ], "dashboard_name": "Authorized Networks", "display_path": "cloudsql.projects.id.instances.id", "path": "cloudsql.projects.id.instances.id.authorized_networks.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.public_ip", "notEmpty", "" ], [ "cloudsql.projects.id.instances.id.public_ip", "notEqual", "None" ], [ "cloudsql.projects.id.instances.id.authorized_networks.id.value", "match", ".*/0" ] ], "id_suffix": "open_to_the_world" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-instance-no-binary-logging.json ================================================ { "description": "Instance with Binary Logging Disabled", "rationale": "The benefits of enabling binary logs (replication, scalability, auditability, point-in-time data recovery, etc.) 
can improve the security posture of the Cloud SQL instance.", "references": [ "https://cloud.google.com/sql/docs/mysql/instance-settings", "https://cloud.google.com/sql/docs/mysql/replication/tips" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "or", [ "cloudsql.projects.id.instances.id.log_enabled", "false", "" ], [ "cloudsql.projects.id.instances.id.log_enabled", "null", "" ] ], [ "cloudsql.projects.id.instances.id.is_failover_replica", "false", "" ] ], "id_suffix": "log_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-instance-ssl-not-required.json ================================================ { "description": "Instance Not Requiring Mutual TLS Authentication for Incoming Connections", "rationale": "SQL database connections if successfully trapped (MITM) can reveal sensitive data such as credentials, database queries, query outputs etc. For improved security, it is recommended to require mutual authentication, which involves using certificates to authenticate both the client and server.", "remediation": "From console:
  1. Go to https://console.cloud.google.com/sql/instances.
  2. Click on an instance name to see its configuration overview.
  3. In the left-side panel, select Connections
  4. In the SSL connections section, click Allow only SSL connections.
  5. Under Configure SSL server certificates click Create new certificate.
  6. Under Configure SSL server certificates click Create a client certificate.
  7. Follow the instructions shown to learn how to connect to your instance.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "6.1" }, { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.4" } ], "references": [ "https://cloud.google.com/sql/docs/postgres/configure-ssl-instance" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "or", [ "cloudsql.projects.id.instances.id.ssl_required", "null", "" ], [ "cloudsql.projects.id.instances.id.ssl_required", "false", "" ] ], [ "cloudsql.projects.id.instances.id.is_failover_replica", "false", "" ] ], "id_suffix": "ssl_required" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-instance-with-no-backups.json ================================================ { "description": "Instance with No Backups", "rationale": "Weekly or monthly backups should be created of all databases holding sensitive information.", "references": [ "https://cloud.google.com/sql/docs/mysql/backup-recovery/backups" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id", "withKey", "backups" ], [ "cloudsql.projects.id.instances.id.backups", "empty", "" ], [ "cloudsql.projects.id.instances.id.is_failover_replica", "false", "" ] ], "id_suffix": "last_backup_timestamp" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-instances-public-ips.json ================================================ { "description": "Database Instances with Public IPs", "rationale": "To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Click the instance name to open its Instance details page.
  3. Select the Connections tab.
  4. Deselect the Public IP checkbox.
  5. Click Save to update the instance.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.6" } ], "references": [ "https://cloud.google.com/sql/docs/mysql/configure-private-ip", "https://cloud.google.com/sql/docs/mysql/private-ip", "https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints", "https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.public_ip", "notEmpty", "" ], [ "cloudsql.projects.id.instances.id.public_ip", "notEqual", "None" ] ], "id_suffix": "public_ip" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-mysql-instances-local-infile-on.json ================================================ { "description": "Local Infile Database Flag for MySQL Instance Is on", "rationale": "The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side. To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the MySQL instance where the database flag needs to be set.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag local_infile from the drop-down menu, and set its value to off.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.1.2" } ], "references": [ "https://cloud.google.com/sql/docs/mysql/flags", "https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile", "https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.local_infile_off", "false", "" ] ], "id_suffix": "local_infile_off" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-postgresql-instances-log-checkpoints-off.json ================================================ { "description": "Log Checkpoints Database Flag for PostgreSQL Instance Is off", "rationale": "Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them. This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance where the database flag needs to be enabled.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag log_checkpoints from the drop-down menu, and set its value to on.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.2.1" } ], "references": [ "https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT", "https://cloud.google.com/sql/docs/postgres/flags#setting_a_database_flag" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.log_checkpoints_on", "false", "" ] ], "id_suffix": "log_checkpoints_on" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-postgresql-instances-log-connections-off.json ================================================ { "description": "Log Connections Database Flag for PostgreSQL Instance Is off", "rationale": "PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance where the database flag needs to be enabled.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag log_connections from the drop-down menu, and set its value to on.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.2.2" } ], "references": [ "https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT", "https://cloud.google.com/sql/docs/postgres/flags" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.log_connections_on", "false", "" ] ], "id_suffix": "log_connections_on" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-postgresql-instances-log-disconnections-off.json ================================================ { "description": "Log Disconnections Database Flag for PostgreSQL Instance Is off", "rationale": "PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period. The log_disconnections and log_connections work hand in hand and generally, the pair would be enabled/disabled together. This recommendation is applicable to PostgreSQL database instances.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance where the database flag needs to be enabled.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag log_disconnections from the drop-down menu, and set its value to on.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.2.3" } ], "references": [ "https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT", "https://cloud.google.com/sql/docs/postgres/flags" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.log_disconnections_on", "false", "" ] ], "id_suffix": "log_disconnections_on" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-postgresql-instances-log-lock-waits-off.json ================================================ { "description": "Log Lock Waits Database Flag for PostgreSQL Instance Is off", "rationale": "The deadlock timeout defines the time to wait on a lock before checking for any conditions. Frequent run overs on deadlock timeout can be an indication of an underlying issue. Logging such waits on locks by enabling the log_lock_waits flag can be used to identify poor performance due to locking delays or if a specially-crafted SQL is attempting to starve resources through holding locks for excessive amounts of time. This recommendation is applicable to PostgreSQL database instances.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance where the database flag needs to be enabled.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag log_lock_waits from the drop-down menu, and set its value to on.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.2.4" } ], "references": [ "https://www.postgresql.org/docs/9.6/runtime-config-logging.html#GUC-LOG-MIN-DURATION-STATEMENT", "https://cloud.google.com/sql/docs/postgres/flags" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.log_lock_waits_on", "false", "" ] ], "id_suffix": "log_lock_waits_on" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-postgresql-instances-log-min-duration-not-set-1.json ================================================ { "description": "Log Min Duration Statement Database Flag for PostgreSQL Instance Is Not Set to -1", "rationale": "Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance where the database flag needs to be enabled.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag log_min_duration_statement from the drop-down menu, and set its value to -1.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.2.7" } ], "references": [ "https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT", "https://cloud.google.com/sql/docs/postgres/flags" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.log_min_duration_statement_-1", "false", "" ] ], "id_suffix": "log_min_duration_statement_-1" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-postgresql-instances-log-min-messages-not-set.json ================================================ { "description": "Log Min Messages Database Flag for PostgreSQL Instance Is Not Set", "rationale": "Auditing helps in troubleshooting operational problems and also permits forensic analysis. If log_min_error_statement is not set to the correct value, messages may not be classified as error messages appropriately. Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements. The log_min_error_statement flag should be set in accordance with the organization's logging policy. This recommendation is applicable to PostgreSQL database instances.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance where the database flag needs to be enabled.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag log_min_messages from the drop-down menu, and set an appropriate value.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.2.5" } ], "references": [ "https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN", "https://cloud.google.com/sql/docs/postgres/flags" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.log_min_messages", "false", "" ] ], "id_suffix": "log_min_messages" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-postgresql-instances-log-temp-files-not-set-0.json ================================================ { "description": "Log Temp Files Database Flag for PostgreSQL Instance Is Not Set to 0", "rationale": "If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance where the database flag needs to be enabled.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag log_temp_files from the drop-down menu, and set its value to 0.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.2.6" } ], "references": [ "https://www.postgresql.org/docs/9.6/runtime-config-logging.html#GUC-LOG-TEMP-FILES", "https://cloud.google.com/sql/docs/postgres/flags" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.log_temp_files_0", "false", "" ] ], "id_suffix": "log_temp_files_0" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-sqlservers-instances-contained-database-authentication-on.json ================================================ { "description": "Contained Database Authentication Database Flag for SQLServers Instance Is on", "rationale": "A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the SQL Server instance where the database flag needs to be enabled.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag contained database authentication from the drop-down menu, and set its value to off.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.3.2" } ], "references": [ "https://cloud.google.com/sql/docs/sqlserver/flags", "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15", "https://learn.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.contained_database_authentication_off", "false", "" ] ], "id_suffix": "contained_database_authentication_off" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudsql-sqlservers-instances-cross-db-ownership-chaining-on.json ================================================ { "description": "Cross DB Ownership Chaining Database Flag for SQLServers Instance Is on", "rationale": "Use the cross db ownership for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling cross db ownership is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.", "remediation": "From console:
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the SQL Server instance where the database flag needs to be enabled.
  3. Click Edit
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag cross db ownership chaining from the drop-down menu, and set its value to off.
  6. Click Save
  7. Confirm the changes under Flags on the Overview page.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "6.3.1" } ], "references": [ "https://cloud.google.com/sql/docs/sqlserver/flags", "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15" ], "dashboard_name": "Instances", "path": "cloudsql.projects.id.instances.id", "conditions": [ "and", [ "cloudsql.projects.id.instances.id.cross_db_ownership_chaining_off", "false", "" ] ], "id_suffix": "cross_db_ownership_chaining_off" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudstorage-bucket-member.json ================================================ { "description": "Bucket Accessible by \"_ARG_0_\"", "rationale": "Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed.", "remediation": "\"From console:
  1. Go to Storage browser by visiting https://console.cloud.google.com/storage/browser.
  2. Click on the bucket name to go to its Bucket details page.
  3. Click on the Permissions tab.
  4. Click Delete button in front of allUsers and allAuthenticatedUsers to remove that particular role assignment.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "5.1" }, { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "5.1" } ], "references": [ "https://cloud.google.com/storage/docs/access-control/iam-reference", "https://cloud.google.com/storage/docs/access-control/making-data-public", "https://cloud.google.com/storage/docs/gsutil/commands/iam" ], "dashboard_name": "Buckets", "display_path": "cloudstorage.projects.id.buckets.id", "path": "cloudstorage.projects.id.buckets.id", "conditions": [ "and", ["or", [ "cloudstorage.projects.id.buckets.id.member_bindings", "withKey", "_ARG_0_" ], [ "cloudstorage.projects.id.buckets.id.acls", "containString", "_ARG_0_" ] ], [ "cloudstorage.projects.id.buckets.id.public_access_prevention", "notEqual", "enforced" ], [ "cloudstorage.projects.id.buckets.id.public_access_prevention", "notEqual", "inherited" ] ], "key": "cloudstorage-bucket-_ARG_0_", "arg_names": [ "Member", "Description" ], "id_suffix": "_ARG_0_" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudstorage-bucket-no-logging.json ================================================ { "description": "Bucket with Logging Disabled", "rationale": "Enable access and storage logs, in order to capture all events which may affect objects within target buckets.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "5.3" } ], "references": [ "https://cloud.google.com/storage/docs/access-logs" ], "dashboard_name": "Buckets", "path": "cloudstorage.projects.id.buckets.id", "conditions": [ "and", [ "cloudstorage.projects.id.buckets.id.logging_enabled", "false", "" ] ], "id_suffix": "logging_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudstorage-bucket-no-public-access-prevention.json ================================================ { 
"description": "Bucket with Public Access Prevention Not Enforced", "rationale": "Public access prevention protects Cloud Storage buckets and objects from being accidentally exposed to the public. When you enforce public access prevention, no one can make data in applicable buckets public through IAM policies or ACLs.

Note that even if a bucket does not have public access prevention explicitly enforced in its settings, it might still inherit public access prevention, which occurs if the organization policy constraint storage.publicAccessPrevention is set on the project, folder, or organization that the bucket exists within. For this reason, the bucket state can only be set to enforced or inherited.", "references": [ "https://cloud.google.com/storage/docs/public-access-prevention" ], "dashboard_name": "Buckets", "path": "cloudstorage.projects.id.buckets.id", "conditions": [ "and", [ "cloudstorage.projects.id.buckets.id.public_access_prevention", "notEqual", "enforced" ], [ "cloudstorage.projects.id.buckets.id.public_access_prevention", "notEqual", "inherited" ] ], "id_suffix": "public_access_prevention" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudstorage-bucket-no-versioning.json ================================================ { "description": "Bucket with Versioning Disabled", "rationale": "Enable Object Versioning to protect Cloud Storage data from being overwritten or accidentally deleted.", "references": [ "https://cloud.google.com/storage/docs/using-object-versioning" ], "dashboard_name": "Buckets", "path": "cloudstorage.projects.id.buckets.id", "conditions": [ "and", [ "cloudstorage.projects.id.buckets.id.versioning_enabled", "false", "" ] ], "id_suffix": "versioning_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/cloudstorage-uniform-bucket-level-access-disabled.json ================================================ { "description": "Uniform Bucket-Level Access Is Disabled", "rationale": "It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources. In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access. 
Using this feature disables ACLs for all Cloud Storage resources: access to Cloud Storage resources then is granted exclusively through Cloud IAM. Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible, no object in the bucket is publicly accessible either.", "remediation": "From console:
  1. Open the Cloud Storage browser in the Google Cloud Console by visiting: https://console.cloud.google.com/storage/browser
  2. In the list of buckets, click on the name of the desired bucket.
  3. Select the Permissions tab near the top of the page.
  4. In the text box that starts with This bucket uses fine-grained access control..., click Edit.
  5. In the pop-up menu that appears, select Uniform.
  6. Click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "5.2" } ], "references": [ "https://cloud.google.com/storage/docs/uniform-bucket-level-access", "https://cloud.google.com/storage/docs/using-uniform-bucket-level-access", "https://cloud.google.com/storage/docs/org-policy-constraints#uniform-bucket" ], "dashboard_name": "Buckets", "display_path": "cloudstorage.projects.id.buckets.id", "path": "cloudstorage.projects.id.buckets.id", "conditions": [ "or", [ "cloudstorage.projects.id.buckets.id.uniform_bucket_level_access", "false", "" ], [ "cloudstorage.projects.id.buckets.id.uniform_bucket_level_access", "equal", "None" ] ], "id_suffix": "uniform_bucket_level_access" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-firewall-default-rule-in-use.json ================================================ { "description": "Default Firewall Rule in Use", "rationale": "Some default firewall rules were in use. This could potentially expose sensitive services or protocols to other networks.", "dashboard_name": "Firewall Rule", "path": "computeengine.projects.id.firewalls.id", "conditions": [ "and", [ "computeengine.projects.id.firewalls.id.name", "containAtLeastOneOf", [ "default-allow-internal", "default-allow-icmp", "default-allow-rdp", "default-allow-ssh", "auto-mode-vpc-allow-icmp", "auto-mode-vpc-allow-internal", "auto-mode-vpc-allow-rdp", "auto-mode-vpc-allow-ssh" ] ], [ "computeengine.projects.id.firewalls.id.disabled", "false", "" ] ], "id_suffix": "name" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-firewall-rule-allows-all-ports.json ================================================ { "description": "Firewall Rule Opens All Ports (0-65535)", "rationale": "The firewall rule allows access to all ports. 
This widens the attack surface of the infrastructure and makes it easier for an attacker to reach potentially sensitive services over the network.", "dashboard_name": "Firewall Rule Elements", "display_path": "computeengine.projects.id.firewalls.id", "path": "computeengine.projects.id.firewalls.id.allowed_traffic.id.ports.id", "conditions": [ "and", [ "computeengine.projects.id.firewalls.id.action", "equal", "allowed" ], [ "computeengine.projects.id.firewalls.id.disabled", "notTrue", "" ], [ "computeengine.projects.id.firewalls.id.direction", "equal", "INGRESS" ], ["or", [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "equal", "0-65535" ], [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "equal", "1-65535" ] ] ], "id_suffix": "permissive_ports" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-firewall-rule-allows-internal-traffic.json ================================================ { "description": "Firewall Rule Allows Internal Traffic", "rationale": "Firewall rule allows ingress connections for all protocols and ports among instances in the network.", "dashboard_name": "Firewall Rule Elements", "display_path": "computeengine.projects.id.firewalls.id", "path": "computeengine.projects.id.firewalls.id.allowed_traffic.id.ports.id", "conditions": [ "and", [ "computeengine.projects.id.firewalls.id.action", "equal", "allowed" ], [ "computeengine.projects.id.firewalls.id.disabled", "notTrue", "" ], [ "computeengine.projects.id.firewalls.id.direction", "equal", "INGRESS" ], [ "computeengine.projects.id.firewalls.id.source_ranges", "containAtLeastOneOf", "10.128.0.0/9" ], ["or", [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "equal", "0-65535" ], [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "equal", "1-65535" ] ] ], "id_suffix": "permissive_ports" } ================================================ FILE: 
ScoutSuite/providers/gcp/rules/findings/computeengine-firewall-rule-allows-port-range.json ================================================ { "description": "Firewall Rule Allows Port Range(s)", "rationale": "It was found that the firewall rule was using port ranges. Sometimes, ranges could include unintended ports that should not be exposed. As a result, when possible, explicit port lists should be used instead.", "dashboard_name": "Firewall Rule Elements", "display_path": "computeengine.projects.id.firewalls.id", "path": "computeengine.projects.id.firewalls.id.allowed_traffic.id.ports.id", "conditions": [ "and", [ "computeengine.projects.id.firewalls.id.action", "equal", "allowed" ], [ "computeengine.projects.id.firewalls.id.disabled", "notTrue", "" ], [ "computeengine.projects.id.firewalls.id.direction", "equal", "INGRESS" ], [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "match", "[0-9]+-[0-9]+" ], [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "notEqual", "0-65535" ], [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "notEqual", "1-65535" ] ], "id_suffix": "permissive_ports" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-firewall-rule-allows-public-access.json ================================================ { "description": "Firewall Rule Allows Public Access (0.0.0.0/0)", "rationale": "The firewall rule was found to be exposing potentially open ports to all source addresses. Ports are commonly probed by automated scanning tools, and could be an indicator of sensitive services exposed to Internet. 
If such services need to be exposed, a restriction on the source address could help to reduce the attack surface of the infrastructure.", "dashboard_name": "Firewall Rules", "path": "computeengine.projects.id.firewalls.id", "conditions": [ "and", [ "computeengine.projects.id.firewalls.id.action", "equal", "allowed" ], [ "computeengine.projects.id.firewalls.id.disabled", "notTrue", "" ], [ "computeengine.projects.id.firewalls.id.direction", "equal", "INGRESS" ], [ "computeengine.projects.id.firewalls.id.source_ranges", "containAtLeastOneOf", "0.0.0.0/0" ] ], "id_suffix": "source_ranges" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-firewall-rule-opens-all-ports-to-all.json ================================================ { "description": "Firewall Rule Allows Public Access (0.0.0.0/0) to All Ports (0-65535)", "rationale": "The firewall rule was found to be exposing all ports to all source addresses. Ports are commonly probed by automated scanning tools, and could be an indicator of sensitive services exposed to Internet. 
If such services need to be exposed, a restriction on the source address could help to reduce the attack surface of the infrastructure.", "dashboard_name": "Firewall Rule Elements", "display_path": "computeengine.projects.id.firewalls.id", "path": "computeengine.projects.id.firewalls.id.allowed_traffic.id.ports.id", "conditions": [ "and", [ "computeengine.projects.id.firewalls.id.action", "equal", "allowed" ], [ "computeengine.projects.id.firewalls.id.disabled", "notTrue", "" ], [ "computeengine.projects.id.firewalls.id.direction", "equal", "INGRESS" ], [ "computeengine.projects.id.firewalls.id.source_ranges", "containAtLeastOneOf", "0.0.0.0/0" ], ["or", [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "equal", "0-65535" ], [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "equal", "1-65535" ] ] ], "id_suffix": "permissive_ports" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-firewall-rule-opens-sensitive-port-to-all.json ================================================ { "description": "Firewall _ARG_0_ Rule Allows Public Access (0.0.0.0/0) to a Sensitive Port", "rationale": "The firewall rule was found to be exposing a well-known port to all source addresses. Well-known ports are commonly probed by automated scanning tools, and could be an indicator of sensitive services exposed to Internet. 
If such services need to be exposed, a restriction on the source address could help to reduce the attack surface of the infrastructure.", "dashboard_name": "Firewall Rule Elements", "display_path": "computeengine.projects.id.firewalls.id", "path": "computeengine.projects.id.firewalls.id.allowed_traffic.id.ports.id", "conditions": [ "and", [ "computeengine.projects.id.firewalls.id.action", "equal", "allowed" ], [ "computeengine.projects.id.firewalls.id.disabled", "notTrue", "" ], [ "computeengine.projects.id.firewalls.id.direction", "equal", "_ARG_0_" ], [ "computeengine.projects.id.firewalls.id.source_ranges", "containAtLeastOneOf", "0.0.0.0/0" ], [ "computeengine.projects.id.firewalls.id.allowed_traffic.id.", "containAtLeastOneOf", [ "21", "22", "23", "53", "1433", "1521", "3306", "3389", "27017", "54322" ] ] ], "id_suffix": "permissive_ports" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-block-project-ssh-keys-disabled.json ================================================ { "description": "Block Project SSH Keys Disabled", "rationale": "Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.", "remediation": "From console:
  1. Go to the VM instances page by visiting https://console.cloud.google.com/compute/instances.
  2. Click on the name of the Impacted instance
  3. Click Edit in the toolbar.
  4. Under SSH Keys, go to the Block project-wide SSH keys checkbox.
  5. To block users with project-wide SSH keys from connecting to this instance, select Block project-wide SSH keys
  6. Click Save at the bottom of the page
  7. Repeat steps for every impacted Instance
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "4.3" } ], "references": [ "https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys" ], "dashboard_name": "Instances", "path": "computeengine.projects.id.zones.id.instances.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.block_project_ssh_keys_enabled", "false", "" ] ], "id_suffix": "block_project_ssh_keys_disabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-connecting-serial-ports-enabled.json ================================================ { "description": "Enable Connecting to Serial Ports Is Enabled", "rationale": "The interactive serial console does not support IP-based access restrictions such as IP allow-lists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.", "remediation": "From console:
  1. Login to Google Cloud console
  2. Go to Compute Engine
  3. Go to VM instances
  4. Click on the Specific VM
  5. Click Edit
  6. Unselect Enable connecting to serial ports below the Remote access block.
  7. Click Save
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "4.5" } ], "references": [ "https://cloud.google.com/compute/docs/instances/interacting-with-serial-console" ], "dashboard_name": "Instances", "path": "computeengine.projects.id.zones.id.instances.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.serial_port_enabled", "true", "" ] ], "id_suffix": "serial_port_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-default-service-account.json ================================================ { "description": "Instances Configured to Use Default Service Account", "rationale": "The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account. Instead, you should create a new service account and assigning only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]-compute@developer.gserviceaccount.com.", "remediation": "From console:
  1. Go to the VM instances page by visiting https://console.cloud.google.com/compute/instances.
  2. Click on the instance name to go to its VM instance details page.
  3. Click STOP and then click Edit
  4. Under the section Service Account, select a service account other than the default Compute Engine service account. You may first need to create a new service account.
  5. Click Save and then click START
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "4.1" } ], "references": [ "https://cloud.google.com/compute/docs/access/service-accounts", "https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances", "https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account" ], "dashboard_name": "Instances", "path": "computeengine.projects.id.zones.id.instances.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.default_service_account", "true", "" ] ], "id_suffix": "service_account" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-disk-not-csek-encrypted.json ================================================ { "description": "VM Disks Not Customer-Supplied Encryption Keys (CSEK) Encrypted", "rationale": "By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.", "remediation": "From console:
  1. Go to Compute Engine Disks by visiting https://console.cloud.google.com/compute/disks.
  2. Click CREATE DISK.
  3. Set Encryption type to Customer supplied
  4. Provide the Key in the box.
  5. Select Wrapped key.
  6. Click Create
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "4.7" } ], "references": [ "https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys", "https://cloud.google.com/compute/docs/reference/rest/v1/disks/get", "https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file" ], "dashboard_name": "Instances", "display_path": "computeengine.projects.id.zones.id.instances.id", "path": "computeengine.projects.id.zones.id.instances.id.disks.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.disks.id.encrypted_with_csek", "false", "" ] ], "id_suffix": "encrypted_with_csek" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-disk-with-no-snapshot.json ================================================ { "description": "Instance Disk without Snapshots", "rationale": "You should have snapshots of your in-use or available disks taken on a regular basis to enable disaster recovery efforts.", "references": [ "https://cloud.google.com/compute/docs/disks/create-snapshots", "https://cloud.google.com/compute/docs/disks/scheduled-snapshots", "https://cloud.google.com/compute/docs/disks/snapshot-best-practices" ], "dashboard_name": "Instances", "display_path": "computeengine.projects.id.zones.id.instances.id", "path": "computeengine.projects.id.zones.id.instances.id.disks.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.disks.id.snapshots", "empty", "" ] ], "id_suffix": "latest_snapshot" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-full-api-access.json ================================================ { "description": "Instances Configured to Use Default Service Account with Full Access to All Cloud APIs", "rationale": "When an instance is configured with 
the Compute Engine default service account with the scope Allow full access to all Cloud APIs, then, depending on the IAM roles assigned to the user(s) accessing the instance, it may allow a user to perform cloud operations/API calls that the user is not supposed to perform, leading to successful privilege escalation.", "remediation": "From console:
  1. Go to the VM instances page by visiting https://console.cloud.google.com/compute/instances.
  2. Click on the impacted VM instance.
  3. If the instance is not stopped, click the Stop button. Wait for the instance to be stopped.
  4. Next, click the Edit button.
  5. Scroll down to the Service Account section.
  6. Select a different service account or ensure that Allow full access to all Cloud APIs is not selected.
  7. Click the Save button to save your changes and then click START
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "4.2" } ], "references": [ "https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances", "https://cloud.google.com/compute/docs/access/service-accounts" ], "dashboard_name": "Instances", "path": "computeengine.projects.id.zones.id.instances.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.full_access_apis", "true", "" ] ], "id_suffix": "full_access_apis" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-ip-forwarding-enabled.json ================================================ { "description": "IP Forwarding Is Enabled", "rationale": "Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.", "remediation": "From console:
  1. Go to the VM instances page by visiting https://console.cloud.google.com/compute/instances.
  2. Select the VM Instance you want to remediate.
  3. Click the Delete button.
  4. On the 'VM Instances' page, click 'CREATE INSTANCE'.
  5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "4.6" } ], "references": [ "https://cloud.google.com/vpc/docs/using-routes#canipforward" ], "dashboard_name": "Instances", "path": "computeengine.projects.id.zones.id.instances.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.ip_forwarding_enabled", "true", "" ] ], "id_suffix": "ip_forwarding_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-os-login-disabled.json ================================================ { "description": "OS Login Disabled", "rationale": "Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.", "remediation": "From console:
  1. Go to the VM compute metadata page by visiting https://console.cloud.google.com/compute/metadata.
  2. Click Edit.
  3. Add a metadata entry where the key is enable-oslogin and the value is TRUE.
  4. Click Save to apply the changes.
  5. For every instance that overrides the project setting, go to the VM Instances page at https://console.cloud.google.com/compute/instances.
  6. Click the name of the instance on which you want to remove the metadata value.
  7. At the top of the instance details page, click Edit to edit the instance settings.
  8. Under Custom metadata, remove any entry where the key is enable-oslogin and the value is FALSE.
  9. At the bottom of the instance details page, click Save to apply your changes to the instance.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "4.4" } ], "references": [ "https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys" ], "dashboard_name": "Instances", "path": "computeengine.projects.id.zones.id.instances.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.oslogin_enabled", "false", "" ] ], "id_suffix": "oslogin_disabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-public-ip-adresses.json ================================================ { "description": "Instances Have Public IP Addresses", "rationale": "To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.", "remediation": "From console:
  1. Go to the VM instances page by visiting https://console.cloud.google.com/compute/instances.
  2. Click on the instance name to go to the Instance detail page.
  3. Click Edit
  4. For each Network interface, ensure that External IP is set to None.
  5. Click Done and then click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "4.9" } ], "references": [ "https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses", "https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances", "https://cloud.google.com/compute/docs/instances/connecting-to-instance", "https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip", "https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints" ], "dashboard_name": "Instances", "path": "computeengine.projects.id.zones.id.instances.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.public_ip_addresses", "true", "" ] ], "id_suffix": "public_ip_addresses" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-shielded-vm-disabled.json ================================================ { "description": "Shielded VM Disabled", "rationale": "Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot-or kernel-level malware or rootkits. Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.", "remediation": "From console:
  1. Go to the VM instances page by visiting https://console.cloud.google.com/compute/instances.
  2. Click on the instance name to see its VM Instance detail page.
  3. Click STOP to stop the instance.
  4. When the instance has stopped, click Edit
  5. In the Shielded VM section, select Turn on vTPM and Turn on Integrity Monitoring.
  6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select Turn on Secure Boot.
  7. Click the Save button to modify the instance and then click START to restart it.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "4.8" } ], "references": [ "https://cloud.google.com/compute/docs/instances/modifying-shielded-vm", "https://cloud.google.com/shielded-vm", "https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint" ], "dashboard_name": "Instances", "path": "computeengine.projects.id.zones.id.instances.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.shielded_enable", "false", "" ] ], "id_suffix": "shielded_enable" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-instance-with-deletion-protection-disabled.json ================================================ { "description": "Instance without Deletion Protection", "rationale": "It is good practice to enable this feature on production instances, to ensure that they may not be deleted by accident.", "references": [ "https://cloud.google.com/compute/docs/instances/preventing-accidental-vm-deletion" ], "dashboard_name": "Instances", "path": "computeengine.projects.id.zones.id.instances.id", "conditions": [ "and", [ "computeengine.projects.id.zones.id.instances.id.deletion_protection_enabled", "false", "" ] ], "id_suffix": "deletion_protection_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-loadbalancer-forwarding-rule-forwards-sensitive-port.json ================================================ { "description": "External Load Balancer Rule Forwards a Non-Standard Port", "rationale": "The Load Balancer rule was found to be forwarding a non-standard port (80 or 443), potentially exposing a sensitive service. 
If such services need to be exposed, a restriction on the source address could help to reduce the attack surface of the infrastructure.", "dashboard_name": "Forwarding Rule", "path": "computeengine.projects.id.regions.id.forwarding_rules.id", "conditions": [ "and", [ "computeengine.projects.id.regions.id.forwarding_rules.id.load_balancing_scheme", "equal", "EXTERNAL" ], [ "or", [ "computeengine.projects.id.regions.id.forwarding_rules.id.all_ports", "true", "" ], [ "and", [ "computeengine.projects.id.regions.id.forwarding_rules.id.port_range", "notEqual", "" ], [ "computeengine.projects.id.regions.id.forwarding_rules.id.port_range", "containNoneOf", [ "80-80", "443-443", "80-80,443-443" ] ] ], [ "and", [ "computeengine.projects.id.regions.id.forwarding_rules.id.ports", "notEmpty", "" ], [ "computeengine.projects.id.regions.id.forwarding_rules.id.ports", "containNoneOf", [ "80", "443" ] ] ] ] ] } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-loadbalancer-global-forwarding-rule-forwards-sensitive-port.json ================================================ { "description": "External Load Balancer Global Rule Forwards a Non-Standard Port", "rationale": "The Load Balancer rule was found to be forwarding a non-standard port (80 or 443), potentially exposing a sensitive service. 
If such services need to be exposed, a restriction on the source address could help to reduce the attack surface of the infrastructure.", "dashboard_name": "Forwarding Rule", "path": "computeengine.projects.id.global_forwarding_rules.id", "conditions": [ "and", [ "computeengine.projects.id.global_forwarding_rules.id.load_balancing_scheme", "equal", "EXTERNAL" ], [ "or", [ "computeengine.projects.id.global_forwarding_rules.id.all_ports", "true", "" ], [ "and", [ "computeengine.projects.id.global_forwarding_rules.id.port_range", "notEqual", "" ], [ "computeengine.projects.id.global_forwarding_rules.id.port_range", "containNoneOf", [ "80-80", "443-443", "80-80,443-443" ] ] ], [ "and", [ "computeengine.projects.id.global_forwarding_rules.id.ports", "notEmpty", "" ], [ "computeengine.projects.id.global_forwarding_rules.id.ports", "containNoneOf", [ "80", "443" ] ] ] ] ] } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-network-default-in-use.json ================================================ { "description": "Default Network Should Be Removed", "rationale": "The default network has a preconfigured network configuration and automatically generates insecure firewall rules. These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.", "remediation": "From Console:
  1. Go to VPC networks page by visiting: https://console.cloud.google.com/networking/networks/list
  2. Click the network named default
  3. On the network detail page, click EDIT
  4. Click DELETE VPC NETWORK
  5. If needed, create a new network to replace the default network
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "3.1" } ], "references": [ "https://cloud.google.com/compute/docs/networking#firewall_rules", "https://cloud.google.com/compute/docs/reference/latest/networks/insert", "https://cloud.google.com/compute/docs/reference/latest/networks/delete", "https://cloud.google.com/vpc/docs/firewall-rules-logging", "https://cloud.google.com/vpc/docs/vpc#default-network", "https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete" ], "dashboard_name": "Networks", "path": "computeengine.projects.id.networks.id", "conditions": [ "and", [ "computeengine.projects.id.networks.id.name", "equal", "default" ] ], "id_suffix": "name" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-network-legacy-in-use.json ================================================ { "description": "Legacy Network Should Be Removed", "rationale": "Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.", "remediation": "For each Google Cloud Platform project,
  1. Follow the documentation and create a non-legacy network suitable for the organization's requirements.
  2. Follow the documentation and delete the networks in the legacy mode.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "3.2" } ], "references": [ "https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network", "https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network" ], "dashboard_name": "Networks", "path": "computeengine.projects.id.networks.id", "conditions": [ "and", [ "computeengine.projects.id.networks.id.legacy_mode", "true", "" ] ], "id_suffix": "legacy_mode" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-network-with-no-instances.json ================================================ { "description": "Network without Instances", "rationale": "Maintaining unused resources increases risks of misconfigurations and increases the difficulty of audits.", "dashboard_name": "Networks", "path": "computeengine.projects.id.networks.id", "conditions": [ "and", [ "computeengine.projects.id.networks.id.instances", "empty", "" ] ] } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-old-disk-snapshot.json ================================================ { "description": "Old Instance Disk Snapshot", "rationale": "Disk snapshots that are over 90 days are likely to be outdated.", "references": [ "https://cloud.google.com/compute/docs/disks/create-snapshots", "https://cloud.google.com/compute/docs/disks/scheduled-snapshots", "https://cloud.google.com/compute/docs/disks/snapshot-best-practices" ], "dashboard_name": "Snapshots", "path": "computeengine.projects.id.snapshots.id", "conditions": [ "and", [ "computeengine.projects.id.snapshots.id.status", "equal", "READY" ], [ "computeengine.projects.id.snapshots.id.creation_timestamp", "olderThan", [ "90", "days" ] ] ] } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/computeengine-vpc-flow-logs-disabled.json 
================================================ { "description": "VPC Flow Logs Not Enabled", "rationale": "VPC Flow Logs were not enabled for this subnet. It is best practice to enable Flow Logs to some degree in order to have network visibility in the event of resource compromise, as well as source data for threat detections.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "3.8" } ], "references": [ "https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging" ], "dashboard_name": "Subnetwork", "path": "computeengine.projects.id.regions.id.subnetworks.id", "conditions": [ "and", [ "computeengine.projects.id.regions.id.subnetworks.id.flowlogs_enabled", "false", "" ] ], "id_suffix": "flowlogs_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/dns-zones-dnssec-not-enabled.json ================================================ { "description": "DNSSEC Is Not Enabled for Cloud DNS", "rationale": "Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated. Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today\u2019s web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.", "remediation": "From Console:
  1. Go to Cloud DNS by visiting https://console.cloud.google.com/net-services/dns/zones.
  2. For each zone of Type Public, set DNSSEC to ON.
", "references": [ "https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html", "https://cloud.google.com/dns/dnssec-config#enabling", "https://cloud.google.com/dns/dnssec" ], "dashboard_name": "Cloud DNS", "path": "dns.projects.id.managed_zones.id", "conditions": [ "and", [ "dns.projects.id.managed_zones.id.dnssec_enabled", "false", "" ] ], "id_suffix": "dnssec_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/dns-zones-key-signing-key-using-rsasha1.json ================================================ { "description": "DNSSEC Key-signing Key Uses RSASHA1", "rationale": "The algorithm used for key signing should be a recommended one and it should be strong. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.", "remediation": "From Console:
  1. If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings. To turn off DNSSEC, run the following command:
    gcloud dns managed-zones update ZONE_NAME --dnssec-state off
  2. To update key-signing for a reported managed DNS Zone, run the following command:
    gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE
", "references": [ "https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options" ], "dashboard_name": "Cloud DNS", "path": "dns.projects.id.managed_zones.id", "conditions": [ "and", [ "dns.projects.id.managed_zones.id.key_signing_algorithm", "equal", "rsasha1" ] ] } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/dns-zones-zone-signing-key-using-rsasha1.json ================================================ { "description": "DNSSEC Zone-signing Key Uses RSASHA1", "rationale": "The algorithm used for key signing should be a recommended one and it should be strong. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.", "remediation": "From Console:
  1. If it is necessary to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and re-enabled with different settings. To turn off DNSSEC, run the following command:
    gcloud dns managed-zones update ZONE_NAME --dnssec-state off
  2. To update key-signing for a reported managed DNS Zone, run the following command:
    gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE
", "references": [ "https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options" ], "dashboard_name": "Cloud DNS", "path": "dns.projects.id.managed_zones.id", "conditions": [ "and", [ "dns.projects.id.managed_zones.id.zone_signing_algorithm", "equal", "rsasha1" ] ] } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/functions-v1-allowing-http.json ================================================ { "description": "Functions Allowing HTTP Traffic (Gen 1)", "rationale": "Use of a secure protocol (HTTPS) is best practice for encrypted communication. A function allowing HTTP traffic can be vulnerable to eavesdropping and man-in-the-middle attacks.", "references": [ "https://cloud.google.com/logging/docs/reference/audit/appengine/rest/Shared.Types/SecurityLevel" ], "dashboard_name": "Functions", "path": "functions.projects.id.functions_v1.id", "conditions": [ "or", [ "functions.projects.id.functions_v1.id.security_level", "notEqual", "SECURE_ALWAYS" ] ], "id_suffix": "security_level" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/functions-v1-environment-variables-secrets.json ================================================ { "description": "Potential Secrets in Function Environment Variables (Gen 1)", "rationale": "Anyone who can access the function can view the configured secrets. 
Best practice is to store configuration secrets in Secret Manager (or similar).", "dashboard_name": "Functions", "path": "functions.projects.id.functions_v1.id", "conditions": [ "or", [ "functions.projects.id.functions_v1.id.environment_variables_secrets", "notEmpty", "" ] ], "id_suffix": "environment_variables_secrets" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/functions-v1-member.json ================================================ { "description": "Functions Accessible by \"_ARG_0_\"", "rationale": "Allowing anonymous and/or public access grants permissions to anyone to access the function's configuration and content. This configuration should be restricted to follow the principle of least privilege", "references": [ "https://cloud.google.com/logging/docs/reference/audit/appengine/rest/Shared.Types/SecurityLevel" ], "dashboard_name": "Functions", "path": "functions.projects.id.functions_v1.id", "conditions": [ "or", [ "functions.projects.id.functions_v1.id.bindings", "containString", "_ARG_0_" ] ], "key": "functions-v1-function-_ARG_0_", "arg_names": [ "Member" ], "id_suffix": "bindings" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/functions-v1-public-endpoint.json ================================================ { "description": "Public Function Endpoint (Gen 1)", "rationale": "The Cloud Function's ingress configuration allowed all traffic, potentially exposing undesired functionality. 
It is recommended that traffic reaching functions be routed via a load balancer, to minimize the attack surface.", "dashboard_name": "Functions", "display_path": "functions.projects.id.functions_v1.id", "path": "functions.projects.id.functions_v1.id.bindings.id", "conditions": [ "and", [ "functions.projects.id.functions_v1.id.ingress_settings", "equal", "ALLOW_ALL" ], [ "functions.projects.id.functions_v1.id.bindings.id.role", "equal", "roles/viewer" ], [ "functions.projects.id.functions_v1.id.bindings.id.members", "containString", "allUsers" ] ], "id_suffix": "ingress_settings" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/functions-v2-environment-variables-secrets.json ================================================ { "description": "Potential Secrets in Function Environment Variables (Gen 2)", "rationale": "Anyone who can access the function can view the configured secrets. Best practice is to store configuration secrets in Secret Manager (or similar).", "dashboard_name": "Functions", "path": "functions.projects.id.functions_v2.id", "conditions": [ "or", [ "functions.projects.id.functions_v2.id.environment_variables_secrets", "notEmpty", "" ] ], "id_suffix": "environment_variables_secrets" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/functions-v2-public-endpoint.json ================================================ { "description": "Public Function Endpoint (Gen 2)", "rationale": "The Cloud Function's ingress configuration allowed all traffic, potentially exposing undesired functionality. 
It is recommended that traffic reaching functions be routed via a load balancer, to minimize the attack surface.", "dashboard_name": "Functions", "path": "functions.projects.id.functions_v2.id", "conditions": [ "or", [ "functions.projects.id.functions_v2.id.ingress_settings", "equal", "ALLOW_ALL" ] ], "id_suffix": "ingress_settings" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-gmail-accounts-used.json ================================================ { "description": "Gmail Account in Use", "rationale": "It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources. Email accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "1.1" }, { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.1" } ], "references": [ "https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#manage-identities", "https://support.google.com/work/android/answer/6371476", "https://cloud.google.com/sdk/gcloud/reference/organizations/get-iam-policy", "https://cloud.google.com/sdk/gcloud/reference/beta/resource-manager/folders/get-iam-policy", "https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy", "https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints", "https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains" ], "dashboard_name": "Users", "path": "iam.projects.id.users.id", "conditions": [ "and", [ "iam.projects.id.users.id.name", "match", ".+@gmail[.]com" ] ], "id_suffix": "name" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-lack-of-service-account-key-rotation.json 
================================================ { "description": "Lack of User-Managed Service Account Key Rotation", "rationale": "Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. User-managed Service Account keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen. It should be ensured that keys are rotated every 90 days.
This issue does not apply to system-managed keys, as they are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime.", "remediation": "From console:
Delete any external (user-managed) Service Account Key older than 90 days:
  1. Go to APIs & Services\\Credentials using https://console.cloud.google.com/apis/credentials
  2. In the Service Account Keys section, for every external (user-managed) service account key whose creation date is 90 or more days in the past, click the Delete Bin icon to delete the service account key

Create a new external (user-managed) Service Account Key for a Service Account:
  1. Go to APIs & Services\\Credentials using https://console.cloud.google.com/apis/credentials
  2. Click Create Credentials and Select Service Account Key.
  3. Choose the service account in the drop-down list for which an External (user-managed) Service Account key needs to be created.
  4. Select the desired key type format among JSON or P12.
  5. Click Create. It will download the private key. Keep it safe.
  6. Click close if prompted
  7. The site will redirect to the APIs & Services\\Credentials page. Make a note of the new ID displayed in the Service account keys section.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "1.6" }, { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.7" } ], "references": [ "https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys", "https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list", "https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys" ], "dashboard_name": "Service Accounts", "display_path": "iam.projects.id.service_accounts.id", "path": "iam.projects.id.service_accounts.id.keys.id", "conditions": [ "and", [ "iam.projects.id.service_accounts.id.keys.id.valid_after", "olderThan", [ "90", "days" ] ], [ "iam.projects.id.service_accounts.id.keys.id.key_type", "equal", "USER_MANAGED" ] ], "id_suffix": "valid_after" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-primitive-role-in-use.json ================================================ { "description": "Basic Role in Use", "rationale": "Basic roles grant significant privileges. In most cases, usage of these roles is not recommended and does not follow security best practice.

Note: This rule may flag Google-Managed Service Accounts. Google services rely on these Service Accounts having access to the project, and Google recommends not removing or changing the Service Account's role (see https://cloud.google.com/iam/docs/service-accounts#google-managed).", "remediation": "From Console:
  1. Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
  2. Go to the Members
  3. Identify user-managed (user-created) service accounts with roles containing *Admin or *admin, or with a role matching Editor or Owner
  4. Click the Delete bin icon to remove the role from the member (service account in this case)
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "1.4" }, { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.5" } ], "references": [ "https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/", "https://cloud.google.com/iam/docs/understanding-roles", "https://cloud.google.com/iam/docs/understanding-service-accounts" ], "dashboard_name": "Bindings", "path": "iam.projects.id.bindings.id", "conditions": [ "and", [ "iam.projects.id.bindings.id.name", "containAtLeastOneOf", [ "owner", "editor", "viewer" ] ] ], "id_suffix": "name" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-role-account-separation-duties-is-false.json ================================================ { "description": "Separation of Duties Not Enforced for Service Account", "rationale": "Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud IAM-service accounts, this could be an action such as using a service account to access resources that user should not normally have access to. No user should have Service Account Admin and Service Account User roles assigned at the same time.", "remediation": "From console:
  1. Go to IAM & Admin/IAM using https://console.cloud.google.com/iam-admin/iam.
  2. For any member having both Service Account Admin and Service account User roles granted/assigned, click the Delete Bin icon to remove either role from the member.
    Removal of a role should be done based on the business requirements.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.8" } ], "references": [ "https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/understanding-roles", "https://cloud.google.com/iam/docs/granting-changing-revoking-access" ], "dashboard_name": "Project", "path": "iam.projects.id.bindings_separation_duties.id", "conditions": [ "and", [ "iam.projects.id.bindings_separation_duties.id.account_separation_duties", "false", "" ] ], "id_suffix": "account_separation_duties" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-role-assigned-to-domain.json ================================================ { "description": "IAM Role Assigned to Domain", "rationale": "Roles granted to Workspace domains grant permissions to all users of the domain's Organization, which goes against the principle of least privilege.", "references": [ "https://cloud.google.com/iam/docs/understanding-roles", "https://cloud.google.com/iam/docs/using-iam-securely" ], "dashboard_name": "Bindings", "path": "iam.projects.id.bindings.id", "conditions": [ "and", [ "iam.projects.id.bindings.id.members.domains", "notEmpty", "" ] ], "id_suffix": "domains" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-role-assigned-to-user.json ================================================ { "description": "IAM Role Assigned to User", "rationale": "Best practices recommends granting roles to a Google Suite group instead of to individual users when possible. 
It is easier to add members to and remove members from a group instead of updating a Cloud IAM policy to add or remove users.", "references": [ "https://cloud.google.com/iam/docs/understanding-roles", "https://cloud.google.com/iam/docs/using-iam-securely" ], "dashboard_name": "Bindings", "path": "iam.projects.id.bindings.id", "conditions": [ "and", [ "iam.projects.id.bindings.id.members.users", "notEmpty", "" ] ], "id_suffix": "users" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-role-kms-separation-duties-is-false.json ================================================ { "description": "Separation of Duties Not Enforced for KMS", "rationale": "Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice. No user(s) should have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at the same time.", "remediation": "From console:
  1. Go to IAM & Admin/IAM using https://console.cloud.google.com/iam-admin/iam.
  2. For any member having Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles granted/assigned, click the Delete Bin icon to remove either role from the member.
    Removal of a role should be done based on the business requirements.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.11" } ], "references": [ "https://cloud.google.com/kms/docs/separation-of-duties" ], "dashboard_name": "Project", "path": "iam.projects.id.bindings_separation_duties.id", "conditions": [ "and", [ "iam.projects.id.bindings_separation_duties.id.kms_separation_duties", "false", "" ] ], "id_suffix": "kms_separation_duties" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-sa-has-admin-privileges.json ================================================ { "description": "Service Account with Admin Privileges", "rationale": "Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it. Enrolling Service Accounts with administrative privileges grants full access to assigned application or a VM, Service Account Access holder can user.

Note: This rule may flag Google-Managed Service Accounts. Google services rely on these Service Accounts having access to the project, and Google recommends not removing or changing the Service Account's role", "remediation": "From Console:
  1. Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
  2. Go to the Members
  3. Identify user-managed (user-created) service accounts with roles containing *Admin or *admin, or with a role matching Editor or Owner
  4. Click the Delete bin icon to remove the role from the member (service account in this case)
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "1.4" }, { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.5" } ], "references": [ "https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/", "https://cloud.google.com/iam/docs/understanding-roles", "https://cloud.google.com/iam/docs/understanding-service-accounts" ], "dashboard_name": "Bindings", "path": "iam.projects.id.bindings.id", "conditions": [ "and", [ "or", [ "iam.projects.id.bindings.id.name", "containAtLeastOneOf", [ "editor", "owner" ] ], [ "iam.projects.id.bindings.id.name", "match", ".*admin" ] ], [ "iam.projects.id.bindings.id.members.service_accounts", "notEmpty", "" ] ], "id_suffix": "service_accounts" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-service-account-user-member.json ================================================ { "description": "_ARG_1_", "rationale": "Access to the Service Account User role (roles/iam.serviceAccountUser) should be restricted, as members granted this role on a service account can use it to indirectly access all the resources to which the service account has access. 
", "references": [ "https://cloud.google.com/iam/docs/service-accounts#user-role" ], "dashboard_name": "Service Accounts", "display_path": "iam.projects.id.service_accounts.id", "path": "iam.projects.id.service_accounts.id.bindings.id", "conditions": [ "and", [ "iam.projects.id.service_accounts.id.bindings.id.members", "containAtLeastOneOf", "_ARG_0_" ] ], "key": "iam-service-account-user-_ARG_0_", "arg_names": [ "Member", "Description" ] } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-service-account-with-user-managed-keys.json ================================================ { "description": "User-Managed Service Account Keys", "rationale": "It is recommended to prevent use of user-managed service account keys, as anyone who has access to the keys will be able to access resources through the service account. Best practice recommends using GCP-managed keys, which are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis.", "remediation": "From Console:
  1. Go to the IAM page in the GCP Console using https://console.cloud.google.com/iam-admin/iam
  2. In the left navigation pane, click Service accounts. All service accounts and their corresponding keys are listed.
  3. Click the service account.
  4. Click Edit, then delete the keys.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "1.3" }, { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.4" } ], "references": [ "https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys", "https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts" ], "dashboard_name": "Service Accounts", "display_path": "iam.projects.id.service_accounts.id", "path": "iam.projects.id.service_accounts.id.keys.id", "conditions": [ "and", [ "iam.projects.id.service_accounts.id.keys.id.key_type", "equal", "USER_MANAGED" ] ], "id_suffix": "key_type" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/iam-user-has-sa-user-role.json ================================================ { "description": "User with Privileged Service Account Roles at the Project Level", "rationale": "Granting the iam.serviceAccountUser, iam.serviceAccountTokenCreator, or iam.serviceAccountActor role to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. This can result into elevation of privileges by using service accounts and corresponding Compute Engine instances.", "remediation": "From console:
  1. Go to the IAM page in the GCP Console by visiting: https://console.cloud.google.com/iam-admin/iam.
  2. Click on the filter table text bar. Type Role: Service Account User
  3. Click the Delete Bin icon in front of the role Service Account User for every user listed as a result of a filter.
  4. Click on the filter table text bar. Type Role: Service Account Token Creator
  5. Click the Delete Bin icon in front of the role Service Account Token Creator for every user listed as a result of a filter.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "1.5" }, { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.6" } ], "references": [ "https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/granting-changing-revoking-access", "https://cloud.google.com/iam/docs/understanding-roles", "https://cloud.google.com/iam/docs/granting-changing-revoking-access", "https://console.cloud.google.com/iam-admin/iam" ], "dashboard_name": "Bindings", "path": "iam.projects.id.bindings.id", "conditions": [ "and", [ "iam.projects.id.bindings.id.name", "containAtLeastOneOf", [ "iam.serviceAccountUser", "iam.serviceAccountTokenCreator", "iam.serviceAccountActor" ] ] ], "id_suffix": "user_has_sa_user_role" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kms-cryptokeys-anonymously-publicly-accessible.json ================================================ { "description": "Cloud KMS Cryptokeys Anonymously or Publicly Accessible", "rationale": "Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the data set. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS cryptokey is not allowed.", "remediation": "From command line:
  1. List all Cloud KMS Cryptokeys:
    gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'
  2. Remove IAM policy binding for a KMS key to remove access to allUsers and allAuthenticatedUsers using the below command.
    gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'
    gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.9" } ], "references": [ "https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding", "https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy", "https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy", "https://cloud.google.com/kms/docs/resource-hierarchy#key_resource_id" ], "dashboard_name": "KMS Bindings", "display_path": "kms.projects.id.keyrings.id", "path": "kms.projects.id.keyrings.id.keys.id.kms_iam_policy.id", "conditions": [ "and", [ "kms.projects.id.keyrings.id.keys.id.state", "equal", "ENABLED" ], [ "kms.projects.id.keyrings.id.keys.id.kms_iam_policy.id.anonymous_public_accessible", "false", "" ] ], "id_suffix": "anonymous_public_accessible" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kms-encryption-keys-not-rotated.json ================================================ { "description": "KMS Encryption Not Rotated within 90 Days", "rationale": "Set a key rotation period and starting time. A key can be created with a specified rotation period, which is the time between when new key versions are generated automatically. A key is used to protect some corpus of data. A collection of files could be encrypted with the same key and people with decrypt permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.", "remediation": "From console:
  1. Go to Cryptographic Keys by visiting: https://console.cloud.google.com/security/kms.
  2. Click on the specific key ring
  3. From the list of keys, choose the specific key and click the pop-up menu (3 dots) on the right side.
  4. Click on Edit rotation period.
  5. On the pop-up window, Select a new rotation period in days which should be less than 90 and then choose Starting on date (date from which the rotation period begins).
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "1.10" } ], "references": [ "https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation", "https://cloud.google.com/kms/docs/re-encrypt-data" ], "dashboard_name": "Keys", "display_path": "kms.projects.id.keyrings.id", "path": "kms.projects.id.keyrings.id.keys.id", "conditions": [ "and", [ "kms.projects.id.keyrings.id.keys.id.state", "equal", "ENABLED" ], [ "or", [ "kms.projects.id.keyrings.id.keys.id.rotation_period", "equal", "None" ], [ "kms.projects.id.keyrings.id.keys.id.rotation_period", "moreThan", "90" ] ], [ "or", [ "kms.projects.id.keyrings.id.keys.id.next_rotation_time_days", "equal", "None" ], [ "kms.projects.id.keyrings.id.keys.id.next_rotation_time_days", "moreThan", "90" ] ] ], "id_suffix": "rotation_period" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-basic-authentication-enabled.json ================================================ { "description": "Basic Authentication Enabled", "rationale": "Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. 
Its recommended to use either client certificate or IAM for authentication.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.10" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.8.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#evaluation_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.basic_authentication_enabled", "true", "" ] ], "id_suffix": "basic_authentication_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-certificate-authentication-enabled.json ================================================ { "description": "Certificate Authentication Enabled", "rationale": "Unless applications use the client certificate authentication method, it should be disabled.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.8.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#evaluation_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.client_certificate_enabled", "true", "" ] ], "id_suffix": "client_certificate_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-alias-ip-disabled.json ================================================ { "description": "Alias IP Disabled", "rationale": "With Alias IPs ranges 
enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.13" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.alias_ip_enabled", "false", "" ] ], "id_suffix": "alias_ip_disabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-application-layer-encryption-disabled.json ================================================ { "description": "Application-Layer Secrets Encryption Disabled", "rationale": "By default, GKE encrypts customer content stored at rest, including Secrets. GKE handles and manages this default encryption without any additional action.
Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as user defined Secrets and Secrets required for the operation of the cluster, such as service account keys, which are all stored in etcd.
Using this functionality, you can use a key, that you manage in Cloud KMS, to encrypt data at the application layer. This protects against attackers in the event that they manage to gain access to etcd.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.3.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "application_layer_encryption_enabled", "false", "" ] ], "id_suffix": "application_layer_encryption_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-binary-authorization-disabled.json ================================================ { "description": "Binary Authorization Disabled", "rationale": "Binary Authorization provides software supply-chain security for images that you deploy to GKE from Google Container Registry (GCR) or another container image registry.
Binary Authorization requires images to be signed by trusted authorities during the development process. These signatures are then validated at deployment time. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.10.5" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/binary-authorization/" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.binary_authorization_enabled", "false", "" ] ], "id_suffix": "binary_authorization_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-has-no-labels.json ================================================ { "description": "Clusters Lacking Labels", "rationale": "Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. 
Labels can also be used to apply specific security settings and auto configure objects at creation.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.5" } ], "references": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_namespaces_and_rbac_to_restrict_access_to_cluster_resources" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.has_labels", "false", "" ] ], "id_suffix": "has_no_labels" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-logging-disabled.json ================================================ { "description": "Cluster Logging Disabled", "rationale": "You should enable cluster logging and use a logging service so your cluster can export logs about its activities.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.1" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.7.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://kubernetes.io/docs/tasks/debug-application-cluster/audit/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#stackdriver_logging", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.logging_enabled", "false", "" ] ], "id_suffix": "logging_disabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-master-authorized-networks-disabled.json ================================================ { "description": "Master Authorized Networks Disabled", "rationale": "Master authorized networks 
blocks untrusted IP addresses from outside Google Cloud Platform. Addresses from inside GCP can still reach your master through HTTPS provided that they have the necessary Kubernetes credentials.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.4" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.3" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.master_authorized_networks_enabled", "false", "" ] ], "id_suffix": "master_authorized_networks_disabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-metadata-server-disabled.json ================================================ { "description": "GKE Metadata Server Disabled", "rationale": "Every GKE node stores its metadata on a metadata server. Some of this metadata, such as kubelet credentials and the VM instance identity token, is sensitive and should not be exposed to a Kubernetes workload.
Enabling the GKE Metadata server prevents pods (that are not running on the host network) from accessing this metadata and facilitates Workload Identity.
When unspecified, the default setting allows running pods to have full access to the node's underlying metadata server.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.4.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#concealment" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "metadata_server_enabled", "false", "" ] ], "id_suffix": "metadata_server_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-monitoring-disabled.json ================================================ { "description": "Cluster Monitoring Disabled", "rationale": "You should enable cluster monitoring and use a monitoring service so your cluster can export metrics about its activities.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.2" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.7.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#stackdriver_logging", "https://cloud.google.com/monitoring/kubernetes-engine#about-skm", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.monitoring_enabled", "false", "" ] ], "id_suffix": "monitoring_disabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-network-policy-disabled.json ================================================ { "description": "Network Policy Disabled", "rationale": "By default, pods are non-isolated; they accept 
traffic from any source. Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.11" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.7" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_with_network_policy", "https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview#network_security", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.network_policy_enabled", "false", "" ] ], "id_suffix": "network_policy_disabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-pod-security-policy-config-disabled.json ================================================ { "description": "Pod Security Policy Disabled", "rationale": "A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.", "remediation": "Enable the Pod Security Policy. 
By default, Pod Security Policy is disabled when you create a new cluster.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.14" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.10.3" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies", "https://kubernetes.io/docs/concepts/policy/pod-security-policy", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.pod_security_policy_enabled", "false", "" ] ], "id_suffix": "pod_security_policy_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-private-endpoint-disabled.json ================================================ { "description": "Private Cluster Endpoint Disabled", "rationale": "In a private cluster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's VPC network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's VPC network.
Although the Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes API publicly with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack.
Unless required, disabling public endpoint will help prevent such threats, and require the attacker to be on the master's VPC network to perform any attack on the Kubernetes API.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.15" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.4" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on", "https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.private_endpoint_enabled", "false", "" ] ], "id_suffix": "private_endpoint_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-private-google-access-disabled.json ================================================ { "description": "Private Google Access Disabled", "rationale": "Enabling Private Google Access allows hosts on a subnetwork to use a private IP address to reach Google APIs rather than an external IP address.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.16" } ], "references": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.private_ip_google_access_enabled", "false", "" ] ], "id_suffix": "private_ip_google_access_disabled" } ================================================ FILE: 
ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-release-channel.json ================================================ { "description": "Cluster Not Subscribed to Release Channel", "rationale": "Release Channels signal a graduating level of stability and production-readiness. These are based on observed performance of GKE clusters running that version and represent experience and confidence in the cluster version.
The Regular release channel upgrades every few weeks and is for production users who need features not yet offered in the Stable channel. These versions have passed internal validation, but don't have enough historical data to guarantee their stability. Known issues generally have known workarounds.
The Stable release channel upgrades every few months and is for production users who need stability above all else, and for whom frequent upgrades are too risky. These versions have passed internal validation and have been shown to be stable and reliable in production, based on the observed performance of those clusters.
Critical security patches are delivered to all release channels.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.4" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/concepts/release-channels" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.release_channel", "containNoneOf", [ "REGULAR", "STABLE" ] ] ], "id_suffix": "release_channel" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-shielded-nodes-disabled.json ================================================ { "description": "Shielded GKE Nodes Disabled", "rationale": "Shielded GKE nodes protect clusters against boot- or kernel-level malware or rootkits which persist beyond the infected OS.
Shielded GKE nodes run firmware which is signed and verified using Google's Certificate Authority, ensuring that the nodes' firmware is unmodified and establishing the root of trust for Secure Boot. GKE node identity is strongly protected via virtual Trusted Platform Module (vTPM) and verified remotely by the master node before the node joins the cluster.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.5" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.shielded_nodes_enabled", "false", "" ] ], "id_suffix": "shielded_nodes_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-cluster-workload-identity-disabled.json ================================================ { "description": "Workload Identity Disabled", "rationale": "Enabling Workload Identity manages the distribution and rotation of Service account keys for the workloads to use.
Kubernetes workloads should not use cluster node service accounts to authenticate to Google Cloud APIs. Each Kubernetes Workload that needs to authenticate to other Google services using Cloud IAM should be provisioned a dedicated Service account.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.2.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "workload_identity_enabled", "false", "" ] ], "id_suffix": "workload_identity_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-dashboard-enabled.json ================================================ { "description": "Kubernetes Dashboard Enabled", "rationale": "You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. 
The Cloud Console provides much of the same functionality, so you don't need this functionality.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.6" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.10.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#disable_kubernetes_dashboard", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.dashboard_status", "equal", "Enabled" ] ], "id_suffix": "dashboard_status" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-default-service-account-used.json ================================================ { "description": "Default Service Account in Use", "rationale": "Each GKE node has a Service Account associated with it. By default, nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. 
You should create and use a minimally privileged service account to run your GKE cluster instead of using the Compute Engine default service account.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.17" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.2.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.service_account", "equal", "default" ] ], "id_suffix": "default_service_account_used" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-legacy-abac-enabled.json ================================================ { "description": "Legacy Authorization (ABAC) Enabled", "rationale": "The legacy authorizer in Kubernetes grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. 
RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.3" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.8.4" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled_default_for_110", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.legacy_abac_enabled", "true", "" ] ], "id_suffix": "legacy_abac_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-legacy-metadata-endpoints-enabled.json ================================================ { "description": "Legacy Metadata Endpoints Enabled", "rationale": "The instance metadata server exposed legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers. Enforcing these headers is a feature of the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata, for example through Server-Side Request Forgery (SSRF). 
Unless specifically required, we recommend you disable these legacy APIs.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.4.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#protect_node_metadata_default_for_112", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.legacy_metadata_endpoints_enabled", "true", "" ] ], "id_suffix": "legacy_metadata_endpoints_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-node-auto-repair-disabled.json ================================================ { "description": "Nodes with Auto-Repair Disabled", "rationale": "Auto-repair helps maintain the cluster nodes in a healthy, running state.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.7" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.auto_repair_enabled", "false", "" ] ], "id_suffix": "auto_repair_disabled" } ================================================ FILE: 
ScoutSuite/providers/gcp/rules/findings/kubernetesengine-node-auto-upgrade-disabled.json ================================================ { "description": "Nodes with Auto-Upgrade Disabled", "rationale": "Auto-upgrades automatically ensures that security updates are applied and kept up to date.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.8" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.3" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.auto_upgrade_enabled", "false", "" ] ], "id_suffix": "auto_upgrade_disabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-node-container-optimized-os-not-used.json ================================================ { "description": "Lack of Container-Optimized OS Node Images", "rationale": "It is recommended to use container-optimized OS images, as they provide improved support, security and stability.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.9" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/container-optimized-os/docs/concepts/features-and-benefits", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on", "https://cloud.google.com/kubernetes-engine/docs/concepts/node-images" ], "dashboard_name": "Clusters", "path": 
"kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.image_type", "containNoneOf", [ "COS", "COS_CONTAINERD" ] ] ], "id_suffix": "container_optimized_os_not_used" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-node-integrity-monitoring-disabled.json ================================================ { "description": "Nodes with Integrity Monitoring Disabled", "rationale": "The Integrity Monitoring feature should be enabled for GKE cluster nodes in order to monitor and automatically check the runtime boot integrity of shielded cluster nodes using Cloud Monitoring service.", "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster", "https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.integrity_monitoring_enabled", "false", "" ] ], "id_suffix": "integrity_monitoring_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-node-secure-boot-disabled.json ================================================ { "description": "Nodes with Secure Boot Disabled", "rationale": "The Secure Boot feature should be enabled for GKE cluster nodes in order to protect them against malware and rootkits. 
Secure Boot helps ensure that the system runs only authentic software by verifying the digital signature of all boot components, and halting the boot process if the signature verification fails.", "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster", "https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.secure_boot_enabled", "false", "" ] ], "id_suffix": "secure_boot_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-private-nodes-disabled.json ================================================ { "description": "Private Cluster Nodes Disabled", "rationale": "Private Nodes are nodes with no public IP addresses. 
Disabling public IP addresses on cluster nodes restricts access to only internal networks, forcing attackers to obtain local network access before attempting to compromise the underlying Kubernetes hosts.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.15" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.5" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on", "https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.private_nodes_enabled", "false", "" ] ], "id_suffix": "private_nodes_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/kubernetesengine-scopes-not-limited.json ================================================ { "description": "Lack of Access Scope Limitation", "rationale": "If you are not creating a separate service account for your nodes, you should limit the scopes of the node service account to reduce the opportunity for privilege escalation. This ensures that the default service account does not have permissions beyond those necessary to run your cluster. While the default scopes are limited, they may include scopes beyond the minimally required ones needed to run your cluster. 
If you are accessing private images in Google Container Registry, the minimally required scopes are only logging.write, monitoring, and devstorage.read_only.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.18" } ], "references": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.has_limited_scopes", "false", "" ] ], "id_suffix": "scopes_not_limited" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/memorystore-redis-instance-auth-not-enabled.json ================================================ { "description": "Memory Instance Allows Unauthenticated Connections", "rationale": "All incoming connections to Cloud Memorystore databases should require the use of authentication and SSL.", "compliance": [], "references": [ "https://cloud.google.com/memorystore/docs/redis/managing-auth" ], "dashboard_name": "Redis Instances", "path": "cloudmemorystore.projects.id.redis_instances.id", "conditions": [ "and", [ "cloudmemorystore.projects.id.redis_instances.id.auth_enabled", "false", "" ] ], "id_suffix": "auth_enabled" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/memorystore-redis-instance-ssl-not-required.json ================================================ { "description": "Memory Instance Not Requiring SSL for Incoming Connections", "rationale": "All incoming connections to Cloud Memorystore databases should require the use of SSL.", "compliance": [], "references": [ "https://cloud.google.com/memorystore/docs/redis/securing-tls-connections" ], "dashboard_name": "Redis Instances", "path": "cloudmemorystore.projects.id.redis_instances.id", "conditions": [ "and", [ "cloudmemorystore.projects.id.redis_instances.id.ssl_required", "false", "" ] ], 
"id_suffix": "ssl_required" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdriverlogging-metric-filter-does-not-exist-audit-config-changes.json ================================================ { "description": "Log Metric Filter Doesn't Exist for Audit Configuration Changes", "rationale": "Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.", "remediation": "From console:
  1. Go to Logging/Logs by visiting https://console.cloud.google.com/logs/metrics and click \"CREATE METRIC\".
  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
    protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*
  4. Click Submit Filter. The logs display based on the filter text entered by the user.
  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
  6. Click Create Metric.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.5" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy" ], "dashboard_name": "Logging Configurations", "path": "stackdriverlogging.projects.id.logging_metrics.id", "conditions": [ "and", [ "stackdriverlogging.projects.id.logging_metrics.id.audit_config_change", "false", "" ] ], "id_suffix": "audit_config_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdriverlogging-metric-filter-does-not-exist-cloud-storage-iam-permission-changes.json ================================================ { "description": "Log Metric Filter Doesn't Exist for Cloud Storage IAM Permission Changes", "rationale": "Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.", "remediation": "From console:
  1. Go to Logging/Logs by visiting https://console.cloud.google.com/logs/metrics and click \"CREATE METRIC\".
  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
    resource.type=gcs_bucket AND protoPayload.methodName=\"storage.setIamPermissions\"
  4. Click Submit Filter. The logs display based on the filter text entered by the user.
  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
  6. Click Create Metric.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.10" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/storage/docs", "https://cloud.google.com/storage/docs/access-control/iam-roles" ], "dashboard_name": "Logging Configurations", "path": "stackdriverlogging.projects.id.logging_metrics.id", "conditions": [ "and", [ "stackdriverlogging.projects.id.logging_metrics.id.cloud_storage_iam_permission_change", "false", "" ] ], "id_suffix": "cloud_storage_iam_permission_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdriverlogging-metric-filter-does-not-exist-custom-role-changes.json ================================================ { "description": "Log Metric Filter Doesn't Exist for Custom Role Changes", "rationale": "Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.", "remediation": "From console:
  1. Go to Logging/Logs by visiting https://console.cloud.google.com/logs/metrics and click \"CREATE METRIC\".
  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
    resource.type=\"iam_role\" AND protoPayload.methodName = \"google.iam.admin.v1.CreateRole\" OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\" OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\"
  4. Click Submit Filter. The logs display based on the filter text entered by the user.
  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
  6. Click Create Metric.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.6" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/iam/docs/understanding-custom-roles" ], "dashboard_name": "Logging Configurations", "path": "stackdriverlogging.projects.id.logging_metrics.id", "conditions": [ "and", [ "stackdriverlogging.projects.id.logging_metrics.id.custom_role_change", "false", "" ] ], "id_suffix": "custom_role_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdriverlogging-metric-filter-does-not-exist-project-ownership-assignment.json ================================================ { "description": "Log Metric Filter Doesn't Exist for Project Ownership Assignments/Changes", "rationale": "Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.", "remediation": "From console:
  1. Go to Logging/Logs by visiting https://console.cloud.google.com/logs/metrics and click \"CREATE METRIC\".
  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
    (protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"REMOVE\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\")
  4. Click Submit Filter. The logs display based on the filter text entered by the user.
  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
  6. Click Create Metric.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.4" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging" ], "dashboard_name": "Logging Configurations", "path": "stackdriverlogging.projects.id.logging_metrics.id", "conditions": [ "and", [ "stackdriverlogging.projects.id.logging_metrics.id.project_ownership_assignments", "false", "" ] ], "id_suffix": "project_ownership_assignments" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdriverlogging-metric-filter-does-not-exist-sql-instance-config-changes.json ================================================ { "description": "Log Metric Filter Doesn't Exist for SQL Instance Configuration Changes", "rationale": "Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.", "remediation": "From console:
  1. Go to Logging/Logs by visiting https://console.cloud.google.com/logs/metrics and click \"CREATE METRIC\".
  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
    protoPayload.methodName=\"cloudsql.instances.update\"
  4. Click Submit Filter. The logs display based on the filter text entered by the user.
  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
  6. Click Create Metric.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.11" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/storage/docs", "https://cloud.google.com/sql/docs/", "https://cloud.google.com/sql/docs/mysql/", "https://cloud.google.com/sql/docs/postgres/" ], "dashboard_name": "Logging Configurations", "path": "stackdriverlogging.projects.id.logging_metrics.id", "conditions": [ "and", [ "stackdriverlogging.projects.id.logging_metrics.id.sql_instance_conf_change", "false", "" ] ], "id_suffix": "sql_instance_conf_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdriverlogging-metric-filter-does-not-exist-vpc-network-changes.json ================================================ { "description": "Log Metric Filter Doesn't Exist for VPC Network Changes", "rationale": "It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enablingnetwork traffic to route between VPCs.Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.", "remediation": "From console:
  1. Go to Logging/Logs by visiting https://console.cloud.google.com/logs/metrics and click \"CREATE METRIC\".
  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
    resource.type=gce_network AND jsonPayload.event_subtype=\"compute.networks.insert\" OR jsonPayload.event_subtype=\"compute.networks.patch\" OR jsonPayload.event_subtype=\"compute.networks.delete\" OR jsonPayload.event_subtype=\"compute.networks.removePeering\" OR jsonPayload.event_subtype=\"compute.networks.addPeering\"
  4. Click Submit Filter. The logs display based on the filter text entered by the user.
  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
  6. Click Create Metric.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.9" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/vpc/docs/overview" ], "dashboard_name": "Logging Configurations", "path": "stackdriverlogging.projects.id.logging_metrics.id", "conditions": [ "and", [ "stackdriverlogging.projects.id.logging_metrics.id.vpc_network_change", "false", "" ] ], "id_suffix": "vpc_network_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdriverlogging-metric-filter-does-not-exist-vpc-network-firewall-rule-changes.json ================================================ { "description": "Log Metric Filter Doesn't Exist for VPC Network Firewall Rule Changes", "rationale": "Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.", "remediation": "From console:
  1. Go to Logging/Logs by visiting https://console.cloud.google.com/logs/metrics and click \"CREATE METRIC\".
  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
    resource.type=\"gce_firewall_rule\" AND jsonPayload.event_subtype=\"compute.firewalls.patch\" OR jsonPayload.event_subtype=\"compute.firewalls.insert\"
  4. Click Submit Filter. The logs display based on the filter text entered by the user.
  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
  6. Click Create Metric.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.7" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/vpc/docs/firewalls" ], "dashboard_name": "Logging Configurations", "path": "stackdriverlogging.projects.id.logging_metrics.id", "conditions": [ "and", [ "stackdriverlogging.projects.id.logging_metrics.id.vpc_network_firewall_rule_change", "false", "" ] ], "id_suffix": "vpc_network_firewall_rule_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdriverlogging-metric-filter-does-not-exist-vpc-network-route-changes.json ================================================ { "description": "Log Metric Filter Doesn't Exist for VPC Network Route Changes", "rationale": "Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.", "remediation": "From console:
  1. Go to Logging/Logs by visiting https://console.cloud.google.com/logs/metrics and click \"CREATE METRIC\".
  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
    resource.type=\"gce_route\" AND jsonPayload.event_subtype=\"compute.routes.delete\" OR jsonPayload.event_subtype=\"compute.routes.insert\"
  4. Click Submit Filter. The logs display based on the filter text entered by the user.
  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
  6. Click Create Metric.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.8" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/storage/docs/access-control/iam" ], "dashboard_name": "Logging Configurations", "path": "stackdriverlogging.projects.id.logging_metrics.id", "conditions": [ "and", [ "stackdriverlogging.projects.id.logging_metrics.id.vpc_network_route_change", "false", "" ] ], "id_suffix": "vpc_network_route_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdriverlogging-no-export-sinks.json ================================================ { "description": "Lack of Export Sinks", "rationale": "Export sinks for Stackdriver logging were not found. As a result, logs would be deleted after the configured retention period, and would not be backed up.", "references": [ "https://cloud.google.com/logging", "https://cloud.google.com/logging/docs/export" ], "dashboard_name": "Logging Configurations", "display_path": "stackdriverlogging.projects.id.sinks", "path": "stackdriverlogging.projects.id", "conditions": [ "and", [ "stackdriverlogging.projects.id.sinks", "empty", "" ] ] } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdrivermonitoring-alerts-does-not-exist-audit-config-changes.json ================================================ { "description": "Alerts Doesn't Exist for Audit Configuration Changes", "rationale": "Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.", "remediation": "From console:
  1. Identify the audit configuration changes metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the desired metric and select Create alert from Metric. A new page opens.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
    Set `Aggregator` to `Count`
    Set `Configuration`:
    -Condition: above
    -Threshold: 0
    -For: most recent value
  4. Configure the desired notifications channels in the section Notifications.
  5. Name the policy and click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.5" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy" ], "dashboard_name": "Monitoring Alerts", "path": "stackdrivermonitoring.projects.id.monitoring_alert_policies.id", "conditions": [ "and", [ "stackdrivermonitoring.projects.id.monitoring_alert_policies.id.audit_config_change", "false", "" ] ], "id_suffix": "audit_config_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdrivermonitoring-alerts-does-not-exist-cloud-storage-iam-permission-changes.json ================================================ { "description": "Alerts Doesn't Exist for Cloud Storage IAM Permission Changes", "rationale": "Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.", "remediation": "From console:
  1. Identify the cloud storage IAM permission changes metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the desired metric and select Create alert from Metric. A new page opens.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
    Set `Aggregator` to `Count`
    Set `Configuration`:
    -Condition: above
    -Threshold: 0
    -For: most recent value
  4. Configure the desired notifications channels in the section Notifications.
  5. Name the policy and click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.10" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/storage/docs", "https://cloud.google.com/storage/docs/access-control/iam-roles" ], "dashboard_name": "Monitoring Alerts", "path": "stackdrivermonitoring.projects.id.monitoring_alert_policies.id", "conditions": [ "and", [ "stackdrivermonitoring.projects.id.monitoring_alert_policies.id.cloud_storage_iam_permission_change", "false", "" ] ], "id_suffix": "cloud_storage_iam_permission_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdrivermonitoring-alerts-does-not-exist-custom-role-changes.json ================================================ { "description": "Alerts Doesn't Exist for Custom Role Changes", "rationale": "Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.", "remediation": "From console:
  1. Identify the custom role changes metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the desired metric and select Create alert from Metric. A new page opens.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
    Set `Aggregator` to `Count`
    Set `Configuration`:
    -Condition: above
    -Threshold: 0
    -For: most recent value
  4. Configure the desired notifications channels in the section Notifications.
  5. Name the policy and click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.6" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/iam/docs/understanding-custom-roles" ], "dashboard_name": "Monitoring Alerts", "path": "stackdrivermonitoring.projects.id.monitoring_alert_policies.id", "conditions": [ "and", [ "stackdrivermonitoring.projects.id.monitoring_alert_policies.id.custom_role_change", "false", "" ] ], "id_suffix": "custom_role_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdrivermonitoring-alerts-does-not-exist-project-ownership-assignment.json ================================================ { "description": "Alerts Doesn't Exist for Project Ownership Assignments/Changes", "rationale": "Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.", "remediation": "From console:
  1. Identify the project ownership assignment/changes metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the desired metric and select Create alert from Metric. A new page opens.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
    Set `Aggregator` to `Count`
    Set `Configuration`:
    -Condition: above
    -Threshold: 0
    -For: most recent value
  4. Configure the desired notifications channels in the section Notifications.
  5. Name the policy and click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.4" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging" ], "dashboard_name": "Monitoring Alerts", "path": "stackdrivermonitoring.projects.id.monitoring_alert_policies.id", "conditions": [ "and", [ "stackdrivermonitoring.projects.id.monitoring_alert_policies.id.project_ownership_assignments", "false", "" ] ], "id_suffix": "project_ownership_assignments" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdrivermonitoring-alerts-does-not-exist-sql-instance-config-changes.json ================================================ { "description": "Alerts Doesn't Exist for SQL Instance Configuration Changes", "rationale": "Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.", "remediation": "From console:
  1. Identify the sql instance configuration changes metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the desired metric and select Create alert from Metric. A new page opens.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
    Set `Aggregator` to `Count`
    Set `Configuration`:
    -Condition: above
    -Threshold: 0
    -For: most recent value
  4. Configure the desired notifications channels in the section Notifications.
  5. Name the policy and click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.11" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/storage/docs", "https://cloud.google.com/sql/docs/", "https://cloud.google.com/sql/docs/mysql/", "https://cloud.google.com/sql/docs/postgres/" ], "dashboard_name": "Monitoring Alerts", "path": "stackdrivermonitoring.projects.id.monitoring_alert_policies.id", "conditions": [ "and", [ "stackdrivermonitoring.projects.id.monitoring_alert_policies.id.sql_instance_conf_change", "false", "" ] ], "id_suffix": "sql_instance_conf_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdrivermonitoring-alerts-does-not-exist-vpc-network-changes.json ================================================ { "description": "Alerts Doesn't Exist for VPC Network Changes", "rationale": "It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enablingnetwork traffic to route between VPCs. Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.", "remediation": "From console:
  1. Identify the vpc network changes metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the desired metric and select Create alert from Metric. A new page opens.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
    Set `Aggregator` to `Count`
    Set `Configuration`:
    -Condition: above
    -Threshold: 0
    -For: most recent value
  4. Configure the desired notifications channels in the section Notifications.
  5. Name the policy and click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.9" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/vpc/docs/overview" ], "dashboard_name": "Monitoring Alerts", "path": "stackdrivermonitoring.projects.id.monitoring_alert_policies.id", "conditions": [ "and", [ "stackdrivermonitoring.projects.id.monitoring_alert_policies.id.vpc_network_change", "false", "" ] ], "id_suffix": "vpc_network_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdrivermonitoring-alerts-does-not-exist-vpc-network-firewall-rule-changes.json ================================================ { "description": "Alerts Doesn't Exist for VPC Network Firewall Rule Changes", "rationale": "Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.", "remediation": "From console:
  1. Identify the vpc network firewall rule changes metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the desired metric and select Create alert from Metric. A new page opens.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
    Set `Aggregator` to `Count`
    Set `Configuration`:
    -Condition: above
    -Threshold: 0
    -For: most recent value
  4. Configure the desired notifications channels in the section Notifications.
  5. Name the policy and click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.7" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/vpc/docs/firewalls" ], "dashboard_name": "Monitoring Alerts", "path": "stackdrivermonitoring.projects.id.monitoring_alert_policies.id", "conditions": [ "and", [ "stackdrivermonitoring.projects.id.monitoring_alert_policies.id.vpc_network_firewall_rule_change", "false", "" ] ], "id_suffix": "vpc_network_firewall_rule_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/findings/stackdrivermonitoring-alerts-does-not-exist-vpc-network-route-changes.json ================================================ { "description": "Alerts Doesn't Exist for VPC Network Route Changes", "rationale": "Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.", "remediation": "From console:
  1. Identify the vpc network route changes metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the desired metric and select Create alert from Metric. A new page opens.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
    Set `Aggregator` to `Count`
    Set `Configuration`:
    -Condition: above
    -Threshold: 0
    -For: most recent value
  4. Configure the desired notifications channels in the section Notifications.
  5. Name the policy and click Save.
", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.1.0", "reference": "2.8" } ], "references": [ "https://cloud.google.com/logging/docs/logs-based-metrics/", "https://cloud.google.com/monitoring/custom-metrics/", "https://cloud.google.com/monitoring/alerts/", "https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", "https://cloud.google.com/storage/docs/access-control/iam" ], "dashboard_name": "Monitoring Alerts", "path": "stackdrivermonitoring.projects.id.monitoring_alert_policies.id", "conditions": [ "and", [ "stackdrivermonitoring.projects.id.monitoring_alert_policies.id.vpc_network_route_change", "false", "" ] ], "id_suffix": "vpc_network_route_change" } ================================================ FILE: ScoutSuite/providers/gcp/rules/rulesets/cis-1.0.0.json ================================================ { "about": "This ruleset attempts to cover as many recommendations from the CIS Google Cloud Platform Foundation v1.0.0.", "rules": { "cloudsql-allows-root-login-from-any-host.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-instance-ssl-not-required.json": [ { "enabled": true, "level": "warning" } ], "cloudstorage-bucket-member.json": [ { "args": [ "allUsers", "Bucket with 'allUsers' permissions" ], "enabled": true, "level": "danger" }, { "args": [ "allAuthenticatedUsers", "Bucket with 'allAuthenticatedUsers' permissions" ], "enabled": true, "level": "danger" } ], "cloudstorage-bucket-no-logging.json": [ { "enabled": true, "level": "warning" } ], "iam-gmail-accounts-used.json": [ { "enabled": true, "level": "warning" } ], "iam-lack-of-service-account-key-rotation.json": [ { "enabled": true, "level": "warning" } ], "iam-sa-has-admin-privileges.json": [ { "enabled": true, "level": "warning" } ], "iam-service-account-with-user-managed-keys.json": [ { "enabled": true, "level": "warning" } ], "iam-user-has-sa-user-role.json": [ { "enabled": true, "level": "warning" } ], 
"kubernetesengine-basic-authentication-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-certificate-authentication-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-alias-ip-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-has-no-labels.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-logging-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-master-authorized-networks-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-monitoring-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-network-policy-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-pod-security-policy-config-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-private-google-access-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-dashboard-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-default-service-account-used.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-legacy-abac-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-legacy-metadata-endpoints-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-auto-repair-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-auto-upgrade-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-container-optimized-os-not-used.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-private-nodes-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-scopes-not-limited.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/gcp/rules/rulesets/cis-1.1.0.json 
================================================ { "about": "This ruleset attempts to cover as many recommendations from the CIS Google Cloud Platform Foundation v1.1.0.", "rules": { "cloudsql-instances-public-ips.json": [ { "enabled": true, "level": "danger" } ], "cloudsql-mysql-instances-local-infile-on.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-checkpoints-off.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-connections-off.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-disconnections-off.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-lock-waits-off.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-min-duration-not-set-1.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-min-messages-not-set.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-temp-files-not-set-0.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-sqlservers-instances-contained-database-authentication-on.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-sqlservers-instances-cross-db-ownership-chaining-on.json": [ { "enabled": true, "level": "warning" } ], "cloudstorage-uniform-bucket-level-access-disabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-block-project-ssh-keys-disabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-connecting-serial-ports-enabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-default-service-account.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-disk-not-csek-encrypted.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-full-api-access.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-ip-forwarding-enabled.json": [ 
{ "enabled": true, "level": "warning" } ], "computeengine-instance-os-login-disabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-public-ip-adresses.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-shielded-vm-disabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-network-default-in-use.json": [ { "enabled": true, "level": "warning" } ], "computeengine-network-legacy-in-use.json": [ { "enabled": true, "level": "warning" } ], "dns-zones-dnssec-not-enabled.json": [ { "enabled": true, "level": "warning" } ], "dns-zones-key-signing-key-using-rsasha1": [ { "enabled": true, "level": "warning" } ], "dns-zones-zone-signing-key-using-rsasha1": [ { "enabled": true, "level": "warning" } ], "iam-role-account-separation-duties-is-false.json": [ { "enabled": true, "level": "warning" } ], "iam-role-kms-separation-duties-is-false.json": [ { "enabled": true, "level": "warning" } ], "kms-cryptokeys-anonymously-publicly-accessible.json": [ { "enabled": true, "level": "danger" } ], "kms-encryption-keys-not-rotated.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-audit-config-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-cloud-storage-iam-permission-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-custom-role-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-project-ownership-assignment.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-sql-instance-config-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-vpc-network-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-vpc-network-firewall-rule-changes.json": [ { 
"enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-vpc-network-route-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-audit-config-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-cloud-storage-iam-permission-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-custom-role-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-project-ownership-assignment.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-sql-instance-config-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-vpc-network-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-vpc-network-firewall-rule-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-vpc-network-route-changes.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/gcp/rules/rulesets/default.json ================================================ { "about": "This ruleset consists of numerous rules that are considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. 
Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.", "rules": { "bigquery-dataset-member.json": [ { "args": [ "allUsers" ], "enabled": true, "level": "danger" }, { "args": [ "allAuthenticatedUsers" ], "enabled": true, "level": "danger" } ], "bigquery-encryption-no-cmk.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-allows-root-login-from-any-host.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-instance-backups-disabled.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-instance-is-open-to-public-range.json": [ { "enabled": true, "level": "danger" } ], "cloudsql-instance-is-open-to-the-world.json": [ { "enabled": true, "level": "danger" } ], "cloudsql-instance-no-binary-logging.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-instance-ssl-not-required.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-instance-with-no-backups.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-instances-public-ips.json": [ { "enabled": true, "level": "danger" } ], "cloudsql-mysql-instances-local-infile-on.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-checkpoints-off.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-connections-off.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-disconnections-off.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-lock-waits-off.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-min-duration-not-set-1.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-min-messages-not-set.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-postgresql-instances-log-temp-files-not-set-0.json": [ { "enabled": true, "level": "warning" } ], 
"cloudsql-sqlservers-instances-contained-database-authentication-on.json": [ { "enabled": true, "level": "warning" } ], "cloudsql-sqlservers-instances-cross-db-ownership-chaining-on.json": [ { "enabled": true, "level": "warning" } ], "cloudstorage-bucket-member.json": [ { "args": [ "allUsers" ], "enabled": true, "level": "danger" }, { "args": [ "allAuthenticatedUsers" ], "enabled": true, "level": "danger" } ], "cloudstorage-bucket-no-public-access-prevention.json": [ { "enabled": true, "level": "warning" } ], "cloudstorage-bucket-no-logging.json": [ { "enabled": true, "level": "warning" } ], "cloudstorage-bucket-no-versioning.json": [ { "enabled": true, "level": "warning" } ], "cloudstorage-uniform-bucket-level-access-disabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-firewall-default-rule-in-use.json": [ { "enabled": true, "level": "warning" } ], "computeengine-firewall-rule-allows-all-ports.json": [ { "enabled": true, "level": "warning" } ], "computeengine-firewall-rule-allows-internal-traffic.json": [ { "enabled": true, "level": "warning" } ], "computeengine-firewall-rule-allows-port-range.json": [ { "enabled": true, "level": "warning" } ], "computeengine-firewall-rule-allows-public-access.json": [ { "enabled": true, "level": "warning" } ], "computeengine-firewall-rule-opens-all-ports-to-all.json": [ { "enabled": true, "level": "warning" } ], "computeengine-firewall-rule-opens-sensitive-port-to-all.json": [ { "args": [ "INGRESS" ], "enabled": true, "level": "warning" } ], "computeengine-instance-block-project-ssh-keys-disabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-connecting-serial-ports-enabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-default-service-account.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-disk-not-csek-encrypted.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-disk-with-no-snapshot.json": [ { 
"enabled": true, "level": "warning" } ], "computeengine-instance-full-api-access.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-ip-forwarding-enabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-os-login-disabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-public-ip-adresses.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-shielded-vm-disabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-instance-with-deletion-protection-disabled.json": [ { "enabled": true, "level": "warning" } ], "computeengine-loadbalancer-forwarding-rule-forwards-sensitive-port.json": [ { "enabled": true, "level": "warning" } ], "computeengine-loadbalancer-global-forwarding-rule-forwards-sensitive-port.json": [ { "enabled": true, "level": "warning" } ], "computeengine-network-default-in-use.json": [ { "enabled": true, "level": "warning" } ], "computeengine-network-legacy-in-use.json": [ { "enabled": true, "level": "warning" } ], "computeengine-network-with-no-instances.json": [ { "enabled": true, "level": "warning" } ], "computeengine-old-disk-snapshot.json": [ { "enabled": true, "level": "warning" } ], "computeengine-vpc-flow-logs-disabled.json": [ { "enabled": true, "level": "warning" } ], "dns-zones-dnssec-not-enabled.json": [ { "enabled": true, "level": "warning" } ], "dns-zones-key-signing-key-using-rsasha1.json": [ { "enabled": true, "level": "warning" } ], "dns-zones-zone-signing-key-using-rsasha1.json": [ { "enabled": true, "level": "warning" } ], "functions-v1-allowing-http.json": [ { "enabled": true, "level": "warning" } ], "functions-v1-environment-variables-secrets.json": [ { "enabled": true, "level": "warning" } ], "functions-v1-member.json": [ { "args": [ "allUsers" ], "enabled": true, "level": "danger" }, { "args": [ "allAuthenticatedUsers" ], "enabled": true, "level": "danger" } ], "functions-v1-public-endpoint.json": [ { "enabled": true, 
"level": "warning" } ], "functions-v2-environment-variables-secrets.json": [ { "enabled": true, "level": "warning" } ], "functions-v2-public-endpoint.json": [ { "enabled": true, "level": "warning" } ], "iam-gmail-accounts-used.json": [ { "enabled": true, "level": "warning" } ], "iam-lack-of-service-account-key-rotation.json": [ { "enabled": true, "level": "warning" } ], "iam-primitive-role-in-use.json": [ { "enabled": true, "level": "warning" } ], "iam-role-account-separation-duties-is-false.json": [ { "enabled": true, "level": "warning" } ], "iam-role-assigned-to-domain.json": [ { "enabled": true, "level": "danger" } ], "iam-role-assigned-to-user.json": [ { "enabled": true, "level": "warning" } ], "iam-role-kms-separation-duties-is-false.json": [ { "enabled": true, "level": "warning" } ], "iam-sa-has-admin-privileges.json": [ { "enabled": true, "level": "warning" } ], "iam-service-account-user-member.json": [ { "args": [ "allUsers", "Service Account with 'allUsers' Service Account User" ], "enabled": true, "level": "warning" }, { "args": [ "allAuthenticatedUsers", "Service Account with 'allAuthenticatedUsers' Service Account User" ], "enabled": true, "level": "warning" } ], "iam-service-account-with-user-managed-keys.json": [ { "enabled": true, "level": "warning" } ], "iam-user-has-sa-user-role.json": [ { "enabled": true, "level": "warning" } ], "kms-cryptokeys-anonymously-publicly-accessible.json": [ { "enabled": true, "level": "danger" } ], "kms-encryption-keys-not-rotated.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-basic-authentication-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-certificate-authentication-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-alias-ip-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-application-layer-encryption-disabled.json": [ { "enabled": true, "level": "warning" } ], 
"kubernetesengine-cluster-binary-authorization-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-has-no-labels.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-logging-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-master-authorized-networks-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-metadata-server-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-monitoring-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-network-policy-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-pod-security-policy-config-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-private-endpoint-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-private-google-access-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-release-channel.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-shielded-nodes-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-workload-identity-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-dashboard-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-default-service-account-used.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-legacy-abac-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-legacy-metadata-endpoints-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-auto-repair-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-auto-upgrade-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-container-optimized-os-not-used.json": [ { "enabled": true, 
"level": "warning" } ], "kubernetesengine-node-integrity-monitoring-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-secure-boot-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-private-nodes-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-scopes-not-limited.json": [ { "enabled": true, "level": "warning" } ], "memorystore-redis-instance-auth-not-enabled.json": [ { "enabled": true, "level": "warning" } ], "memorystore-redis-instance-ssl-not-required.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-audit-config-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-cloud-storage-iam-permission-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-custom-role-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-project-ownership-assignment.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-sql-instance-config-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-vpc-network-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-vpc-network-firewall-rule-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-metric-filter-does-not-exist-vpc-network-route-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdriverlogging-no-export-sinks.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-audit-config-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-cloud-storage-iam-permission-changes.json": [ { "enabled": true, "level": "warning" } ], 
"stackdrivermonitoring-alerts-does-not-exist-custom-role-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-project-ownership-assignment.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-sql-instance-config-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-vpc-network-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-vpc-network-firewall-rule-changes.json": [ { "enabled": true, "level": "warning" } ], "stackdrivermonitoring-alerts-does-not-exist-vpc-network-route-changes.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/gcp/rules/rulesets/filters.json ================================================ { "about": "Default set of filters for Scout", "rules": {} } ================================================ FILE: ScoutSuite/providers/gcp/services.py ================================================ from ScoutSuite.providers.base.services import BaseServicesConfig from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.gcp.resources.cloudsql.base import CloudSQL from ScoutSuite.providers.gcp.resources.memorystore.base import MemoryStore from ScoutSuite.providers.gcp.resources.cloudstorage.base import CloudStorage from ScoutSuite.providers.gcp.resources.gce.base import ComputeEngine from ScoutSuite.providers.gcp.resources.iam.base import IAM from ScoutSuite.providers.gcp.resources.kms.base import KMS from ScoutSuite.providers.gcp.resources.dns.base import DNS from ScoutSuite.providers.gcp.resources.functions.base import Functions from ScoutSuite.providers.gcp.resources.bigquery.base import BigQuery from ScoutSuite.providers.gcp.resources.stackdriverlogging.base import StackdriverLogging from ScoutSuite.providers.gcp.resources.stackdrivermonitoring.base 
def is_throttled(exception):
    """
    Report whether an exception raised by a GCP API call signals throttling.

    The check is a case-sensitive substring match of the exception's string
    form against a fixed set of quota / rate-limit markers.

    :param exception: Exception raised
    :return: True if it's a throttling exception else False
    """
    quota_markers = (
        'Quota exceeded',
        'API_SHARED_QUOTA_EXHAUSTED',
        'RATE_LIMIT_EXCEEDED',
    )
    try:
        message = str(exception)
        for marker in quota_markers:
            if marker in message:
                return True
        return False
    except Exception as e:
        # Rendering the exception itself failed; treat it as "not throttled"
        # so the caller does not retry on an unknown error.
        print_exception(f'Unable to validate exception {exception} for GCP throttling: {e}')
        return False
def authenticate(self, **kwargs):
    '''
    Obtain credentials to interact with the Kubernetes cluster.

    Reads these keyword arguments: kubernetes_cluster_provider,
    kubernetes_config_file, kubernetes_context, kubernetes_persist_config,
    kubernetes_fetch_local and (AKS only) kubernetes_azure_subscription_id.

    When the provider is 'aks', 'eks' or 'gke' the matching cloud
    authentication strategy is run first and its result stored on the
    returned object; any other value (including None) skips cloud
    authentication and only the kubeconfig is loaded.

    :return: a populated KubernetesCredentials instance
    '''
    # Raise the threshold of the kubernetes REST client logger to ERROR.
    logging.getLogger('kubernetes.client.rest').setLevel(logging.ERROR)

    provider = kwargs.get('kubernetes_cluster_provider')
    kubeconfig_path = kwargs.get('kubernetes_config_file')
    context_name = kwargs.get('kubernetes_context')
    # NOTE(review): per the kubernetes client documentation, a truthy
    # persist_config lets the client write refreshed tokens back into the
    # kubeconfig file; confirm that is intended for a read-only audit run.
    persist = kwargs.get('kubernetes_persist_config')
    local_only = kwargs.get('kubernetes_fetch_local')

    creds = KubernetesCredentials()

    if provider == ClusterProvider.AKS.value:
        creds.azure = AzureAuthenticationStrategy().authenticate(
            cli=True,
            subscription_id=kwargs.get('kubernetes_azure_subscription_id'),
        )
    elif provider == ClusterProvider.EKS.value:
        creds.aws = AWSAuthenticationStrategy().authenticate()
    elif provider == ClusterProvider.GKE.value:
        creds.gcp = GCPAuthenticationStrategy().authenticate(user_account=True)

    config.load_kube_config(kubeconfig_path, context_name, None, persist)

    creds.cluster_provider = provider
    if context_name:
        creds.cluster_context = context_name
    else:
        # No context requested: fall back to the cluster name of the active
        # context (second element returned by list_kube_config_contexts).
        creds.cluster_context = config.list_kube_config_contexts(kubeconfig_path)[1]['context']['cluster']
    creds.api_client = config.new_client_from_config(kubeconfig_path, context_name, persist)
    creds.fetch_local = local_only
    return creds
class KubernetesFacade:
    """
    Bundle of the facades used to query a Kubernetes cluster.

    The core, extra and version facades are always built. Exactly one
    cloud-specific facade (azure_monitoring, eks or gcp) is built when
    credentials.cluster_provider names a managed offering; the other two
    stay None.
    """

    def __init__(self, credentials: KubernetesCredentials):
        self.eks = None
        self.azure_monitoring = None
        self.gcp = None

        self.core = CoreFacade(credentials)
        self.extra = ExtraFacade(credentials)
        self.version = VersionFacade(credentials)

        provider = credentials.cluster_provider
        if provider == ClusterProvider.AKS.value:
            # NOTE(review): the whole KubernetesCredentials object is passed,
            # not credentials.azure; confirm LoggingMonitoringFacade expects that.
            self.azure_monitoring = LoggingMonitoringFacade(credentials)
        elif provider == ClusterProvider.EKS.value:
            self.eks = EKSFacade(credentials)
        elif provider == ClusterProvider.GKE.value:
            # NOTE(review): GCPServicesConfig calls GCPFacade with project /
            # folder / organization identifiers, while this call passes the
            # credentials object as the first positional argument; verify the
            # GKE path against GCPFacade's signature.
            self.gcp = GCPFacade(credentials)
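def get(self, path) -> dict:
    """
    Issue a GET against the cluster API server and decode the JSON body.

    :param path: API path; a leading '/' is added when it is missing
    :return: the decoded response, {} when path is empty, or None when the
             request or the JSON decoding fails. Callers must handle None
             despite the dict annotation.
    """
    if not path:
        return {}
    if path[0] != '/':
        path = '/' + path
    print_info(f'GET {path}')
    try:
        response = self.api_client.call_api(
            path,
            'GET',
            auth_settings=['BearerToken'],
            response_type='json',
            _preload_content=False,
        )[0]
        return loads(response.data)
    except Exception as e:
        # Catch Exception rather than using a bare except, so Ctrl-C and
        # interpreter shutdown are not swallowed in the middle of a scan.
        # Report the exception class and HTTP status (when the exception
        # carries one): a 401/403 here means the audit silently lost coverage
        # of this endpoint, which the operator needs to be able to tell apart
        # from a parsing problem. The full exception text is not printed
        # because API exceptions can embed response headers and bodies.
        status = getattr(e, 'status', None)
        detail = f' (HTTP {status})' if status else ''
        print_error(f'Failed to get {path}: {e.__class__.__name__}{detail}')
        return None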
len(owner_references) > 0: formatted_data['ownerReferences'] = [] for ref in owner_references: formatted_kind = format_resource_kind(ref['kind']) formatted_version = format_api_version(ref['apiVersion']) formatted_name = format_resource_name(ref['name']) text = f'''{ref['apiVersion']}/{ref['kind']}/{ref['name']}''' if namespace and ref['kind'] != 'Node': formatted_name = format_resource_id(formatted_name, namespace) text = f'''[{namespace}] ''' + text formatted_data['ownerReferences'].append({ 'href': f'''#services.{formatted_kind}.{formatted_version}.{formatted_name}.view'''.replace('"', '\\"'), 'text': text, }) role_ref = item.get('roleRef') if role_ref: ref_api_group = role_ref.get('apiGroup') ref_kind = role_ref.get('kind') ref_name = role_ref.get('name') ref_text = f'''{ref_api_group}/{ref_kind}/{ref_name}''' if namespace: ref_text = f'[{namespace}] {ref_text}' ref_name = f'[{namespace}] {ref_name}' ref_href = f'''#services.{format_resource_kind(ref_kind)}.{version}.{format_resource_id(ref_name, namespace)}.view''' formatted_data['roleRef'] = { 'href': ref_href, 'text': ref_text, } resources[version]['resources'][formatted_id] = formatted_data if namespace: resources[version]['namespaced'] = True resources[version]['namespaces'][format_resource_name(namespace)] = namespace if resource_exists: parsed_output[format_resource_kind(kind)] = resources return parsed_output ================================================ FILE: ScoutSuite/providers/kubernetes/facade/core.py ================================================ from ScoutSuite.core.console import print_error from ScoutSuite.providers.kubernetes.facade.base import KubernetesBaseFacade class CoreFacade(KubernetesBaseFacade): def __init__(self, credentials): super().__init__(credentials) def get_resource_definitions(self) -> dict: if self.resource_definitions != None: return self.resource_definitions self.resource_definitions = {} for version in self.get('/api')['versions']: self.resource_definitions[version] 
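def get_resources(self) -> dict:
    """
    List every listable resource of the core API group and cache the result.

    For each version returned by get_resource_definitions(), every resource
    advertising the 'list' verb is fetched from /api/<version>/<name>.
    Objects of kind 'Secret' are redacted in place before the data is handed
    to parse_data(), so secret values never reach the stored results:

    * values under ``data`` (and ``stringData`` if present) are replaced by
      the literal 'REDACTED'; a value of an unexpected type is replaced
      wholesale rather than left untouched (fail closed);
    * the ``kubectl.kubernetes.io/last-applied-configuration`` annotation is
      replaced as well, because for objects created with ``kubectl apply``
      it holds a copy of the applied manifest, secret values included.

    Only kind 'Secret' is redacted here; other kinds are stored as returned.

    :return: the parsed resources (also stored in self.data)
    """
    if self.data is not None:
        return self.data

    redacted = 'REDACTED'
    last_applied = 'kubectl.kubernetes.io/last-applied-configuration'

    def redact_secret(item):
        # Secret payload fields: keep the keys, drop the values.
        for field in ('data', 'stringData'):
            value = item.get(field)
            if not value:
                continue
            if isinstance(value, dict):
                for key in value:
                    value[key] = redacted
            elif isinstance(value, list):
                value[:] = [redacted] * len(value)
            else:
                # str or any unexpected type: replace the whole field.
                item[field] = redacted
        # The last-applied annotation duplicates the manifest, including
        # the secret payload, so it has to go too.
        annotations = (item.get('metadata') or {}).get('annotations')
        if isinstance(annotations, dict) and last_applied in annotations:
            annotations[last_applied] = redacted

    data = {}
    core_resource_definitions = self.get_resource_definitions()
    for version in core_resource_definitions:
        for api_resource in core_resource_definitions[version]:
            if 'list' not in api_resource['verbs']:
                continue

            endpoint = f'''/api/{version}/{api_resource['name']}'''
            resources = self.get(endpoint)
            if not resources:
                continue

            resource_items = resources['items']
            kind = api_resource['kind']

            # Redact sensitive resources
            if kind == 'Secret':
                for item in resource_items:
                    redact_secret(item)

            data[kind] = data.get(kind, {})
            data[kind][version] = resource_items

    self.data = self.parse_data(data)
    return self.data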
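class ExtraFacade(KubernetesBaseFacade):
    """
    Facade for the API groups served under /apis (everything outside the
    core group). Discovery documents and listed resources are cached on the
    instance after the first successful call.
    """

    def __init__(self, credentials):
        super().__init__(credentials)
        self.api_groups = None

    def get_resource_definitions(self) -> dict:
        """
        Return the /apis discovery document, fetching it on first use.

        :return: the decoded document, or None when the request failed
                 (a failed fetch is not cached, so the next call retries)
        """
        if self.resource_definitions is not None:
            return self.resource_definitions

        self.resource_definitions = self.get('/apis')
        return self.resource_definitions

    def get_resources(self) -> dict:
        """
        List every resource advertising the 'list' verb in every group
        version and return the result of parse_data() on them.

        Endpoints whose discovery or list request fails are skipped; a
        failed /apis discovery yields an empty result instead of raising.

        :return: the parsed resources (also stored in self.data)
        """
        if self.data is not None:
            return self.data

        data = {}
        # get() returns None on failure; treat that as "no groups".
        definitions = self.get_resource_definitions() or {}
        for group in definitions.get('groups', []):
            for version in group['versions']:
                group_version = version['groupVersion']
                discovery = self.get(f'/apis/{group_version}')
                if not discovery:
                    continue

                for api_resource in discovery['resources']:
                    if 'list' not in api_resource['verbs']:
                        continue

                    resource_name = api_resource['name']
                    # Fetch each list endpoint once and reuse the response:
                    # a second request doubles the load on the API server and
                    # can fail independently of the first, which would break
                    # the ['items'] lookup.
                    listing = self.get(f'/apis/{group_version}/{resource_name}')
                    if not listing:
                        continue

                    kind = api_resource['kind']
                    data.setdefault(kind, {})[group_version] = listing['items']

        self.data = self.parse_data(data)
        return self.data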
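================================================
FILE: ScoutSuite/providers/kubernetes/metadata.json
================================================
{ "_scout_suite_aggregation": { "rbac": { "resources": {}, "summaries": { "dangerous_grants": { "path": "services.rbac.dangerous_grants" }, "dodgy_subjects": { "path": "services.rbac.dodgy_subjects" }, "permissive_bindings": { "path": "services.rbac.permissive_bindings" } } }, "workload": { "resources": {}, "summaries": { "images": { "path": "services.workload.images" } } } }, "a": { "loggingmonitoring": { "resources": { "diagnostic_settings": { "path": "services.loggingmonitoring.subscriptions.id.diagnostic_settings" }, "log_alerts": { "path": "services.loggingmonitoring.subscriptions.id.log_alerts" }, "log_profiles": { "path": "services.loggingmonitoring.subscriptions.id.log_profiles" }, "resources_logging": { "path": "services.loggingmonitoring.subscriptions.id.resources_logging" } } } }, "e": { "eks": { "resources": { "encryption": { "path": "services.eks.encryption" }, "logging": { "path": "services.eks.logging" }, "v_p_c": { "path": "services.eks.v_p_c" } } } }, "g": { "kubernetesengine": { "resources": { "clusters": { "path": "services.kubernetesengine.projects.id.clusters" }, "node_pools": { "path": "services.kubernetesengine.projects.id.node_pools" } } } }, "v": { "version": { "resources": { "details": { "cols": 1, "path": "services.version.details" } } } } }

================================================
FILE: ScoutSuite/providers/kubernetes/provider.py
================================================
import os
import re

from ScoutSuite.core.ruleset import Ruleset
from ScoutSuite.providers.base.provider import BaseProvider
from ScoutSuite.providers.kubernetes.authentication_strategy import ClusterProvider, KubernetesCredentials
from ScoutSuite.providers.kubernetes.resources.workload import Workload
from ScoutSuite.providers.kubernetes.services import KubernetesServicesConfig
from ScoutSuite.utils import formatted_service_name


class KubernetesProvider(BaseProvider):
    """
    Implements provider for Kubernetes.

    On top of the base provider steps this class:
    - drops the metadata of cloud-specific services that do not match the
      cluster provider;
    - appends init and ephemeral containers to each workload's `containers`
      list before the base preprocessing runs, and puts the original lists
      back during postprocessing (presumably so that rules written against
      `containers` also cover them - confirm against the rule set);
    - removes resources that have owner references from the findings of the
      services listed in `services_requiring_finding_deduplication`.
    """

    # Services whose findings are reduced to resources without ownerReferences.
    services_requiring_finding_deduplication = {
        'daemon_set': True,
        'deployment': True,
        'replica_set': True,
        'stateful_set': True,
        'pod': True,
    }

    # Services that _postprocess_regular_resources() skips.
    composite_resources = {
        'loggingmonitoring': True,
        'eks': True,
        'kubernetesengine': True,
        'rbac': True,
        'version': True,
        'workload': True
    }

    def __init__(self, **kwargs):
        """Read the run options from kwargs and initialise the base provider."""
        report_dir = kwargs.get('report_dir')
        timestamp = kwargs.get('timestamp')
        resources = kwargs.get('resources') or []
        skipped_resources = kwargs.get('skipped_resources') or []
        result_format = kwargs.get('result_format', 'json')

        self.credentials: KubernetesCredentials = kwargs.get('credentials')

        self.metadata_path = f'{os.path.split(os.path.abspath(__file__))[0]}/metadata.json'
        self.environment = 'kubernetes'
        self.provider_code = 'kubernetes'
        self.result_format = result_format
        self.services_config = KubernetesServicesConfig
        self.account_id = self.credentials.cluster_context
        self.provider_name = formatted_service_name.get(self.credentials.cluster_provider) or 'Kubernetes'

        # Kept with its existing shape for any external reader; after
        # preprocessing each entry holds the list of the resource processed
        # last for that service.
        self.original_containers = {
            'cron_job': [],
            'deployment': [],
            'job': [],
            'pod': [],
            'pod_template': [],
            'replica_set': [],
            'stateful_set': [],
        }
        # (service_name, version, resource_id) -> copy of the resource's own
        # `containers` list, taken before init/ephemeral containers are added.
        self._original_containers_by_resource = {}

        super().__init__(report_dir, timestamp, resources, skipped_resources, result_format)

    def get_report_name(self):
        """
        Returns the name of the report using the provider's configuration
        """
        # NOTE(review): only ':' is replaced. cluster_context comes from the
        # supplied credentials; if it can contain a path separator, that
        # character reaches the report name unchanged - confirm that the code
        # building the report path sanitises it.
        return f'''kubernetes-{self.credentials.cluster_context.replace(':', '-')}'''

    def preprocessing(self, ip_ranges=None, ip_ranges_name_key=None):
        """Trim provider-specific metadata, merge extra containers, then run the base step."""
        provider = self.credentials.cluster_provider

        # delete cloud-specific services if necessary
        if provider != ClusterProvider.AKS.value:
            # TODO: have actual AKS findings
            self._remove_service_metadata(ClusterProvider.AKS.value[0], 'loggingmonitoring')
        if provider != ClusterProvider.EKS.value:
            self._remove_service_metadata(ClusterProvider.EKS.value[0], ClusterProvider.EKS.value)
        if provider != ClusterProvider.GKE.value:
            self._remove_service_metadata(ClusterProvider.GKE.value[0], 'kubernetesengine')

        # delete empty service groups (collected first: the dict cannot be
        # resized while it is being iterated)
        service_groups_to_delete = [
            group_name for group_name in self.metadata
            if len(self.metadata[group_name]) == 0
        ]
        for group_name in service_groups_to_delete:
            del self.metadata[group_name]

        for service_name, version, resource_id, spec in self._iter_container_specs():
            containers = spec['containers']

            # Snapshot per resource: a single per-service slot would be
            # overwritten by every later resource, and postprocessing would
            # then hand the last resource's containers to all of them.
            snapshot = list(containers)
            self._original_containers_by_resource[(service_name, version, resource_id)] = snapshot
            self.original_containers[service_name] = snapshot

            # `or []` also covers a key that is present but null.
            containers.extend(spec.get('initContainers') or [])
            containers.extend(spec.get('ephemeralContainers') or [])

        return super().preprocessing(ip_ranges, ip_ranges_name_key)

    def postprocessing(self, current_time, ruleset: Ruleset, run_parameters):
        """Post-process findings and metadata, restore container lists, then run the base step."""
        self._postprocess_regular_resources()
        self._postprocess_composite_resource('workload')
        self._postprocess_composite_resource('rbac')

        for service_name, version, resource_id, spec in self._iter_container_specs():
            snapshot = self._original_containers_by_resource.get((service_name, version, resource_id))
            # Only restore what preprocessing recorded; a resource without a
            # snapshot keeps the list it has.
            if snapshot is not None:
                spec['containers'] = snapshot

        ## TODO: This needs to look better.
        # service_names = self._get_resource_versions(self.services['workload'])
        # for service_name in service_names:
        #     for finding_name in self.services[service_name]['findings']:
        #         self.services['workload']['findings'][finding_name] = self.services[service_name]['findings'][finding_name]

        return super().postprocessing(current_time, ruleset, run_parameters)

    def _remove_service_metadata(self, service_group, service_name):
        """Delete metadata[service_group][service_name] when both entries exist and are non-empty."""
        group = self.metadata.get(service_group)
        if group and group.get(service_name):
            del group[service_name]

    def _iter_container_specs(self):
        """Yield (service_name, version, resource_id, spec) for each workload resource.

        `spec` is the dict reached by following the service's key path from
        Workload.container_path_prefixes inside the resource. Services that are
        absent or empty in self.services are skipped.
        """
        for service_name in Workload.container_path_prefixes:
            keys = Workload.container_path_prefixes[service_name]
            service = self.services.get(service_name)
            if not service:
                continue

            for version in self._get_resource_versions(service):
                resources = service[version]['resources']
                for resource_id in resources:
                    spec = resources[resource_id]
                    for key in keys:
                        spec = spec[key]
                    yield service_name, version, resource_id, spec

    def _get_resource_versions(self, service: dict):
        """Return the keys of `service` that have a matching '<key>_count' entry."""
        return [key for key in service if service.get(f'{key}_count') is not None]

    def _load_resource_metadata(self, service_group, service_name, versions):
        """Make sure the service has a metadata entry and register one path per version."""
        group = self.metadata.setdefault(service_group, {})
        service_metadata = group.setdefault(service_name, {})
        resources = service_metadata.setdefault('resources', {})
        service_metadata.setdefault('summaries', {})

        for version in versions:
            resources[version] = {
                'path': f'services.{service_name}.{version}'
            }

    def _postprocess_regular_resources(self):
        """Register metadata for non-composite services and clean up their findings."""
        for service_name in self.services:
            # Regular services are grouped under the first letter of their name.
            service_group = service_name[0]
            service = self.services[service_name]

            if self.composite_resources.get(service_name):
                continue

            service_requires_finding_deduplication = self.services_requiring_finding_deduplication.get(service_name, False)

            versions = self._get_resource_versions(service)
            self._load_resource_metadata(service_group, service_name, versions)

            # post-process findings
            standalone_resources = {}
            standalone_resources_tampered = False
            # finding de-duplication
            if service_requires_finding_deduplication:
                for version in versions:
                    service_resources = service[version]['resources']
                    for name in service_resources:
                        if not service_resources[name].get('ownerReferences'):
                            standalone_resources[f'{service_name}.{version}.resources.{name}'] = True
                            # NOTE(review): this page shows the file with its
                            # indentation collapsed, so the nesting of this
                            # assignment is an assumption. Read this way, a
                            # service whose resources all have owner references
                            # leaves the flag False and its findings are not
                            # filtered - confirm against the upstream file.
                            standalone_resources_tampered = True

            # remove resources that have owner references from findings
            findings = self.services[service_name]['findings']
            for finding_name in findings:
                finding = findings[finding_name]

                if standalone_resources_tampered:
                    # e.g. pod.v1.resources.pod-name
                    finding['items'] = [
                        finding_item for finding_item in finding['items']
                        if '.'.join(finding_item.split('.')[:4]) in standalone_resources
                    ]
                    finding['checked_items'] = len(standalone_resources)
                    finding['flagged_items'] = min(finding['checked_items'], len(finding['items']))

                items = finding['items']
                for version in versions:
                    # Names are escaped so they are matched literally, and the
                    # raw string keeps '\.' from being an invalid string escape.
                    pattern = re.compile(rf'^{re.escape(service_name)}\.{re.escape(version)}\.resources')
                    replacement = f'{service_name}.{version}'
                    for index, item in enumerate(items):
                        match = pattern.match(item)
                        if match:
                            items[index] = replacement + item[match.end():]

    def _postprocess_composite_resource(self, composite_resource_name):
        """Register metadata for a composite service under '_scout_suite_aggregation'."""
        service_group = '_scout_suite_aggregation'
        self.metadata[service_group] = self.metadata.get(service_group, {})
        service = self.services[composite_resource_name]
        versions = self._get_resource_versions(service)
        self._load_resource_metadata(service_group, composite_resource_name, versions)

================================================
FILE: ScoutSuite/providers/kubernetes/resources/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/kubernetes/resources/aks.py
================================================
from ScoutSuite.providers.azure.resources.subscriptions import Subscriptions
from ScoutSuite.providers.azure.resources.loggingmonitoring.log_profiles import LogProfiles
from ScoutSuite.providers.azure.resources.loggingmonitoring.diagnostic_settings import DiagnosticSettings
from ScoutSuite.providers.azure.resources.loggingmonitoring.activity_log_alerts import ActivityLogAlerts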
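from ScoutSuite.providers.azure.resources.loggingmonitoring.resources import Resources


class AKS(Subscriptions):
    """Azure subscription resources collected for AKS by the Kubernetes provider.

    The children are the Azure logging/monitoring resource classes imported
    above; each one is stored under the name given in its tuple.
    """

    _children = [
        (LogProfiles, 'log_profiles'),
        (DiagnosticSettings, 'diagnostic_settings'),
        (ActivityLogAlerts, 'log_alerts'),
        (Resources, 'resources_logging')
    ]


================================================
FILE: ScoutSuite/providers/kubernetes/resources/base.py
================================================
"""This module provides implementations for Resources for Kubernetes."""

from ScoutSuite.providers.kubernetes.facade import KubernetesFacade
from ScoutSuite.providers.base.resources.base import CompositeResources, Resources


class KubernetesResources(Resources):
    """Base class for Kubernetes resources built from already-fetched data."""

    def __init__(self, resources):
        # `resources` is indexed by version; each value must expose a
        # 'resources' entry (see fetch_all).
        self.resources = resources

    async def fetch_all(self):
        """Store every version's data plus a `<version>_count` entry."""
        for version in self.resources:
            data = self.resources[version]
            self[version] = data
            self[f'''{version}_count'''] = len(data['resources'])


class KubernetesResourcesWithFacade(Resources):
    """Base class for Kubernetes resources that are fetched through a facade."""

    def __init__(self, facade: KubernetesFacade):
        super().__init__(facade)
        self.facade = facade

    def save(self, data):
        """Copy every version entry of `data` into this object.

        Empty or missing data is ignored, so a resource kind the facade did
        not return simply leaves this object empty.
        """
        if not data:
            return

        for version in data:
            self[version] = data[version]


class KubernetesCompositeResources(KubernetesResourcesWithFacade, CompositeResources):
    """This class represents a collection of KubernetesResources.

    Classes extending KubernetesCompositeResources should define a
    "_children" attribute which consists of a list of tuples describing the
    children. The tuples are expected to respect the following format:
    (<child_class>, <child_name>). The child_name indicates the name under
    which the child will be stored in the parent object.
    """

    async def fetch_all(self):
        """Fetch every child and flatten its versions into this object.

        For each child this stores:
          * `self[child_name]`: a dict whose keys are the versions found,
          * `self['<child_name>_<version>']`: the data of that version,
          * `self['<child_name>_<version>_count']`: its number of resources.
        """
        for child_class, child_name in self._children:
            data: KubernetesResourcesWithFacade = child_class(self.facade)
            await data.fetch_all()

            self[child_name] = {}

            for version in data:
                self[child_name][version] = 1
                self[f'{child_name}_{version}'] = data[version]
                # Every per-version value is expected to carry a 'resources' entry.
                self[f'{child_name}_{version}_count'] = len(data[version]['resources'])


================================================
FILE: ScoutSuite/providers/kubernetes/resources/eks.py
================================================
from ScoutSuite.providers.kubernetes.resources.base import KubernetesCompositeResources, KubernetesResourcesWithFacade


class ControlPlaneLogging(KubernetesResourcesWithFacade):
    """Control plane log types of the EKS cluster and whether each is enabled."""

    async def fetch_all(self):
        # Nothing to collect when no EKS facade is available.
        if not self.facade.eks:
            return

        cluster = self.facade.eks.get_cluster()

        # Example shape of `logging_config`:
        # [
        #     {'types': ['controllerManager', 'scheduler'], 'enabled': True},
        #     {'types': ['api', 'audit', 'authenticator'], 'enabled': False}
        # ]
        logging_config = cluster['logging']['clusterLogging']
        for item in logging_config:
            for log_type in item['types']:
                # The original entry is annotated in place as well; it ends up
                # carrying the last log type of its 'types' list.
                item['name'] = log_type
                item['id'] = log_type
                # One entry per log type, so a disabled type can be reported on its own.
                self[log_type] = {
                    'name': log_type,
                    'id': log_type,
                    'enabled': item['enabled']
                }


class KMSEncryption(KubernetesResourcesWithFacade):
    """Encryption configuration entries of the EKS cluster, keyed by KMS key ARN."""

    async def fetch_all(self):
        # Nothing to collect when no EKS facade is available.
        if not self.facade.eks:
            return

        cluster = self.facade.eks.get_cluster()

        # A missing or null 'encryptionConfig' leaves this resource empty.
        encryption_config = cluster.get('encryptionConfig') or []
        for item in encryption_config:
            arn = item['provider']['keyArn']
            item['name'] = arn
            item['id'] = arn
            self[arn] = item


class ResourcesVPCConfig(KubernetesResourcesWithFacade):
    """VPC configuration of the EKS cluster, keyed by VPC id."""

    async def fetch_all(self):
        # Nothing to collect when no EKS facade is available.
        if not self.facade.eks:
            return

        cluster = self.facade.eks.get_cluster()
        vpc_config = cluster['resourcesVpcConfig']
        vpc_id = vpc_config['vpcId']

        # The stored value is the cluster's own dict, annotated in place.
        self[vpc_id] = vpc_config
        self[vpc_id]['id'] = vpc_id
        self[vpc_id]['name'] = vpc_id


class EKS(KubernetesCompositeResources):
    """EKS-specific resources: control plane logging, KMS encryption, VPC config."""

    _children = [
        (ControlPlaneLogging, 'logging'),
        (KMSEncryption, 'encryption'),
        (ResourcesVPCConfig, 'v_p_c'),
    ]


================================================
FILE: ScoutSuite/providers/kubernetes/resources/fake_network_policy.py
================================================
from ScoutSuite.providers.kubernetes.resources.base import KubernetesResourcesWithFacade


class FakeNetworkPolicy(KubernetesResourcesWithFacade):
    """Created to display network policy findings in the event that the cluster has no network policies."""

    async def fetch_all(self):
        # An empty 'v1' version with a zero count stands in for the missing resource kind.
        self['v1'] = {}
        self['v1_count'] = 0


================================================
FILE: ScoutSuite/providers/kubernetes/resources/gke.py
================================================
from ScoutSuite.providers.gcp.resources.gke.clusters import Clusters
from ScoutSuite.providers.gcp.resources.projects import Projects


class GKE(Projects):
    """GCP project resources collected for GKE: the GKE clusters."""

    _children = [
        (Clusters, 'clusters')
    ]


================================================
FILE: ScoutSuite/providers/kubernetes/resources/rbac.py
================================================
from ScoutSuite.providers.kubernetes.resources.base import KubernetesCompositeResources, KubernetesResourcesWithFacade


class ClusterRoles(KubernetesResourcesWithFacade):
    """The 'cluster_role' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('cluster_role')
        self.save(data)


class ClusterRoleBindings(KubernetesResourcesWithFacade):
    """The 'cluster_role_binding' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('cluster_role_binding')
        self.save(data)


class Roles(KubernetesResourcesWithFacade):
    """The 'role' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('role')
        self.save(data)


class RoleBindings(KubernetesResourcesWithFacade):
    """The 'role_binding' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('role_binding')
        self.save(data)


class RBAC(KubernetesCompositeResources):
    """RBAC roles and bindings, plus three derived views built by finalize()."""

    _children = [
        (ClusterRoles, 'cluster_role'),
        (ClusterRoleBindings, 'cluster_role_binding'),
        (Roles, 'role'),
        (RoleBindings, 'role_binding'),
    ]

    # Substrings that mark a binding name as potentially over-permissive.
    PERMISSIVE_BINDING_KEYWORDS = ['admin', 'secret', 'manage', 'root']
    # Built-in subjects that cover unauthenticated or all authenticated callers.
    DODGY_SUBJECTS = ['system:unauthenticated', 'system:authenticated', 'system:anonymous']
    # (verb, resource) pairs; an empty resource means "this verb on any resource".
    DANGEROUS_GRANTS = [
        ('create', 'pods'),
        ('create', 'pods/exec'),
        ('get', 'secrets'),
        ('get', 'configmaps'),
        ('escalate', ''),
        ('impersonate', ''),
    ]

    KEY_PERMISSIVE_BINDINGS = 'permissive_bindings'
    KEY_DODGY_SUBJECTS = 'dodgy_subjects'
    KEY_DANGEROUS_GRANTS = 'dangerous_grants'

    async def finalize(self):
        """Derive the permissive-binding, dodgy-subject and dangerous-grant views.

        * permissive bindings: bindings (cluster-wide and namespaced) whose
          name contains one of PERMISSIVE_BINDING_KEYWORDS, keyed by
          '<kind>/<name>';
        * dodgy subjects: bindings that name one of DODGY_SUBJECTS, grouped
          by '[<namespace>] <version>/<kind>/<name>';
        * dangerous grants: for each DANGEROUS_GRANTS pair, the subjects of
          every cluster role binding that references a cluster role with a
          matching rule.

        NOTE: dangerous grants are only computed from 'cluster_role' and
        'cluster_role_binding'. Grants made through 'role' / 'role_binding'
        are not part of that view, so an empty result does not cover
        namespaced RBAC.
        """
        self[self.KEY_PERMISSIVE_BINDINGS] = {}
        self[self.KEY_DODGY_SUBJECTS] = {}
        self[self.KEY_DANGEROUS_GRANTS] = {}

        for child_name in ['cluster_role_binding', 'role_binding']:
            for version in self[child_name]:
                resources = self[f'{child_name}_{version}']['resources']
                for binding_name in resources:
                    binding = resources[binding_name]
                    # This is the binding's own metadata name, not the name of
                    # the role it references.
                    role_name: str = binding['metadata']['name']

                    # set permissive bindings for cluster roles and roles
                    lowered_name = role_name.lower()
                    if any(keyword.lower() in lowered_name for keyword in self.PERMISSIVE_BINDING_KEYWORDS):
                        self[self.KEY_PERMISSIVE_BINDINGS][f'''{binding['kind']}/{role_name}'''] = binding

                    # set dodgy subjects
                    for subject in binding['data'].get('subjects') or []:
                        if subject['name'] not in self.DODGY_SUBJECTS:
                            continue
                        subject_namespace = f'''[{subject['namespace']}] ''' if subject.get('namespace') else ''
                        action = f'''{subject_namespace}{binding['version']}/{subject['kind']}/{subject['name']}'''
                        self[self.KEY_DODGY_SUBJECTS].setdefault(action, []).append(binding)

        for dangerous_verb, dangerous_resource in self.DANGEROUS_GRANTS:
            action = f'{dangerous_verb} {dangerous_resource}' if dangerous_resource else dangerous_verb
            self[self.KEY_DANGEROUS_GRANTS][action] = []

            child_name = 'cluster_role'
            for version in self[child_name]:
                resources = self[f'{child_name}_{version}']['resources']
                for role_name in resources:
                    role = resources[role_name]
                    for rule in role['data'].get('rules') or []:
                        # A rule without verbs cannot grant anything.
                        verbs = rule.get('verbs') or []
                        if not any(verb in ('*', dangerous_verb) for verb in verbs):
                            continue

                        # Keep the matched resource in its own variable.
                        # Rebinding `dangerous_resource` here would change what
                        # every later rule and role of this grant is compared
                        # against and silently drop matches.
                        matched_resource = None
                        for rule_resource in rule.get('resources') or []:
                            if dangerous_resource == '' or rule_resource in ('*', dangerous_resource):
                                matched_resource = rule_resource
                                break
                        if matched_resource is None:
                            continue

                        binding_child_name = 'cluster_role_binding'
                        for binding_version in self[binding_child_name]:
                            binding_resources = self[f'{binding_child_name}_{binding_version}']['resources']
                            for binding_name in binding_resources:
                                binding = binding_resources[binding_name]
                                # Presumably resource keys end in '_<role name>';
                                # verify against the facade that builds them.
                                if binding['data']['roleRef']['name'] != role_name.split('_')[-1]:
                                    continue

                                # Same tolerant lookup as the dodgy-subject pass:
                                # a binding without subjects grants nothing.
                                for subject in binding['data'].get('subjects') or []:
                                    self[self.KEY_DANGEROUS_GRANTS][action].append({
                                        'kind': subject['kind'],
                                        'name': subject['name'],
                                        'verb': dangerous_verb,
                                        'resource': matched_resource or '-',
                                        'binding_kind': binding['data']['roleRef']['kind'],
                                        'binding_name': binding['metadata']['name'],
                                        'namespace': subject.get('namespace') or '-'
                                    })


================================================
FILE: ScoutSuite/providers/kubernetes/resources/version.py
================================================
from ScoutSuite.providers.kubernetes.resources.base import KubernetesResourcesWithFacade


class KubernetesVersions(KubernetesResourcesWithFacade):
    """Version details returned by the version facade, stored under 'details'."""

    async def fetch_all(self):
        details = self.facade.version.get_versions()
        self['details'] = {
            'v1': details
        }
        self['details_count'] = len(details)


================================================
FILE: ScoutSuite/providers/kubernetes/resources/workload.py
================================================
from ScoutSuite.providers.kubernetes.resources.base import KubernetesCompositeResources, KubernetesResourcesWithFacade


class Pod(KubernetesResourcesWithFacade):
    """The 'pod' resources returned by the core facade."""

    async def fetch_all(self):
        data = self.facade.core.get_resources().get('pod')
        self.save(data)


class PodTemplate(KubernetesResourcesWithFacade):
    """The 'pod_template' resources returned by the core facade."""

    async def fetch_all(self):
        data = self.facade.core.get_resources().get('pod_template')
        self.save(data)


class CronJob(KubernetesResourcesWithFacade):
    """The 'cron_job' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('cron_job')
        self.save(data)


class DaemonSet(KubernetesResourcesWithFacade):
    """The 'daemon_set' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('daemon_set')
        self.save(data)


class Deployment(KubernetesResourcesWithFacade):
    """The 'deployment' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('deployment')
        self.save(data)


class Job(KubernetesResourcesWithFacade):
    """The 'job' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('job')
        self.save(data)


class ReplicaSet(KubernetesResourcesWithFacade):
    """The 'replica_set' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('replica_set')
        self.save(data)


class StatefulSet(KubernetesResourcesWithFacade):
    """The 'stateful_set' resources returned by the extra facade."""

    async def fetch_all(self):
        data = self.facade.extra.get_resources().get('stateful_set')
        self.save(data)


class Workload(KubernetesCompositeResources):
    """All workload kinds, plus the sorted list of container images they use."""

    _children = [
        (Pod, 'pod'),
        (PodTemplate, 'pod_template'),
        (CronJob, 'cron_job'),
        (DaemonSet, 'daemon_set'),
        (Deployment, 'deployment'),
        (Job, 'job'),
        (ReplicaSet, 'replica_set'),
        (StatefulSet, 'stateful_set')
    ]

    # Keys to follow, per workload kind, from a stored resource down to its pod spec.
    container_path_prefixes = {
        'pod': ['data', 'spec'],
        'daemon_set': ['data', 'spec', 'template', 'spec'],
        'deployment': ['data', 'spec', 'template', 'spec'],
        'replica_set': ['data', 'spec', 'template', 'spec'],
        'pod_template': ['data', 'spec', 'template', 'spec'],
        'stateful_set': ['data', 'spec', 'template', 'spec'],
        'job': ['data', 'spec', 'template', 'spec'],
        'cron_job': ['data', 'spec', 'jobTemplate', 'spec', 'template', 'spec']
    }

    async def finalize(self):
        """Collect the distinct images of all containers into self['images'].

        Regular, init and ephemeral containers are all included, so the image
        inventory also covers images that only run at start-up or for debugging.
        """
        images = set()

        for _, child_name in self._children:
            for version in self[child_name]:
                resources = self[f'{child_name}_{version}']['resources']
                for resource_name in resources:
                    spec = resources[resource_name]
                    for key in self.container_path_prefixes[child_name]:
                        spec = spec[key]

                    containers = list(spec['containers'])
                    # `or []` also covers a key that is present but null, which
                    # a plain default would hand back as None.
                    containers += spec.get('initContainers') or []
                    containers += spec.get('ephemeralContainers') or []

                    for container in containers:
                        images.add(container['image'])

        self['images'] = sorted(images)


================================================
FILE: ScoutSuite/providers/kubernetes/rules/findings/configmap-unnecessary-secrets.json
================================================
{ "description": "Unnecessary Secrets in ConfigMap", "rationale": "Kubernetes administrators are encouraged to review secrets in ConfigMap manifests and remove the unnecessary ones.", "references": [ "https://kubernetes.io/docs/concepts/configuration/configmap/" ], "dashboard_name": "ConfigMaps", "display_path": "config_map.v1.id", "path": "config_map.v1.resources.id", "conditions": [ "or", [ "data", "notNull", "" ] ] }
================================================
FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-apparmor-annotation-missing.json
================================================
{ "description": "AppArmor Annotation Missing", "rationale": "The container.apparmor.security.beta.kubernetes.io annotation is missing.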
A compromised container with AppArmor disabled makes privilege escalation easier.", "references": [ "https://kubernetes.io/docs/tutorials/security/apparmor/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id", "conditions": [ "or", [ "cron_job.v1-batch.resources.id.metadata", "withoutKey", "annotations" ], [ "cron_job.v1-batch.resources.id.metadata.annotations", "withoutKey", "container.apparmor.security.beta.kubernetes.io" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-automounted-service-account-token.json ================================================ { "description": "Automounted Service Account Token", "rationale": "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id", "conditions": [ "or", [ "cron_job.v1-batch.resources.id.data.spec", "withoutKey", "automountServiceAccountToken" ], [ "cron_job.v1-batch.resources.id.data.spec.automountServiceAccountToken", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.automountServiceAccountToken", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-container-ability-to-modify-root-filesystem.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Ability to Modify Root Filesystem", "rationale": "Root filesystems should be read-only where possible.", "remediation": "spec.jobTemplate.spec.template.spec.(c|initC|ephemeralC)ontainers[].securityContext.readOnlyRootFilesystem should be explicitly set to 
true for the affected containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "or", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "false", "" ] ], "id_suffix": "readOnlyRootFilesystem" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-container-allowing-privilege-escalation.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Allowing Privilege Escalation", "rationale": "A container should disallow privilege escalation where possible. 
allowPrivilegeEscalation should be explicitly set to false.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "or", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "true", "" ] ], "id_suffix": "allowPrivilegeEscalation" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-container-running-as-root-group.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root Group", "rationale": "Where possible, runAsGroup should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.securityContext", "notNull", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.securityContext.runAsGroup", "equal", "0" ] ], [ "and", [ 
"cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.runAsGroup", "equal", "0" ] ] ], "id_suffix": "runAsGroup" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-container-running-as-root-user.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root User", "rationale": "Where possible, runAsUser should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.securityContext", "notNull", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.securityContext.runAsUser", "equal", "0" ] ], [ "and", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.runAsUser", "equal", "0" ] ] ], "id_suffix": "runAsUser" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-container-with-overly-permissive-capabilities.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Permissive Capabilities", "rationale": "A container should drop all and add the necessary capabilities by default.", "references": [ 
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "or", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ], "id_suffix": "capabilities.drop" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-container-with-possible-root-privileges.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Possible Root Privileges", "rationale": "Where possible, runAsNonRoot should be set to true to prevent the container from running as root.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "and", [ "or", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.securityContext.runAsNonRoot", "null", "" ], [ 
"cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.securityContext.runAsNonRoot", "false", "" ] ], [ "or", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.runAsNonRoot", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.runAsNonRoot", "false", "" ] ] ], "id_suffix": "runAsNonRoot" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-host-ipc-true.json ================================================ { "description": "CronJobs Using Host IPC", "rationale": "A compromised pod with hostIPC set to true in PodSpec can be used as a pivot to the host IPC.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec", "conditions": [ "and", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec", "withKey", "host_ipc" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.host_ipc", "true", "" ] ], "id_suffix": "host_ipc" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-host-network-true.json ================================================ { "description": "CronJobs Using Host Networking", "rationale": "A compromised pod with hostNetwork set to true in PodSpec can be used as a pivot to the host network.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec", "conditions": [ "and", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec", "withKey", "host_network" ], [ 
"cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.host_network", "true", "" ] ], "id_suffix": "host_network" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-host-pid-true.json ================================================ { "description": "CronJobs Using Host PID", "rationale": "A compromised pod with hostPID set to true in PodSpec can be used as a pivot to the host PID.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec", "conditions": [ "and", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec", "withKey", "host_pid" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.host_pid", "true", "" ] ], "id_suffix": "host_pid" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-kubernetes-container-manifest-hardening.json ================================================ { "description": "Kubernetes Container/InitContainer/EphemeralContainer Manifest Hardening", "rationale": "Several security options in the affected resources could be enabled to harden associated containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://www.cisecurity.org/benchmark/docker/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "or", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "null", "" ], [
"cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "withoutKey", "allowPrivilegeEscalation" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "withoutKey", "readOnlyRootFilesystem" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-privileged-container-running.json ================================================ { "description": "Privileged Container/InitContainer/EphemeralContainer Running", "rationale": "Access to privileged container may result in privilege escalation. 
Administrators are encouraged to remove the privileged status of a pod if unnecessary.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "and", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.securityContext.privileged", "true", "" ] ], "id_suffix": "privileged" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-resources-without-defined-cpu-limit.json ================================================ { "description": "Resources without Defined CPU Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "or", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources.limits.cpu", "null", "" ] ], "id_suffix": "cpu" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-resources-without-defined-limits.json ================================================ { "description": "Resources without Defined Limits", "rationale": "Unset resource limits could
result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources", "conditions": [ "or", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources", "withoutKey", "limits" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/cron-job-resources-without-defined-memory-limit.json ================================================ { "description": "Resources without Defined Memory Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "CronJobs", "display_path": "cron_job.v1-batch.id", "path": "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id", "conditions": [ "or", [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "cron_job.v1-batch.resources.id.data.spec.jobTemplate.spec.template.spec.containers.id.resources.limits.memory", "null", "" ] ], "id_suffix": "memory" } ================================================ FILE: 
ScoutSuite/providers/kubernetes/rules/findings/daemonset-apparmor-annotation-missing.json ================================================ { "description": "AppArmor Annotation Missing", "rationale": "The container.apparmor.security.beta.kubernetes.io annotation is missing. A compromised container with AppArmor disabled makes privilege escalation easier.", "references": [ "https://kubernetes.io/docs/tutorials/security/apparmor/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.metadata", "withoutKey", "annotations" ], [ "daemon_set.v1-apps.resources.id.metadata.annotations", "withoutKey", "container.apparmor.security.beta.kubernetes.io" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-automounted-service-account-token.json ================================================ { "description": "Automounted Service Account Token", "rationale": "Default service account with token mounted. 
automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.data.spec", "withoutKey", "automountServiceAccountToken" ], [ "daemon_set.v1-apps.resources.id.data.spec.automountServiceAccountToken", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.automountServiceAccountToken", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-container-ability-to-modify-root-filesystem.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Ability to Modify Root Filesystem", "rationale": "Root filesystems should be read-only where possible.", "remediation": "spec.template.spec.(c|initC|ephemeralC)ontainers[].securityContext.readOnlyRootFilesystem should be explicitly set to true for the affected containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.readOnlyRootFilesystem", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.readOnlyRootFilesystem", "false", "" ] ], "id_suffix": "readOnlyRootFilesystem" } ================================================ FILE: 
ScoutSuite/providers/kubernetes/rules/findings/daemonset-container-allowing-privilege-escalation.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Allowing Privilege Escalation", "rationale": "A container should disallow privilege escalation where possible. allowPrivilegeEscalation should be explicitly set to false.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "null", "" ], [ "daemonset.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "daemonset.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "true", "" ] ], "id_suffix": "allowPrivilegeEscalation" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-container-running-as-root-group.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root Group", "rationale": "Where possible, runAsGroup should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "notNull", "" ], [ 
"daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsGroup", "equal", "0" ] ], "id_suffix": "runAsGroup" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-container-running-as-root-user.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root User", "rationale": "Where possible, runAsUser should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "notNull", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsUser", "equal", "0" ] ], "id_suffix": "runAsUser" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-container-with-overly-permissive-capabilities.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Permissive Capabilities", "rationale": "A container should drop all and add the necessary capabilities by default.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", 
"capabilities" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ], "id_suffix": "capabilities.drop" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-container-with-possible-root-privileges.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Possible Root Privileges", "rationale": "Where possible, runAsNonRoot should be set to true to prevent the container from running as root.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.runAsNonRoot", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.runAsNonRoot", "false", "" ] ], "id_suffix": "runAsNonRoot" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-host-ipc-true.json ================================================ { "description": "DaemonSets Using Host IPC", "rationale": "A compromised pod with hostIPC set to true in PodSpec can be used as a pivot to the host IPC.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ 
"daemon_set.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_ipc" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.host_ipc", "true", "" ] ], "id_suffix": "host_ipc" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-host-network-true.json ================================================ { "description": "DaemonSets Using Host Networking", "rationale": "A compromised pod with hostNetwork set to true in PodSpec can be used as a pivot to the host network.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_network" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.host_network", "true", "" ] ], "id_suffix": "host_network" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-host-pid-true.json ================================================ { "description": "DaemonSets Using Host PID", "rationale": "A compromised pod with hostPID set to true in PodSpec can be used as a pivot to the host PID.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_pid" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.host_pid", "true", "" ] ], "id_suffix": "host_pid" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-kubernetes-container-manifest-hardening.json ================================================ { 
"description": "Kubernetes Container/InitContainer/EphemeralContainer Manifest Hardening", "rationale": "Several security options in the affected resources could be enabled to harden assocated containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://www.cisecurity.org/benchmark/docker/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "allowPrivilegeEscalation" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "readOnlyRootFilesystem" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "capabilities" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-privileged-container-running.json ================================================ { "description": "Privileged Container/InitContainer/EphemeralContainer Running", "rationale": "Access to privileged container may result in privilege escalation. 
Administrators are encouraged to remove the privileged status of a pod if unnecessary.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.privileged", "true", "" ] ], "id_suffix": "privileged" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-resources-without-defined-cpu-limit.json ================================================ { "description": "Resources without Defined CPU Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits.cpu", "null", "" ] ], "id_suffix": "cpu" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-resources-without-defined-limits.json ================================================ { "description": "Resources without Defined Limits", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [
"https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources", "withoutKey", "limits" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "and", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ] ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/daemonset-resources-without-defined-memory-limit.json ================================================ { "description": "Resources without Defined Memory Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "DaemonSets", "display_path": "daemon_set.v1-apps.id", "path": "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "daemon_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits.memory", "null", "" ] ], "id_suffix": "memory" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-apparmor-annotation-missing.json ================================================ { "description": "AppArmor Annotation Missing", "rationale": "The 
container.apparmor.security.beta.kubernetes.io annotation is missing. A compromised container with AppArmor disabled makes privilege escalation easier.", "references": [ "https://kubernetes.io/docs/tutorials/security/apparmor/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id", "conditions": [ "or", [ "deployment.v1-apps.resources.id.metadata", "withoutKey", "annotations" ], [ "deployment.v1-apps.resources.id.metadata.annotations", "withoutKey", "container.apparmor.security.beta.kubernetes.io" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-automounted-service-account-token.json ================================================ { "description": "Automounted Service Account Token", "rationale": "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id", "conditions": [ "or", [ "deployment.v1-apps.resources.id.data.spec", "withoutKey", "automountServiceAccountToken" ], [ "deployment.v1-apps.resources.id.data.spec.automountServiceAccountToken", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.automountServiceAccountToken", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-container-ability-to-modify-root-filesystem.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Ability to Modify Root Filesystem", "rationale": "Root filesystems should be read-only where possible.", "remediation": 
"spec.template.spec.(c|initC|ephemeralC)ontainers[].securityContext.readOnlyRootFilesystem should be explicitly set to true for the affected containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "false", "" ] ], "id_suffix": "readOnlyRootFilesystem" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-container-allowing-privilege-escalation.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Allowing Privilege Escalation", "rationale": "A container should disallow privilege escalation where possible. 
allowPrivilegeEscalation should be explicitly set to false.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "true", "" ] ], "id_suffix": "allowPrivilegeEscalation" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-container-running-as-root-group.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root Group", "rationale": "Where possible, runAsGroup should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "deployment.v1-apps.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsGroup", "equal", "0" ] ], [ "and", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ 
"deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsGroup", "equal", "0" ] ] ], "id_suffix": "runAsGroup" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-container-running-as-root-user.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root User", "rationale": "Where possible, runAsUser should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "deployment.v1-apps.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsUser", "equal", "0" ] ], [ "and", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsUser", "equal", "0" ] ] ], "id_suffix": "runAsUser" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-container-with-overly-permissive-capabilities.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Permissive Capabilities", "rationale": "A container should drop all and add the necessary capabilities by default.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": 
"deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ], "id_suffix": "capabilities.drop" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-container-with-possible-root-privileges.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Possible Root Privileges", "rationale": "Where possible, runAsNonRoot should be set to true to prevent the container from running as root.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "or", [ "deployment.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "false", "" ] ], [ "or", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "false", "" ] ] ], "id_suffix": "runAsNonRoot" } 
================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-host-ipc-true.json ================================================ { "description": "Deployments Using Host IPC", "rationale": "A compromised pod with hostIPC set to true in PodSpec can be used as a pivot to the host IPC.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "deployment.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_ipc" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.host_ipc", "true", "" ] ], "id_suffix": "host_ipc" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-host-network-true.json ================================================ { "description": "Deployments Using Host Networking", "rationale": "A compromised pod with hostNetwork set to true in PodSpec can be used as a pivot to the host network.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "deployment.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_network" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.host_network", "true", "" ] ], "id_suffix": "host_network" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-host-pid-true.json ================================================ { "description": "Deployments Using Host PID", "rationale": "A compromised pod with hostPID set to true in PodSpec can be used as a pivot to the host PID.", "references": [ 
"https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "deployment.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_pid" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.host_pid", "true", "" ] ], "id_suffix": "host_pid" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-kubernetes-container-manifest-hardening.json ================================================ { "description": "Kubernetes Container/InitContainer/EphemeralContainer Manifest Hardening", "rationale": "Several security options in the affected resources could be enabled to harden assocated containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://www.cisecurity.org/benchmark/docker/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "allowPrivilegeEscalation" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "readOnlyRootFilesystem" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ 
"deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-privileged-container-running.json ================================================ { "description": "Privileged Container/InitContainer/EphemeralContainer Running", "rationale": "Access to privileged container may result in privilege escalation. Administrators are encouraged to remove the privileged status of a pod if unncessary.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.privileged", "true", "" ] ], "id_suffix": "privileged" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-resources-without-defined-cpu-limit.json ================================================ { "description": "Resources without Defined CPU Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ 
"deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits.cpu", "null", "" ] ], "id_suffix": "cpu" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-resources-without-defined-limits.json ================================================ { "description": "Resources without Defined Limits", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources", "conditions": [ "or", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources", "withoutKey", "limits" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/deployment-resources-without-defined-memory-limit.json ================================================ { "description": "Resources without Defined Memory Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Deployments", "display_path": "deployment.v1-apps.id", "path": 
"deployment.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "deployment.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits.memory", "null", "" ] ], "id_suffix": "memory" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/eks-insufficient-control-plane-logging.json ================================================ { "description": "Insufficient Control Plane Logging", "rationale": "Certain logging options are disabled in the EKS control plane, creating difficulties in asserting accountability.", "references": [ "https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html" ], "dashboard_name": "Configurations", "path": "eks.logging.id", "conditions": [ "or", [ "enabled", "false", "" ] ], "id_suffix": "enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/eks-kms-encryption-disabled.json ================================================ { "description": "KMS Encryption Disabled", "rationale": "Without KMS encryption, it may be easier to obtain Kubernetes cluster secrets unauthorized.", "references": [ "https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html", "https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/", "https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html", "https://docs.aws.amazon.com/kms/latest/developerguide/overview.html", "https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html" ], "dashboard_name": "Configurations", "display_path": "eks.encryption.id", "path": "eks", "conditions": [ "or", [ "eks.encryption_count", "equal", "0" ] ] } 
================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/eks-publically-accessible-apiserver.json ================================================ { "description": "Publically Accessible API Server", "rationale": " A publically accessible Kubernetes API server may enable arbitrary view or modification of cluster data.", "references": [ "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/", "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-resourcesvpcconfig.html" ], "dashboard_name": "VPC Configs", "path": "eks.vpc.config", "conditions": [ "and", [ "eks.vpc.config.endpointPublicAccess", "true", "" ], [ "eks.vpc.config.publicAccessCidrs", "containAtLeastOneOf", "0.0.0.0/0" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-apparmor-annotation-missing.json ================================================ { "description": "AppArmor Annotation Missing", "rationale": "The container.apparmor.security.beta.kubernetes.io annotation is missing. A compromised container with AppArmor disabled makes privilege escalation easier.", "references": [ "https://kubernetes.io/docs/tutorials/security/apparmor/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id", "conditions": [ "or", [ "job.v1-batch.resources.id.metadata", "withoutKey", "annotations" ], [ "job.v1-batch.resources.id.metadata.annotations", "withoutKey", "container.apparmor.security.beta.kubernetes.io" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-automounted-service-account-token.json ================================================ { "description": "Automounted Service Account Token", "rationale": "Default service account with token mounted. 
automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id", "conditions": [ "or", [ "job.v1-batch.resources.id.data.spec", "withoutKey", "automountServiceAccountToken" ], [ "job.v1-batch.resources.id.data.spec.automountServiceAccountToken", "null", "" ], [ "job.v1-batch.resources.id.data.spec.automountServiceAccountToken", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-container-ability-to-modify-root-filesystem.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Ability to Modify Root Filesystem", "rationale": "Root filesystems should be read-only where possible.", "remediation": "spec.template.spec.(c|initC|ephemeralC)ontainers[].securityContext.readOnlyRootFilesystem should be explicitly set to true for the affected containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "false", "" ] ], "id_suffix": "readOnlyRootFilesystem" } 
================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-container-allowing-privilege-escalation.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Allowing Privilege Escalation", "rationale": "A container should disallow privilege escalation where possible. allowPrivilegeEscalation should be explicitly set to false.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "true", "" ] ], "id_suffix": "allowPrivilegeEscalation" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-container-running-as-root-group.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root Group", "rationale": "Where possible, runAsGroup should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ 
"job.v1-batch.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.securityContext.runAsGroup", "equal", "0" ] ], [ "and", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.runAsGroup", "equal", "0" ] ] ], "id_suffix": "runAsGroup" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-container-running-as-root-user.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root User", "rationale": "Where possible, runAsUser should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "job.v1-batch.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.securityContext.runAsUser", "equal", "0" ] ], [ "and", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.runAsUser", "equal", "0" ] ] ], "id_suffix": "runAsUser" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-container-with-overly-permissive-capabilities.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Permissive Capabilities", "rationale": "A container should drop all and add the necessary capabilities by default.", "references": [ 
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ], "id_suffix": "capabilities.drop" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-container-with-possible-root-privileges.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Possible Root Privileges", "rationale": "Where possible, runAsNonRoot should be set to true to prevent the container from running as root.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "or", [ "job.v1-batch.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "false", "" ] ], [ "or", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "null", "" ], [ 
"job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "false", "" ] ] ], "id_suffix": "runAsNonRoot" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-host-ipc-true.json ================================================ { "description": "Jobs Using Host IPC", "rationale": "A compromised pod with hostIPC set to true in PodSpec can be used as a pivot to the host IPC.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec", "conditions": [ "and", [ "job.v1-batch.resources.id.data.spec.template.spec", "withKey", "host_ipc" ], [ "job.v1-batch.resources.id.data.spec.template.spec.host_ipc", "true", "" ] ], "id_suffix": "host_ipc" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-host-network-true.json ================================================ { "description": "Jobs Using Host Networking", "rationale": "A compromised pod with hostNetwork set to true in PodSpec can be used as a pivot to the host network.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec", "conditions": [ "and", [ "job.v1-batch.resources.id.data.spec.template.spec", "withKey", "host_network" ], [ "job.v1-batch.resources.id.data.spec.template.spec.host_network", "true", "" ] ], "id_suffix": "host_network" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-host-pid-true.json ================================================ { "description": "Jobs Using Host PID", "rationale": "A compromised pod with hostPID set to true in PodSpec can be used as a pivot to the host PID.", "references": [ 
"https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec", "conditions": [ "and", [ "job.v1-batch.resources.id.data.spec.template.spec", "withKey", "host_pid" ], [ "job.v1-batch.resources.id.data.spec.template.spec.host_pid", "true", "" ] ], "id_suffix": "host_pid" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-kubernetes-container-manifest-hardening.json ================================================ { "description": "Kubernetes Container/InitContainer/EphemeralContainer Manifest Hardening", "rationale": "Several security options in the affected resources could be enabled to harden associated containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://www.cisecurity.org/benchmark/docker/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "allowPrivilegeEscalation" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "readOnlyRootFilesystem" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [
"job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-privileged-container-running.json ================================================ { "description": "Privileged Container/InitContainer/EphemeralContainer Running", "rationale": "Access to a privileged container may result in privilege escalation. Administrators are encouraged to remove the privileged status of a pod if unnecessary.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.securityContext.privileged", "true", "" ] ], "id_suffix": "privileged" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-resources-without-defined-cpu-limit.json ================================================ { "description": "Resources without Defined CPU Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [
"job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources.limits.cpu", "null", "" ] ], "id_suffix": "cpu" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-resources-without-defined-limits.json ================================================ { "description": "Resources without Defined Limits", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources", "conditions": [ "or", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources", "withoutKey", "limits" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/job-resources-without-defined-memory-limit.json ================================================ { "description": "Resources without Defined Memory Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Jobs", "display_path": "job.v1-batch.id", "path": "job.v1-batch.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ 
"job.v1-batch.resources.id.data.spec.template.spec.containers.id.resources.limits.memory", "null", "" ] ], "id_suffix": "memory" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-basic-authentication-enabled.json ================================================ { "description": "Basic Authentication Enabled", "rationale": "Basic authentication allows a user to authenticate to the cluster with a username and password, which are stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. It is recommended to use either a client certificate or IAM for authentication.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.10" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.8.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#evaluation_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.basic_authentication_enabled", "true", "" ] ], "id_suffix": "basic_authentication_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-certificate-authentication-enabled.json ================================================ { "description": "Certificate Authentication Enabled", "rationale": "Unless applications use the client certificate authentication method, it should be disabled.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.8.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/",
"https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#evaluation_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.client_certificate_enabled", "true", "" ] ], "id_suffix": "client_certificate_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-alias-ip-disabled.json ================================================ { "description": "Alias IP Disabled", "rationale": "With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.13" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.alias_ip_enabled", "false", "" ] ], "id_suffix": "alias_ip_disabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-application-layer-encryption-disabled.json ================================================ { "description": "Application-Layer Secrets Encryption Disabled", "rationale": "By default, GKE encrypts customer content stored at 
rest, including Secrets. GKE handles and manages this default encryption without any additional action.
Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as user defined Secrets and Secrets required for the operation of the cluster, such as service account keys, which are all stored in etcd.
Using this functionality, you can use a key, that you manage in Cloud KMS, to encrypt data at the application layer. This protects against attackers in the event that they manage to gain access to etcd.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.3.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "application_layer_encryption_enabled", "false", "" ] ], "id_suffix": "application_layer_encryption_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-binary-authorization-disabled.json ================================================ { "description": "Binary Authorization Disabled", "rationale": "Binary Authorization provides software supply-chain security for images that you deploy to GKE from Google Container Registry (GCR) or another container image registry.
Binary Authorization requires images to be signed by trusted authorities during the development process. These signatures are then validated at deployment time. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.10.5" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/binary-authorization/" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.binary_authorization_enabled", "false", "" ] ], "id_suffix": "binary_authorization_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-has-no-labels.json ================================================ { "description": "Clusters Lacking Labels", "rationale": "Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. 
Labels can also be used to apply specific security settings and auto configure objects at creation.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.5" } ], "references": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_namespaces_and_rbac_to_restrict_access_to_cluster_resources" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.has_labels", "false", "" ] ], "id_suffix": "has_no_labels" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-logging-disabled.json ================================================ { "description": "Cluster Logging Disabled", "rationale": "You should enable cluster logging and use a logging service so your cluster can export logs about its activities.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.1" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.7.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://kubernetes.io/docs/tasks/debug-application-cluster/audit/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#stackdriver_logging", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.logging_enabled", "false", "" ] ], "id_suffix": "logging_disabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-master-authorized-networks-disabled.json ================================================ { "description": "Master Authorized Networks Disabled", "rationale": "Master 
authorized networks blocks untrusted IP addresses from outside Google Cloud Platform. Addresses from inside GCP can still reach your master through HTTPS provided that they have the necessary Kubernetes credentials.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.4" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.3" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.master_authorized_networks_enabled", "false", "" ] ], "id_suffix": "master_authorized_networks_disabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-metadata-server-disabled.json ================================================ { "description": "GKE Metadata Server Disabled", "rationale": "Every GKE node stores its metadata on a metadata server. Some of this metadata, such as kubelet credentials and the VM instance identity token, is sensitive and should not be exposed to a Kubernetes workload.
Enabling the GKE Metadata server prevents pods (that are not running on the host network) from accessing this metadata and facilitates Workload Identity.
When unspecified, the default setting allows running pods to have full access to the node's underlying metadata server.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.4.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#concealment" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "metadata_server_enabled", "false", "" ] ], "id_suffix": "metadata_server_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-monitoring-disabled.json ================================================ { "description": "Cluster Monitoring Disabled", "rationale": "You should enable cluster monitoring and use a monitoring service so your cluster can export metrics about its activities.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.2" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.7.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#stackdriver_logging", "https://cloud.google.com/monitoring/kubernetes-engine#about-skm", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.monitoring_enabled", "false", "" ] ], "id_suffix": "monitoring_disabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-network-policy-disabled.json ================================================ { "description": "Network Policy Disabled", "rationale": "By default, pods are 
non-isolated; they accept traffic from any source. Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.11" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.7" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_with_network_policy", "https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview#network_security", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.network_policy_enabled", "false", "" ] ], "id_suffix": "network_policy_disabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-pod-security-policy-config-disabled.json ================================================ { "description": "Pod Security Policy Disabled", "rationale": "A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.", "remediation": "Enable the Pod Security Policy. 
By default, Pod Security Policy is disabled when you create a new cluster.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.14" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.10.3" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies", "https://kubernetes.io/docs/concepts/policy/pod-security-policy", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.pod_security_policy_enabled", "false", "" ] ], "id_suffix": "pod_security_policy_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-private-endpoint-disabled.json ================================================ { "description": "Private Cluster Endpoint Disabled", "rationale": "In a private cluster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's VPC network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's VPC network.
Although the Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes API publicly with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack.
Unless required, disabling public endpoint will help prevent such threats, and require the attacker to be on the master's VPC network to perform any attack on the Kubernetes API.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.15" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.4" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on", "https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.private_endpoint_enabled", "false", "" ] ], "id_suffix": "private_endpoint_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-private-google-access-disabled.json ================================================ { "description": "Private Google Access Disabled", "rationale": "Enabling Private Google Access allows hosts on a subnetwork to use a private IP address to reach Google APIs rather than an external IP address.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.16" } ], "references": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.private_ip_google_access_enabled", "false", "" ] ], "id_suffix": "private_ip_google_access_disabled" } ================================================ FILE: 
ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-release-channel.json ================================================ { "description": "Cluster Not Subscribed to Release Channel", "rationale": "Release Channels signal a graduating level of stability and production-readiness. These are based on observed performance of GKE clusters running that version and represent experience and confidence in the cluster version.
The Regular release channel upgrades every few weeks and is for production users who need features not yet offered in the Stable channel. These versions have passed internal validation, but don't have enough historical data to guarantee their stability. Known issues generally have known workarounds.
The Stable release channel upgrades every few months and is for production users who need stability above all else, and for whom frequent upgrades are too risky. These versions have passed internal validation and have been shown to be stable and reliable in production, based on the observed performance of those clusters.
Critical security patches are delivered to all release channels.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.4" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/concepts/release-channels" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.release_channel", "containNoneOf", [ "REGULAR", "STABLE" ] ] ], "id_suffix": "release_channel" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-shielded-nodes-disabled.json ================================================ { "description": "Shielded GKE Nodes Disabled", "rationale": "Shielded GKE nodes protect clusters against boot- or kernel-level malware or rootkits that persist beyond the infected OS.
Shielded GKE nodes run firmware which is signed and verified using Google's Certificate Authority, ensuring that the nodes' firmware is unmodified and establishing the root of trust for Secure Boot. GKE node identity is strongly protected via virtual Trusted Platform Module (vTPM) and verified remotely by the master node before the node joins the cluster.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.5" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.shielded_nodes_enabled", "false", "" ] ], "id_suffix": "shielded_nodes_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-cluster-workload-identity-disabled.json ================================================ { "description": "Workload Identity Disabled", "rationale": "Enabling Workload Identity manages the distribution and rotation of Service account keys for the workloads to use.
Kubernetes workloads should not use cluster node service accounts to authenticate to Google Cloud APIs. Each Kubernetes Workload that needs to authenticate to other Google services using Cloud IAM should be provisioned a dedicated Service account.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.2.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "workload_identity_enabled", "true", "" ] ], "id_suffix": "workload_identity_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-dashboard-enabled.json ================================================ { "description": "Kubernetes Dashboard Enabled", "rationale": "You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. 
The Cloud Console provides much of the same functionality, so you don't need this functionality.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.6" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.10.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#disable_kubernetes_dashboard", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.dashboard_status", "equal", "Enabled" ] ], "id_suffix": "dashboard_status" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-default-service-account-used.json ================================================ { "description": "Default Service Account in Use", "rationale": "Each GKE node has a Service Account associated with it. By default, nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. 
You should create and use a minimally privileged service account to run your GKE cluster instead of using the Compute Engine default service account.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.17" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.2.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.service_account", "equal", "default" ] ], "id_suffix": "default_service_account_used" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-legacy-abac-enabled.json ================================================ { "description": "Legacy Authorization (ABAC) Enabled", "rationale": "The legacy authorizer in Kubernetes grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. 
RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.3" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.8.4" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled_default_for_110", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.legacy_abac_enabled", "true", "" ] ], "id_suffix": "legacy_abac_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-legacy-metadata-endpoints-enabled.json ================================================ { "description": "Legacy Metadata Endpoints Enabled", "rationale": "The instance metadata server exposed legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers. Enforcing these headers is a feature of the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata, for example through Server-Side Request Forgery (SSRF). 
Unless specifically required, we recommend you disable these legacy APIs.", "compliance": [ { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.4.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#protect_node_metadata_default_for_112", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.legacy_metadata_endpoints_enabled", "true", "" ] ], "id_suffix": "legacy_metadata_endpoints_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-node-auto-repair-disabled.json ================================================ { "description": "Nodes with Auto-Repair Disabled", "rationale": "Auto-repair helps maintain the cluster nodes in a healthy, running state.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.7" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.2" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.auto_repair_enabled", "false", "" ] ], "id_suffix": "auto_repair_disabled" } ================================================ FILE: 
ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-node-auto-upgrade-disabled.json ================================================ { "description": "Nodes with Auto-Upgrade Disabled", "rationale": "Auto-upgrades automatically ensures that security updates are applied and kept up to date.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.8" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.3" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.auto_upgrade_enabled", "false", "" ] ], "id_suffix": "auto_upgrade_disabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-node-container-optimized-os-not-used.json ================================================ { "description": "Lack of Container-Optimized OS Node Images", "rationale": "It is recommended to use container-optimized OS images, as they provide improved support, security and stability.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.9" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.5.1" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/container-optimized-os/docs/concepts/features-and-benefits", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on", "https://cloud.google.com/kubernetes-engine/docs/concepts/node-images" ], "dashboard_name": "Clusters", "path": 
"kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.image_type", "containNoneOf", [ "COS", "COS_CONTAINERD" ] ] ], "id_suffix": "container_optimized_os_not_used" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-node-integrity-monitoring-disabled.json ================================================ { "description": "Nodes with Integrity Monitoring Disabled", "rationale": "The Integrity Monitoring feature should be enabled for GKE cluster nodes in order to monitor and automatically check the runtime boot integrity of shielded cluster nodes using Cloud Monitoring service.", "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster", "https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.integrity_monitoring_enabled", "false", "" ] ], "id_suffix": "integrity_monitoring_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-node-secure-boot-disabled.json ================================================ { "description": "Nodes with Secure Boot Disabled", "rationale": "The Secure Boot feature should be enabled for GKE cluster nodes in order to protect them against malware and rootkits. 
Secure Boot helps ensure that the system runs only authentic software by verifying the digital signature of all boot components, and halting the boot process if the signature verification fails.", "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster", "https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes" ], "dashboard_name": "Clusters", "display_path": "kubernetesengine.projects.id.clusters.id", "path": "kubernetesengine.projects.id.clusters.id.node_pools.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.node_pools.id.secure_boot_enabled", "false", "" ] ], "id_suffix": "secure_boot_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-private-nodes-disabled.json ================================================ { "description": "Private Cluster Nodes Disabled", "rationale": "Private Nodes are nodes with no public IP addresses. 
Disabling public IP addresses on cluster nodes restricts access to only internal networks, forcing attackers to obtain local network access before attempting to compromise the underlying Kubernetes hosts.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.15" }, { "name": "CIS GKE Benchmark", "version": "1.0.0", "reference": "6.6.5" } ], "references": [ "https://www.cisecurity.org/benchmark/kubernetes/", "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default_values_on", "https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.private_nodes_enabled", "false", "" ] ], "id_suffix": "private_nodes_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/kubernetesengine-scopes-not-limited.json ================================================ { "description": "Lack of Access Scope Limitation", "rationale": "If you are not creating a separate service account for your nodes, you should limit the scopes of the node service account to reduce the opportunity for privilege escalation. This ensures that the default service account does not have permissions beyond those necessary to run your cluster. While the default scopes are limited, they may include scopes beyond the minimally required ones needed to run your cluster. 
If you are accessing private images in Google Container Registry, the minimally required scopes are only logging.write, monitoring, and devstorage.read_only.", "compliance": [ { "name": "CIS Google Cloud Platform Foundations", "version": "1.0.0", "reference": "7.18" } ], "references": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes" ], "dashboard_name": "Clusters", "path": "kubernetesengine.projects.id.clusters.id", "conditions": [ "and", [ "kubernetesengine.projects.id.clusters.id.has_limited_scopes", "false", "" ] ], "id_suffix": "scopes_not_limited" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/logging-monitoring-diagnostic-setting-does-not-exist.json ================================================ { "description": "Diagnostic Setting Does Not Exist", "rationale": "A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.", "remediation": "In the Azure console:
  1. Go to Diagnostic settings
  2. Click on Add diagnostic setting.
  3. Add rules to allow traffic from specific network.
  4. Configure the setting including the export location (This may be Log Analytics/Storage account or Event Hub)
  5. Click on Save
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "5.1.1" } ], "references": [ "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview#export-the-activity-log-with-a-log-profile", "https://learn.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis" ], "dashboard_name": "Diagnostic Settings", "path": "loggingmonitoring.subscriptions.id.diagnostic_settings.id", "conditions": [ "and", [ "loggingmonitoring.subscriptions.id.diagnostic_settings.id.diagnostic_exist", "false", "" ] ], "id_suffix": "diagnostic_exist" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/logging-monitoring-log-alert-not-exist-create-policy-assignment.json ================================================ { "description": "Activity Log Alert Does Not Exist for Create Policy Assignment", "rationale": "Monitoring for \"Create Policy Assignment\" events gives insight into changes done in \"azure policy -assignments\" and can reduce the time it takes to detect unsolicited changes.", "remediation": "In the Azure console:
  1. Go to Monitor service on Azure Security Center
  2. Select Alerts blade
  3. Click On New alert Rule
  4. Under Scope, click Select resource
  5. Select the appropriate subscription under Filter by subscription
  6. Select Policy Assignment under Filter by resource type
  7. Select All for Filter by location
  8. Click on the subscription from the entries populated under Resource
  9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
  10. Under Condition click Select Condition
  11. Select Create policy assignment signal
  12. Click Done
  13. Under Action group, select appropriate action group
  14. Under Alert rule details, enter rule name and description
  15. Select appropriate resource group
  16. Check Enable alert rule upon creation checkbox
  17. Click Create alert rule
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "5.2.1" } ], "references": [ "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement/", "https://learn.microsoft.com/en-in/azure/azure-monitor/alerts/alerts-activity-log", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Alert Rules", "path": "loggingmonitoring.subscriptions.id.log_alerts.id", "conditions": [ "or", [ "loggingmonitoring.subscriptions.id.log_alerts.id.create_policy_assignment_exist", "false", "" ], [ "loggingmonitoring.subscriptions.id.log_alerts.id.create_policy_assignment_exist", "null", "" ] ], "id_suffix": "create_policy_assignment_exist" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/logging-monitoring-log-alert-not-exist-nsg.json ================================================ { "description": "Activity Log Alert Does Not Exist for _ARG_0_", "rationale": "Monitoring for \"_ARG_0_\" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", "remediation": "In the Azure console:
  1. Go to Monitor service on Azure Security Center
  2. Select Alerts blade
  3. Click On New alert Rule
  4. Under Scope, click Select resource
  5. Select the appropriate subscription under Filter by subscription
  6. Select Policy Assignment under Filter by resource type
  7. Select All for Filter by location
  8. Click on the subscription from the entries populated under Resource
  9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
  10. Under Condition click Select Condition
  11. Select Create policy assignment signal
  12. Click Done
  13. Under Action group, select appropriate action group
  14. Under Alert rule details, enter rule name and description
  15. Select appropriate resource group
  16. Check Enable alert rule upon creation checkbox
  17. Click Create alert rule
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "_ARG_1_" } ], "references": [ "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement/", "https://learn.microsoft.com/en-in/azure/azure-monitor/alerts/alerts-activity-log", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Alert Rules", "path": "loggingmonitoring.subscriptions.id.log_alerts.id", "conditions": [ "or", [ "loggingmonitoring.subscriptions.id.log_alerts.id._ARG_2_", "false", "" ], [ "loggingmonitoring.subscriptions.id.log_alerts.id._ARG_2_", "null", "" ] ], "key": "_ARG_2_", "arg_names": [ "Event", "Associated CIS rule", "Dictionary Value" ], "id_suffix": "_ARG_2_" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/logging-monitoring-log-alert-not-exist-security-solution.json ================================================ { "description": "Activity Log Alert Does Not Exist for _ARG_0_", "rationale": "Monitoring for \"_ARG_0_\" events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.", "remediation": "In the Azure console:
  1. Go to Monitor service on Azure Security Center
  2. Select Alerts blade
  3. Click On New alert Rule
  4. Under Scope, click Select resource
  5. Select the appropriate subscription under Filter by subscription
  6. Select Policy Assignment under Filter by resource type
  7. Select All for Filter by location
  8. Click on the subscription from the entries populated under Resource
  9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name
  10. Under Condition click Select Condition
  11. Select Create policy assignment signal
  12. Click Done
  13. Under Action group, select appropriate action group
  14. Under Alert rule details, enter rule name and description
  15. Select appropriate resource group
  16. Check Enable alert rule upon creation checkbox
  17. Click Create alert rule
", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "_ARG_1_" } ], "references": [ "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement/", "https://learn.microsoft.com/en-in/azure/azure-monitor/alerts/alerts-activity-log", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate", "https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Alert Rules", "path": "loggingmonitoring.subscriptions.id.log_alerts.id", "conditions": [ "or", [ "loggingmonitoring.subscriptions.id.log_alerts.id._ARG_2_", "false", "" ], [ "loggingmonitoring.subscriptions.id.log_alerts.id._ARG_2_", "null", "" ] ], "key": "_ARG_2_", "arg_names": [ "Event", "Associated CIS rule", "Dictionary Value" ], "id_suffix": "_ARG_2_" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/logging-monitoring-logging-key-vault-disabled.json ================================================ { "description": "Logging for Azure Key Vault Is Disabled", "rationale": "Monitoring how and when key vaults are accessed, and by whom enables an audit trail of interactions with confidential information, keys and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account that the user provides. 
This creates a new container named insights-logs-auditevent automatically for the specified storage account, and this same storage account can be used for collecting logs for multiple key vaults.", "remediation": "Follow Microsoft Azure documentation and set up Azure Key Vault Logging.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "5.1.5" } ], "references": [ "https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Key Vaults", "path": "loggingmonitoring.subscriptions.id.resources_logging.id", "conditions": [ "and", [ "loggingmonitoring.subscriptions.id.resources_logging.id.diagnostic_key_vault.audit_event_enabled", "false", "" ] ], "id_suffix": "diagnostic_key_vault_audit_event_enabled" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/logging-monitoring-profile-does-not-capture-all-activities.json ================================================ { "description": "Audit Profile Does Not Capture All Activities", "rationale": "A log profile controls how the activity log is exported. 
Configuring the log profile to collect logs for the categories \"write\", \"delete\" and \"action\" ensures that all the control/management plane activities performed on the subscription are exported.", "remediation": "On Azure portal there is no provision to check or set categories.", "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "1.2.0", "reference": "5.1.2" } ], "references": [ "https://learn.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az-monitor-log-profiles-update", "https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources" ], "dashboard_name": "Profile", "path": "loggingmonitoring.subscriptions.id.log_profiles.id", "conditions": [ "and", [ "loggingmonitoring.subscriptions.id.log_profiles.id.captures_all_activities", "false", "" ] ], "id_suffix": "captures_all_activities" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/networkpolicy-unrestricted-cluster-network-access.json ================================================ { "description": "Unrestricted Cluster Network Access", "rationale": "Unrestricted cluster networks allow any compromised pod to interact with any other pods.", "references": [ "https://kubernetes.io/docs/concepts/cluster-administration/networking/", "https://kubernetes.io/docs/concepts/services-networking/network-policies/" ], "dashboard_name": "Network Policies", "display_path": "network_policy.v1.id", "path": "network_policy", "conditions": [ "or", [ "network_policy.v1_count", "equal", "0" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/networkpolicy-unrestricted-cluster-network-egress.json ================================================ { "description": "Unrestricted Cluster Network Egress", "rationale": "Unrestricted cluster egress controls allow any compromised pod to interact with 
any other pods.", "references": [ "https://kubernetes.io/docs/concepts/cluster-administration/networking/", "https://kubernetes.io/docs/concepts/services-networking/network-policies/" ], "dashboard_name": "Network Policies", "display_path": "network_policy.v1-networking-k8s-io.id", "path": "network_policy.v1-networking-k8s-io.resources.id.data.spec.egress.id.data", "conditions": [ "and", [ "network_policy.v1-networking-k8s-io.resources.id.data.spec.egress", "notNull", "" ], [ "network_policy.v1-networking-k8s-io.resources.id.data.spec.egress.id.ports", "null", "" ], [ "network_policy.v1-networking-k8s-io.resources.id.data.spec.egress.id.to", "null", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/networkpolicy-unrestricted-cluster-network-ingress.json ================================================ { "description": "Unrestricted Cluster Network Ingress", "rationale": "Unrestricted cluster ingress controls allow any compromised pod to interact with any other pods.", "references": [ "https://kubernetes.io/docs/concepts/cluster-administration/networking/", "https://kubernetes.io/docs/concepts/services-networking/network-policies/" ], "dashboard_name": "Network Policies", "display_path": "network_policy.v1-networking-k8s-io.id", "path": "network_policy.v1-networking-k8s-io.resources.id.data.spec", "conditions": [ "or", [ "and", [ "network_policy.v1-networking-k8s-io.resources.id.data.spec", "withKey", "policy_types" ], [ "network_policy.v1-networking-k8s-io.resources.id.data.spec.policy_types", "notNull", "" ], [ "network_policy.v1-networking-k8s-io.resources.id.data.spec.policy_types", "notContainString", "Ingress" ] ], [ "and", [ "network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress", "notNull", "" ], [ "network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id.ports", "null", "" ], [ "network_policy.v1-networking-k8s-io.resources.id.data.spec.ingress.id.from", "null", "" ] ] ] 
} ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-apparmor-annotation-missing.json ================================================ { "description": "AppArmor Annotation Missing", "rationale": "The container.apparmor.security.beta.kubernetes.io annotation is missing. A compromised container with AppArmor disabled makes privilege escalation easier.", "references": [ "https://kubernetes.io/docs/tutorials/security/apparmor/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id", "conditions": [ "or", [ "pod.v1.resources.id.metadata", "withoutKey", "annotations" ], [ "pod.v1.resources.id.metadata.annotations", "withoutKey", "container.apparmor.security.beta.kubernetes.io" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-automounted-service-account-token.json ================================================ { "description": "Automounted Service Account Token", "rationale": "Default service account with token mounted. 
automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id", "conditions": [ "or", [ "pod.v1.resources.id.data.spec", "withoutKey", "automountServiceAccountToken" ], [ "pod.v1.resources.id.data.spec.automountServiceAccountToken", "null", "" ], [ "pod.v1.resources.id.data.spec.automountServiceAccountToken", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-container-ability-to-modify-root-filesystem.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Ability to Modify Root Filesystem", "rationale": "Root filesystems should be read-only where possible.", "remediation": "spec.(c|initC|ephemeralC)ontainers[].securityContext.readOnlyRootFilesystem should be explicitly set to true for the affected containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "pod.v1.resources.id.data.spec.containers.id", "withoutKey", "securityContext" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.readOnlyRootFilesystem", "false", "" ] ], "id_suffix": "readOnlyRootFilesystem" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-container-allowing-privilege-escalation.json 
================================================ { "description": "Container/InitContainer/EphemeralContainer Allowing Privilege Escalation", "rationale": "A container should disallow privilege escalation where possible. allowPrivilegeEscalation should be explicitly set to false.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "pod.v1.resources.id.data.spec.containers.id", "withoutKey", "securityContext" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.allowPrivilegeEscalation", "true", "" ] ], "id_suffix": "allowPrivilegeEscalation" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-container-running-as-root-group.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root Group", "rationale": "Where possible, runAsGroup should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "and", [ "pod.v1.resources.id.data.spec.securityContext", "notNull", "" ], [ "pod.v1.resources.id.data.spec.securityContext.runAsGroup", "equal", "0" ] ], [ "and", [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "notNull", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.runAsGroup", "equal", "0" ] ] ], 
"id_suffix": "runAsGroup" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-container-running-as-root-user.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root User", "rationale": "Where possible, runAsUser should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "and", [ "pod.v1.resources.id.data.spec.securityContext", "notNull", "" ], [ "pod.v1.resources.id.data.spec.securityContext.runAsUser", "equal", "0" ] ], [ "and", [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "notNull", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.runAsUser", "equal", "0" ] ] ], "id_suffix": "runAsUser" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-container-with-overly-permissive-capabilities.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Permissive Capabilities", "rationale": "A container should drop all and add the necessary capabilities by default.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "pod.v1.resources.id.data.spec.containers.id", "withoutKey", "securityContext" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ 
"pod.v1.resources.id.data.spec.containers.id.securityContext.capabilities", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ], "id_suffix": "capabilities.drop" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-container-with-possible-root-privileges.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Possible Root Privileges", "rationale": "Where possible, runAsNonRoot should be set to true to prevent the container from running as root.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "and", [ "or", [ "pod.v1.resources.id.data.spec.securityContext.runAsNonRoot", "null", "" ], [ "pod.v1.resources.id.data.spec.securityContext.runAsNonRoot", "false", "" ] ], [ "or", [ "pod.v1.resources.id.data.spec.containers.id.securityContext.runAsNonRoot", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.runAsNonRoot", "false", "" ] ] ], "id_suffix": "runAsNonRoot" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-helm-tiller-in-use.json ================================================ { "description": "Helm/Tiller in Use", "rationale": "Helm 2 and Tiller have been deprecated since 2020.", "references": [ "https://helm.sh/blog/helm-v2-deprecation-timeline/", "https://github.com/markround/tiller#status" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id", "conditions": [ "or", [ "pod.v1.resources.id.data.name", "containString", "tiller" ], [ "pod.v1.resources.id.data.name", "containString", "tiller-deploy" ] ] } 
================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-host-ipc-true.json ================================================ { "description": "Pods Using Host IPC", "rationale": "A compromised pod with hostIPC set to true in PodSpec can be used as a pivot to the host IPC.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec", "conditions": [ "and", [ "pod.v1.resources.id.data.spec", "withKey", "host_ipc" ], [ "pod.v1.resources.id.data.spec.host_ipc", "true", "" ] ], "id_suffix": "host_ipc" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-host-network-true.json ================================================ { "description": "Pods Using Host Networking", "rationale": "A compromised pod with hostNetwork set to true in PodSpec can be used as a pivot to the host network.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec", "conditions": [ "and", [ "pod.v1.resources.id.data.spec", "withKey", "host_network" ], [ "host_network", "true", "" ] ], "id_suffix": "host_network" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-host-pid-true.json ================================================ { "description": "Pods Using Host PID", "rationale": "A compromised pod with hostPID set to true in PodSpec can be used as a pivot to the host PID.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec", "conditions": [ "and", [ "pod.v1.resources.id.data.spec", "withKey", "host_pid" ], [ "pod.v1.resources.id.data.spec.host_pid", "true", "" ] ], 
"id_suffix": "host_pid" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-kubernetes-container-manifest-hardening.json ================================================ { "description": "Kubernetes Container/InitContainer/EphemeralContainer Manifest Hardening", "rationale": "Several security options in the affected resources could be enabled to harden associated containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://www.cisecurity.org/benchmark/docker/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "pod.v1.resources.id.data.spec.containers.id", "withoutKey", "securityContext" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "withoutKey", "allowPrivilegeEscalation" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "withoutKey", "readOnlyRootFilesystem" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.capabilities", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ], "id_suffix": "hardening_required" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-privileged-container-running.json ================================================ { "description": "Privileged Container/InitContainer/EphemeralContainer Running", "rationale": "Access to a privileged container may result in privilege escalation. 
Administrators are encouraged to remove the privileged status of a pod if unnecessary. privileged should be explicitly set to false.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "and", [ "pod.v1.resources.id.data.spec.containers.id.securityContext", "notNull", "" ], [ "pod.v1.resources.id.data.spec.containers.id.securityContext.privileged", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-resources-without-defined-cpu-limit.json ================================================ { "description": "Resources without Defined CPU Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "pod.v1.resources.id.data.spec.containers.id.resources.limits", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [ "pod.v1.resources.id.data.spec.containers.id.resources.limits.cpu", "null", "" ] ], "id_suffix": "cpu" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-resources-without-defined-limits.json ================================================ { "description": "Resources without Defined Limits", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": 
"pod.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "pod.v1.resources.id.data.spec.containers.id.resources.limits", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [ "pod.v1.resources.id.data.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "pod.v1.resources.id.data.spec.containers.id.resources.limits.cpu", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.resources.limits.memory", "null", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/pod-resources-without-defined-memory-limit.json ================================================ { "description": "Resources without Defined Memory Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Pods", "display_path": "pod.v1.id", "path": "pod.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "pod.v1.resources.id.data.spec.containers.id.resources.limits", "null", "" ], [ "pod.v1.resources.id.data.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "pod.v1.resources.id.data.spec.containers.id.resources.limits.memory", "null", "" ] ], "id_suffix": "memory" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-apparmor-annotation-missing.json ================================================ { "description": "AppArmor Annotation Missing", "rationale": "The container.apparmor.security.beta.kubernetes.io annotation is missing. 
A compromised container with AppArmor disabled makes privilege escalation easier.", "references": [ "https://kubernetes.io/docs/tutorials/security/apparmor/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1-apps.id", "path": "pod_template.v1-apps.resources.id", "conditions": [ "or", [ "pod_template.v1-apps.resources.id.metadata", "withoutKey", "annotations" ], [ "pod_template.v1-apps.resources.id.metadata.annotations", "withoutKey", "container.apparmor.security.beta.kubernetes.io" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-automounted-service-account-token.json ================================================ { "description": "Automounted Service Account Token", "rationale": "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id", "conditions": [ "or", [ "pod_template.v1.resources.id.data.spec", "withoutKey", "automountServiceAccountToken" ], [ "pod_template.v1.resources.id.data.sspec.automountServiceAccountToken", "null", "" ], [ "pod_template.v1.resources.id.data.sspec.automountServiceAccountToken", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-container-ability-to-modify-root-filesystem.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Ability to Modify Root Filesystem", "rationale": "Root filesystems should be read-only where possible.", "remediation": "spec.template.spec.(c|initC|ephemeralC)ontainers[].securityContext.readOnlyRootFilesystem should be explicitly set 
to true for the affected containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "false", "" ] ], "id_suffix": "readOnlyRootFilesystem" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-container-allowing-privilege-escalation.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Allowing Privilege Escalation", "rationale": "A container should disallow privilege escalation where possible. 
allowPrivilegeEscalation should be explicitly set to false.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "true", "" ] ], "id_suffix": "allowPrivilegeEscalation" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-container-running-as-root-group.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root Group", "rationale": "Where possible, runAsGroup should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "pod_template.v1.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.securityContext.runAsGroup", "equal", "0" ] ], [ "and", [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ 
"pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.runAsGroup", "equal", "0" ] ] ], "id_suffix": "runAsGroup" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-container-running-as-root-user.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root User", "rationale": "Where possible, runAsUser should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "pod_template.v1.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.securityContext.runAsUser", "equal", "0" ] ], [ "and", [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.runAsUser", "equal", "0" ] ] ], "id_suffix": "runAsUser" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-container-with-overly-permissive-capabilities.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Permissive Capabilities", "rationale": "A container should drop all and add the necessary capabilities by default.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": 
"pod_template.v1.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ], "id_suffix": "capabilities.drop" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-container-with-possible-root-privileges.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Possible Root Privileges", "rationale": "Where possible, runAsNonRoot should be set to true to prevent the container from running as root.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "or", [ "pod_template.v1.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "false", "" ] ], [ "or", [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "false", "" ] ] ], "id_suffix": "runAsNonRoot" } ================================================ FILE: 
ScoutSuite/providers/kubernetes/rules/findings/podtemplate-host-ipc-true.json ================================================ { "description": "PodTemplates Using Host IPC", "rationale": "A compromised pod with hostIPC set to true in PodSpec can be used as a pivot to the host IPC.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec", "conditions": [ "and", [ "pod_template.v1.resources.id.data.spec.template.spec", "withKey", "host_ipc" ], [ "pod_template.v1.resources.id.data.spec.template.spec.host_ipc", "true", "" ] ], "id_suffix": "host_ipc" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-host-network-true.json ================================================ { "description": "PodTemplates Using Host Networking", "rationale": "A compromised pod with hostNetwork set to true in PodSpec can be used as a pivot to the host network.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec", "conditions": [ "and", [ "pod_template.v1.resources.id.data.spec.template.spec", "withKey", "host_network" ], [ "pod_template.v1.resources.id.data.spec.template.spec.host_network", "true", "" ] ], "id_suffix": "host_network" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-host-pid-true.json ================================================ { "description": "PodTemplates Using Host PID", "rationale": "A compromised pod with hostPID set to true in PodSpec can be used as a pivot to the host PID.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "PodTemplates", 
"display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec", "conditions": [ "and", [ "pod_template.v1.resources.id.data.spec.template.spec", "withKey", "host_pid" ], [ "pod_template.v1.resources.id.data.spec.template.spec.host_pid", "true", "" ] ], "id_suffix": "host_pid" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-privileged-container-running.json ================================================ { "description": "Privileged Container/InitContainer/EphemeralContainer Running", "rationale": "Access to a privileged container may result in privilege escalation. Administrators are encouraged to remove the privileged status of a pod if unnecessary.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.securityContext.privileged", "true", "" ] ], "id_suffix": "privileged" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-resources-without-defined-cpu-limit.json ================================================ { "description": "Resources without Defined CPU Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ 
"pod_template.v1.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.resources.limits.cpu", "null", "" ] ], "id_suffix": "cpu" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-resources-without-defined-limits.json ================================================ { "description": "Resources without Defined Limits", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "Pods", "display_path": "pod_template.v1.id", "path": "pod_template.v1.resources.id.data.spec.containers.id", "conditions": [ "or", [ "pod_template.v1.resources.id.data.spec.containers.id.resources.limits", "null", "" ], [ "pod_template.v1.resources.id.data.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [ "pod_template.v1.resources.id.data.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "pod_template.v1.resources.id.data.spec.containers.id.resources.limits.cpu", "null", "" ], [ "pod_template.v1.resources.id.data.spec.containers.id.resources.limits.memory", "null", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/podtemplate-resources-without-defined-memory-limit.json ================================================ { "description": "Resources without Defined Memory Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "PodTemplates", "display_path": "pod_template.v1.id", "path": 
"pod_template.v1.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "pod_template.v1.resources.id.data.spec.template.spec.containers.id.resources.limits.memory", "null", "" ] ], "id_suffix": "memory" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/rbac-dangerous-grants.json ================================================ { "description": "Dangerous Grants in Role-based Access Control (RBAC) Definition", "rationale": "Insufficient RBAC restrictions could enable unauthorized privilege escalation. The administrator should review the dangerous grants under RBAC.", "references": [ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/" ], "dashboard_name": "RBAC grants", "path": "rbac.dangerous_grants", "conditions": [ "not", [ "rbac.dangerous_grants_count", "equal", "0" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/rbac-dodgy-subjects.json ================================================ { "description": "Dodgy Subjects in Role-based Access Control (RBAC) Definition", "rationale": "Insufficient RBAC restrictions could enable unauthorized privilege escalation.
The administrator should review the dodgy subjects under RBAC.", "references": [ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/" ], "dashboard_name": "RBAC subjects", "path": "rbac.dodgy_subjects", "conditions": [ "not", [ "rbac.dodgy_subjects_count", "equal", "0" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/rbac-permissive-bindings.json ================================================ { "description": "Permissive Bindings in Role-based Access Control (RBAC) Definition", "rationale": "Insufficient RBAC restrictions could enable unauthorized privilege escalation. The administrator should review the permissive bindings under RBAC.", "references": [ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/" ], "dashboard_name": "RBAC bindings", "path": "rbac.permissive_bindings", "conditions": [ "not", [ "rbac.permissive_bindings_count", "equal", "0" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-apparmor-annotation-missing.json ================================================ { "description": "AppArmor Annotation Missing", "rationale": "The container.apparmor.security.beta.kubernetes.io annotation is missing. 
A compromised container with AppArmor disabled makes privilege escalation easier.", "references": [ "https://kubernetes.io/docs/tutorials/security/apparmor/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id", "conditions": [ "or", [ "replica_set.v1-apps.resources.id.metadata", "withoutKey", "annotations" ], [ "replica_set.v1-apps.resources.id.metadata.annotations", "withoutKey", "container.apparmor.security.beta.kubernetes.io" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-automounted-service-account-token.json ================================================ { "description": "Automounted Service Account Token", "rationale": "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id", "conditions": [ "or", [ "replica_set.v1-apps.resources.id.data.spec", "withoutKey", "automountServiceAccountToken" ], [ "replica_set.v1-apps.resources.id.data.spec.automountServiceAccountToken", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.automountServiceAccountToken", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-container-ability-to-modify-root-filesystem.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Ability to Modify Root Filesystem", "rationale": "Root filesystems should be read-only where possible.", "remediation": "spec.template.spec.(c|initC|ephemeralC)ontainers[].securityContext.readOnlyRootFilesystem should be 
explicitly set to true for the affected containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "false", "" ] ], "id_suffix": "readOnlyRootFilesystem" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-container-allowing-privilege-escalation.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Allowing Privilege Escalation", "rationale": "A container should disallow privilege escalation where possible. 
allowPrivilegeEscalation should be explicitly set to false.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "true", "" ] ], "id_suffix": "allowPrivilegeEscalation" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-container-running-as-root-group.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root Group", "rationale": "Where possible, runAsGroup should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsGroup", "equal", "0" ] ], [ "and", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ 
"replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsGroup", "equal", "0" ] ] ], "id_suffix": "runAsGroup" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-container-running-as-root-user.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root User", "rationale": "Where possible, runAsUser should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsUser", "equal", "0" ] ], [ "and", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsUser", "equal", "0" ] ] ], "id_suffix": "runAsUser" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-container-with-overly-permissive-capabilities.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Permissive Capabilities", "rationale": "A container should drop all and add the necessary capabilities by default.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": 
"replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ], "id_suffix": "capabilities.drop" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-container-with-possible-root-privileges.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Possible Root Privileges", "rationale": "Where possible, runAsNonRoot should be set to true to prevent the container from running as root.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "or", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "false", "" ] ], [ "or", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "false", "" ] ] ], "id_suffix": "runAsNonRoot" } 
================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-host-ipc-true.json ================================================ { "description": "ReplicaSets Using Host IPC", "rationale": "A compromised pod with hostIPC set to true in PodSpec can be used as a pivot to the host IPC.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "replica_set.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_ipc" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.host_ipc", "true", "" ] ], "id_suffix": "host_ipc" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-host-network-true.json ================================================ { "description": "ReplicaSets Using Host Networking", "rationale": "A compromised pod with hostNetwork set to true in PodSpec can be used as a pivot to the host network.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "replica_set.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_network" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.host_network", "true", "" ] ], "id_suffix": "host_network" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-host-pid-true.json ================================================ { "description": "ReplicaSets Using Host PID", "rationale": "A compromised pod with hostPID set to true in PodSpec can be used as a pivot to the host PID.", "references": [ 
"https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "replica_set.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_pid" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.host_pid", "true", "" ] ], "id_suffix": "host_pid" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-kubernetes-container-manifest-hardening.json ================================================ { "description": "Kubernetes Container/InitContainer/EphemeralContainer Manifest Hardening", "rationale": "Several security options in the affected resources could be enabled to harden associated containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://www.cisecurity.org/benchmark/docker/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "allowPrivilegeEscalation" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "readOnlyRootFilesystem" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [
"replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-privileged-container-running.json ================================================ { "description": "Privileged Container/InitContainer/EphemeralContainer Running", "rationale": "Access to privileged container may result in privilege escalation. Administrators are encouraged to remove the privileged status of a pod if unnecessary.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.privileged", "true", "" ] ], "id_suffix": "privileged" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-resources-without-defined-cpu-limit.json ================================================ { "description": "Resources without Defined CPU Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [
"replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits.cpu", "null", "" ] ], "id_suffix": "cpu" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-resources-without-defined-limits.json ================================================ { "description": "Resources without Defined Limits", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources", "conditions": [ "or", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources", "withoutKey", "limits" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/replicaset-resources-without-defined-memory-limit.json ================================================ { "description": "Resources without Defined Memory Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "ReplicaSets", "display_path": "replica_set.v1-apps.id", "path": 
"replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "replica_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits.memory", "null", "" ] ], "id_suffix": "memory" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/service-helm-tiller-in-use.json ================================================ { "description": "Helm/Tiller in Use", "rationale": "Helm 2 and Tiller have been deprecated since 2020.", "references": [ "https://helm.sh/blog/helm-v2-deprecation-timeline/", "https://github.com/markround/tiller#status" ], "dashboard_name": "Services", "display_path": "service.v1.id", "path": "service.v1.resources.id", "conditions": [ "or", [ "service.v1.resources.id.data.name", "containString", "tiller" ], [ "service.v1.resources.id.data.name", "containString", "tiller-deploy" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/serviceaccount-automounted-service-account-token.json ================================================ { "description": "Automounted Service Account Token", "rationale": "Default service account with token mounted. 
automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ], "dashboard_name": "Service Accounts", "display_path": "service_account.v1.id", "path": "service_account.v1.resources.id", "conditions": [ "or", [ "service_account.v1.resources.id.data", "withoutKey", "automountServiceAccountToken" ], [ "service_account.v1.resources.id.data.automountServiceAccountToken", "null", "" ], [ "service_account.v1.resources.id.data.automountServiceAccountToken", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-apparmor-annotation-missing.json ================================================ { "description": "AppArmor Annotation Missing", "rationale": "The container.apparmor.security.beta.kubernetes.io annotation is missing. A compromised container with AppArmor disabled makes privilege escalation easier.", "references": [ "https://kubernetes.io/docs/tutorials/security/apparmor/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id", "conditions": [ "or", [ "stateful_set.v1-apps.resources.id.metadata", "withoutKey", "annotations" ], [ "stateful_set.v1-apps.resources.id.metadata.annotations", "withoutKey", "container.apparmor.security.beta.kubernetes.io" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-automounted-service-account-token.json ================================================ { "description": "Automounted Service Account Token", "rationale": "Default service account with token mounted. 
automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id", "conditions": [ "or", [ "stateful_set.v1-apps.resources.id.data.spec", "withoutKey", "automountServiceAccountToken" ], [ "stateful_set.v1-apps.resources.id.data.spec.automountServiceAccountToken", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.automountServiceAccountToken", "true", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-container-ability-to-modify-root-filesystem.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Ability to Modify Root Filesystem", "rationale": "Root filesystems should be read-only where possible.", "remediation": "spec.template.spec.(c|initC|ephemeralC)ontainers[].securityContext.readOnlyRootFilesystem should be explicitly set to true for the affected containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ 
"stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "false", "" ] ], "id_suffix": "readOnlyRootFilesystem" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-container-allowing-privilege-escalation.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Allowing Privilege Escalation", "rationale": "A container should disallow privilege escalation where possible. allowPrivilegeEscalation should be explicitly set to false.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "true", "" ] ], "id_suffix": "allowPrivilegeEscalation" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-container-running-as-root-group.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root Group", "rationale": "Where possible, runAsGroup should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", 
"https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsGroup", "equal", "0" ] ], [ "and", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsGroup", "equal", "0" ] ] ], "id_suffix": "runAsGroup" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-container-running-as-root-user.json ================================================ { "description": "Container/InitContainer/EphemeralContainer Running As Root User", "rationale": "Where possible, runAsUser should be set to a value greater than 0.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "and", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.securityContext", "notNull", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsUser", "equal", "0" ] ], [ "and", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsUser", "equal", "0" ] ] ], "id_suffix": "runAsUser" } ================================================ FILE: 
ScoutSuite/providers/kubernetes/rules/findings/statefulset-container-with-overly-permissive-capabilities.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Permissive Capabilities", "rationale": "A container should drop all and add the necessary capabilities by default.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ], "id_suffix": "capabilities.drop" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-container-with-possible-root-privileges.json ================================================ { "description": "Container/InitContainer/EphemeralContainer with Possible Root Privileges", "rationale": "Where possible, runAsNonRoot should be set to true to prevent the container from running as root.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": 
"stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "or", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.securityContext.runAsNonRoot", "false", "" ] ], [ "or", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.runAsNonRoot", "false", "" ] ] ], "id_suffix": "runAsNonRoot" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-host-ipc-true.json ================================================ { "description": "StatefulSets Using Host IPC", "rationale": "A compromised pod with hostIPC set to true in PodSpec can be used as a pivot to the host IPC.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_ipc" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.host_ipc", "true", "" ] ], "id_suffix": "host_ipc" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-host-network-true.json ================================================ { "description": "StatefulSets Using Host Networking", "rationale": "A compromised pod with hostNetwork set to true in PodSpec can be used as a pivot to the host network.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec", 
"conditions": [ "and", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_network" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.host_network", "true", "" ] ], "id_suffix": "host_network" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-host-pid-true.json ================================================ { "description": "StatefulSets Using Host PID", "rationale": "A compromised pod with hostPID set to true in PodSpec can be used as a pivot to the host PID.", "references": [ "https://kubernetes.io/docs/concepts/policy/pod-security-policy/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec", "conditions": [ "and", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec", "withKey", "host_pid" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.host_pid", "true", "" ] ], "id_suffix": "host_pid" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-kubernetes-container-manifest-hardening.json ================================================ { "description": "Kubernetes Container/InitContainer/EphemeralContainer Manifest Hardening", "rationale": "Several security options in the affected resources could be enabled to harden associated containers.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "https://www.cisecurity.org/benchmark/docker/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "withoutKey", "securityContext" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "null", "" ], [
"stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "allowPrivilegeEscalation" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "readOnlyRootFilesystem" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "withoutKey", "capabilities" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.allowPrivilegeEscalation", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.readOnlyRootFilesystem", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.capabilities.drop", "null", "" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-privileged-container-running.json ================================================ { "description": "Privileged Container/InitContainer/EphemeralContainer Running", "rationale": "Access to privileged container may result in privilege escalation. 
Administrators are encouraged to remove the privileged status of a pod if unnecessary.", "references": [ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "and", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext", "notNull", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.securityContext.privileged", "true", "" ] ], "id_suffix": "privileged" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-resources-without-defined-cpu-limit.json ================================================ { "description": "Resources without Defined CPU Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits.cpu", "null", "" ] ], "id_suffix": "cpu" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-resources-without-defined-limits.json ================================================ { "description": "Resources without Defined Limits", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [
"https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources", "conditions": [ "or", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources", "withoutKey", "limits" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "cpu" ] ] } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/findings/statefulset-resources-without-defined-memory-limit.json ================================================ { "description": "Resources without Defined Memory Limit", "rationale": "Unset resource limits could result in service denial through resource exhaustion.", "references": [ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" ], "dashboard_name": "StatefulSets", "display_path": "stateful_set.v1-apps.id", "path": "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id", "conditions": [ "or", [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "null", "" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits", "withoutKey", "memory" ], [ "stateful_set.v1-apps.resources.id.data.spec.template.spec.containers.id.resources.limits.memory", "null", "" ] ], "id_suffix": "memory" } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/rulesets/aks.json ================================================ { "about": "This ruleset consists of numerous rules that are considered standard by NCC 
Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.", "rules": { "configmap-unnecessary-secrets.json": [ { "enabled": true, "level": "warning" } ], "cron-job-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "cron-job-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "cron-job-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "cron-job-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "cron-job-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "cron-job-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "daemonset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "daemonset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" 
} ], "daemonset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "daemonset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "daemonset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "daemonset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "daemonset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "deployment-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "deployment-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-with-possible-root-privileges.json": [ { 
"enabled": true, "level": "warning" } ], "deployment-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "deployment-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "deployment-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "deployment-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "job-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "job-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "job-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "job-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "job-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "job-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "job-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "job-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "job-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "job-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "job-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "job-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "job-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "job-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "job-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], 
"logging-monitoring-diagnostic-setting-does-not-exist.json": [ { "enabled": false, "level": "warning" } ], "logging-monitoring-log-alert-not-exist-create-policy-assignment.json": [ { "enabled": true, "level": "warning" } ], "logging-monitoring-log-alert-not-exist-nsg.json": [ { "args": [ "Create/Update Network Security Group", "5.2.2", "create_update_NSG_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Delete Network Security Group", "5.2.3", "delete_NSG_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Create/Update Network Security Group Rule", "5.2.4", "create_update_NSG_rule_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Delete Network Security Group Rule", "5.2.5", "delete_NSG_rule_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Create/Update/Delete SQL Server Firewall Rule", "5.2.8", "create_delete_firewall_rule_exist" ], "enabled": true, "level": "warning" } ], "logging-monitoring-log-alert-not-exist-security-solution.json": [ { "args": [ "Create/Update Security Solution", "5.2.6", "create_update_security_solution_exist" ], "enabled": true, "level": "warning" }, { "args": [ "Delete Security Solution", "5.2.7", "delete_security_solution_exist" ], "enabled": true, "level": "warning" } ], "logging-monitoring-logging-key-vault-disabled.json": [ { "enabled": false, "level": "warning" } ], "logging-monitoring-profile-does-not-capture-all-activities.json": [ { "enabled": true, "level": "warning" } ], "networkpolicy-unrestricted-cluster-network-access.json": [ { "enabled": true, "level": "danger" } ], "networkpolicy-unrestricted-cluster-network-egress.json": [ { "enabled": true, "level": "danger" } ], "networkpolicy-unrestricted-cluster-network-ingress.json": [ { "enabled": true, "level": "danger" } ], "pod-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "pod-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], 
"pod-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "pod-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "pod-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "pod-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "pod-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "pod-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "pod-helm-tiller-in-use.json": [ { "enabled": true, "level": "danger" } ], "pod-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "pod-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "pod-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "pod-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "pod-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "pod-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "pod-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-host-ipc-true.json": [ { "enabled": true, 
"level": "danger" } ], "podtemplate-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "rbac-dangerous-grants.json": [ { "enabled": true, "level": "warning" } ], "rbac-dodgy-subjects.json": [ { "enabled": true, "level": "warning" } ], "rbac-permissive-bindings.json": [ { "enabled": true, "level": "warning" } ], "replicaset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "replicaset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "replicaset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "replicaset-resources-without-defined-cpu-limit.json": [ { 
"enabled": true, "level": "warning" } ], "replicaset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "replicaset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "service-helm-tiller-in-use.json": [ { "enabled": true, "level": "danger" } ], "serviceaccount-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "statefulset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "statefulset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "statefulset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "statefulset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "statefulset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "statefulset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/rulesets/default.json 
================================================ { "about": "This ruleset consists of numerous rules that are considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.", "rules": { "configmap-unnecessary-secrets.json": [ { "enabled": true, "level": "warning" } ], "cron-job-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "cron-job-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "cron-job-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "cron-job-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "cron-job-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "cron-job-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "daemonset-apparmor-annotation-missing.json": 
[ { "enabled": true, "level": "warning" } ], "daemonset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "daemonset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "daemonset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "daemonset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "daemonset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "deployment-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "deployment-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], 
"deployment-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "deployment-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "deployment-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "deployment-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "deployment-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "job-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "job-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "job-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "job-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "job-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "job-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "job-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "job-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "job-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "job-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "job-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "job-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "job-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], 
"job-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "job-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "networkpolicy-unrestricted-cluster-network-access.json": [ { "enabled": true, "level": "danger" } ], "networkpolicy-unrestricted-cluster-network-egress.json": [ { "enabled": true, "level": "danger" } ], "networkpolicy-unrestricted-cluster-network-ingress.json": [ { "enabled": true, "level": "danger" } ], "pod-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "pod-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "pod-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "pod-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "pod-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "pod-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "pod-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "pod-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "pod-helm-tiller-in-use.json": [ { "enabled": true, "level": "danger" } ], "pod-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "pod-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "pod-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "pod-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "pod-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "pod-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "pod-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], 
"podtemplate-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "rbac-dangerous-grants.json": [ { "enabled": true, "level": "warning" } ], "rbac-dodgy-subjects.json": [ { "enabled": true, "level": "warning" } ], "rbac-permissive-bindings.json": [ { "enabled": true, "level": "warning" } ], "replicaset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "replicaset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], 
"replicaset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "replicaset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "replicaset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "replicaset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "replicaset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "service-helm-tiller-in-use.json": [ { "enabled": true, "level": "danger" } ], "serviceaccount-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "statefulset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "statefulset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "statefulset-host-ipc-true.json": [ { "enabled": true, "level": "danger" 
} ], "statefulset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "statefulset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "statefulset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "statefulset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/rulesets/eks.json ================================================ { "about": "This ruleset consists of numerous rules that are considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.", "rules": { "configmap-unnecessary-secrets.json": [ { "enabled": true, "level": "warning" } ], "cron-job-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "cron-job-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-with-possible-root-privileges.json": [ { "enabled": true, 
"level": "warning" } ], "cron-job-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "cron-job-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "cron-job-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "cron-job-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "daemonset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "daemonset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "daemonset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "daemonset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "daemonset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], 
"daemonset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "deployment-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "deployment-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "deployment-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "deployment-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "deployment-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "deployment-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "eks-insufficient-control-plane-logging.json": [ { "enabled": true, "level": "danger" } ], "eks-kms-encryption-disabled.json": [ { "enabled": true, "level": "danger" } ], "eks-publically-accessible-apiserver.json": [ { "enabled": true, "level": "warning" } ], "job-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "job-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], 
"job-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "job-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "job-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "job-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "job-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "job-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "job-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "job-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "job-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "job-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "job-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "job-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "job-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "networkpolicy-unrestricted-cluster-network-access.json": [ { "enabled": true, "level": "danger" } ], "networkpolicy-unrestricted-cluster-network-egress.json": [ { "enabled": true, "level": "danger" } ], "networkpolicy-unrestricted-cluster-network-ingress.json": [ { "enabled": true, "level": "danger" } ], "pod-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "pod-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "pod-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "pod-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "pod-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "pod-container-running-as-root-user.json": [ { "enabled": true, "level": 
"danger" } ], "pod-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "pod-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "pod-helm-tiller-in-use.json": [ { "enabled": true, "level": "danger" } ], "pod-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "pod-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "pod-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "pod-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "pod-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "pod-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "pod-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-resources-without-defined-cpu-limit.json": [ { "enabled": true, 
"level": "warning" } ], "podtemplate-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "rbac-dangerous-grants.json": [ { "enabled": true, "level": "warning" } ], "rbac-dodgy-subjects.json": [ { "enabled": true, "level": "warning" } ], "rbac-permissive-bindings.json": [ { "enabled": true, "level": "warning" } ], "replicaset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "replicaset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "replicaset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "replicaset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "replicaset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "replicaset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "service-helm-tiller-in-use.json": [ { "enabled": true, "level": "danger" } ], 
"serviceaccount-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "statefulset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "statefulset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "statefulset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "statefulset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "statefulset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "statefulset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/rulesets/filters.json ================================================ { "about": "Default set of filters for Scout", "rules": {} } ================================================ FILE: ScoutSuite/providers/kubernetes/rules/rulesets/gke.json ================================================ { "about": "This ruleset consists of numerous rules that are 
considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.", "rules": { "configmap-unnecessary-secrets.json": [ { "enabled": true, "level": "warning" } ], "cron-job-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "cron-job-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "cron-job-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "cron-job-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "cron-job-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "cron-job-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "cron-job-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "cron-job-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "cron-job-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "daemonset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "daemonset-automounted-service-account-token.json": [ { 
"enabled": true, "level": "danger" } ], "daemonset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "daemonset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "daemonset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "daemonset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "daemonset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "daemonset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "daemonset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "daemonset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "deployment-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "deployment-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "deployment-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "deployment-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], 
"deployment-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "deployment-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "deployment-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "deployment-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "deployment-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "deployment-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "job-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "job-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "job-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "job-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "job-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "job-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "job-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "job-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "job-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "job-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "job-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "job-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "job-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "job-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], 
"job-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-basic-authentication-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-certificate-authentication-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-alias-ip-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-application-layer-encryption-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-binary-authorization-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-has-no-labels.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-logging-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-master-authorized-networks-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-metadata-server-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-monitoring-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-network-policy-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-pod-security-policy-config-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-private-endpoint-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-private-google-access-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-release-channel.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-shielded-nodes-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-cluster-workload-identity-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-dashboard-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-default-service-account-used.json": [ { 
"enabled": true, "level": "warning" } ], "kubernetesengine-legacy-abac-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-legacy-metadata-endpoints-enabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-auto-repair-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-auto-upgrade-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-container-optimized-os-not-used.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-integrity-monitoring-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-node-secure-boot-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-private-nodes-disabled.json": [ { "enabled": true, "level": "warning" } ], "kubernetesengine-scopes-not-limited.json": [ { "enabled": true, "level": "warning" } ], "networkpolicy-unrestricted-cluster-network-access.json": [ { "enabled": true, "level": "danger" } ], "networkpolicy-unrestricted-cluster-network-egress.json": [ { "enabled": true, "level": "danger" } ], "networkpolicy-unrestricted-cluster-network-ingress.json": [ { "enabled": true, "level": "danger" } ], "pod-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "pod-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "pod-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "pod-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "pod-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "pod-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "pod-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "pod-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], 
"pod-helm-tiller-in-use.json": [ { "enabled": true, "level": "danger" } ], "pod-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "pod-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "pod-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "pod-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "pod-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "pod-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "pod-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "podtemplate-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "podtemplate-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": 
"warning" } ], "rbac-dangerous-grants.json": [ { "enabled": true, "level": "warning" } ], "rbac-dodgy-subjects.json": [ { "enabled": true, "level": "warning" } ], "rbac-permissive-bindings.json": [ { "enabled": true, "level": "warning" } ], "replicaset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "replicaset-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "replicaset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "replicaset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "replicaset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "replicaset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "replicaset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "replicaset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "replicaset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ], "service-helm-tiller-in-use.json": [ { "enabled": true, "level": "danger" } ], "serviceaccount-automounted-service-account-token.json": [ { "enabled": true, "level": "danger" } ], "statefulset-apparmor-annotation-missing.json": [ { "enabled": true, "level": "warning" } ], "statefulset-automounted-service-account-token.json": 
[ { "enabled": true, "level": "danger" } ], "statefulset-container-ability-to-modify-root-filesystem.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-allowing-privilege-escalation.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-running-as-root-group.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-running-as-root-user.json": [ { "enabled": true, "level": "danger" } ], "statefulset-container-with-overly-permissive-capabilities.json": [ { "enabled": true, "level": "warning" } ], "statefulset-container-with-possible-root-privileges.json": [ { "enabled": true, "level": "warning" } ], "statefulset-host-ipc-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-host-network-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-host-pid-true.json": [ { "enabled": true, "level": "danger" } ], "statefulset-privileged-container-running.json": [ { "enabled": true, "level": "danger" } ], "statefulset-resources-without-defined-cpu-limit.json": [ { "enabled": true, "level": "warning" } ], "statefulset-resources-without-defined-limits.json": [ { "enabled": true, "level": "warning" } ], "statefulset-resources-without-defined-memory-limit.json": [ { "enabled": true, "level": "warning" } ] } } ================================================ FILE: ScoutSuite/providers/kubernetes/services.py ================================================ from ScoutSuite.providers.azure.facade.base import AzureFacade from ScoutSuite.providers.base.services import BaseServicesConfig from ScoutSuite.providers.gcp.facade.base import GCPFacade from ScoutSuite.providers.kubernetes.authentication_strategy import ClusterProvider, KubernetesCredentials from ScoutSuite.providers.kubernetes.facade import KubernetesFacade from ScoutSuite.providers.kubernetes.resources.aks import AKS from ScoutSuite.providers.kubernetes.resources.base import KubernetesResources from 
ScoutSuite.providers.kubernetes.resources.eks import EKS
from ScoutSuite.providers.kubernetes.resources.gke import GKE
from ScoutSuite.providers.kubernetes.resources.workload import Workload
from ScoutSuite.providers.kubernetes.resources.fake_network_policy import FakeNetworkPolicy
from ScoutSuite.providers.kubernetes.resources.rbac import RBAC
from ScoutSuite.providers.kubernetes.resources.version import KubernetesVersions
from ScoutSuite.providers.kubernetes.utils import format_resource_kind


class KubernetesServicesConfig(BaseServicesConfig):
    """Object that holds the necessary Kubernetes configuration for all services in scope.

    Unless ``credentials.fetch_local`` is set, construction builds a
    KubernetesFacade, exposes every resource kind returned by the core and
    extra facades as an attribute of this object, and then adds the RBAC,
    workload and provider-specific (AKS / EKS / GKE) resources.
    """

    def __init__(self, credentials: KubernetesCredentials):
        """Populate the service attributes from the cluster described by *credentials*."""
        super().__init__(credentials)

        # With fetch_local set, no facade is created and no attribute is added.
        if credentials.fetch_local:
            return

        facade = KubernetesFacade(credentials)

        def register(resources):
            # One attribute per key of the mapping, named by format_resource_kind().
            # NOTE(review): the attribute names come from the keys returned by
            # get_resources(). A key that formats to 'version' would replace
            # self.version, and one that formats to 'rbac' or 'workload' would
            # itself be replaced further down - confirm the key set cannot collide.
            for kind in resources:
                setattr(self, format_resource_kind(kind), KubernetesResources(resources[kind]))

        # Done first to make sure the cluster is up and running.
        facade.version.get_versions()
        self.version = KubernetesVersions(facade)

        register(facade.core.get_resources())
        register(facade.extra.get_resources())

        self.rbac = RBAC(facade)
        self.workload = Workload(facade)

        # Only used when none of the fetched resources produced a 'network_policy' attribute.
        # Presumably a stand-in so the network-policy rules still have an object to
        # evaluate - TODO confirm against FakeNetworkPolicy.
        if not hasattr(self, 'network_policy'):
            self.network_policy = FakeNetworkPolicy(facade)

        # Managed-cluster extras: each provider gets its own facade and attribute name.
        provider = credentials.cluster_provider
        if provider == ClusterProvider.AKS.value:
            self.loggingmonitoring = AKS(AzureFacade(credentials.azure))
        elif provider == ClusterProvider.EKS.value:
            self.eks = EKS(facade)
        elif provider == ClusterProvider.GKE.value:
            self.kubernetesengine = GKE(GCPFacade(credentials.gcp.default_project_id))

    def _is_provider(self, provider_name):
        """Return True only when *provider_name* is 'kubernetes'."""
        return provider_name == 'kubernetes'

================================================
FILE: ScoutSuite/providers/kubernetes/utils.py
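================================================
from re import sub


def format_resource_kind(kind: str):
    """Convert a CamelCase resource kind to snake_case.

    An underscore is inserted before every upper-case ASCII letter after the
    first character and the result is lower-cased, e.g. 'NetworkPolicy'
    becomes 'network_policy'. An empty string raises IndexError.
    """
    head, tail = kind[0], kind[1:]
    return (head + sub(r'([A-Z])', r'_\1', tail)).lower()


def format_api_version(api_version: str):
    """Turn 'group/version' into 'version-group' with dots replaced by dashes.

    'apps/v1' becomes 'v1-apps'. A value without '/' is returned unchanged
    (its dots are kept). Only the first two '/'-separated parts are used.
    """
    parts = api_version.split('/')
    if len(parts) < 2:
        return api_version
    return f'{parts[1]}-{parts[0]}'.replace('.', '-')


def format_resource_name(name: str):
    """Replace every character outside [a-zA-Z0-9] with '-'; falsy input gives ''.

    The mapping is lossy: 'a.b' and 'a-b' both become 'a-b'.
    """
    if not name:
        return ''
    return sub('[^a-zA-Z0-9]', '-', name)


def format_resource_id(name: str, namespace: str = ''):
    """Build an identifier from a resource name and an optional namespace.

    Without a namespace the result is the formatted name; with one it is
    '--<formatted namespace>--<formatted name>'.
    """
    # NOTE(review): because '-' is both the replacement character and the
    # separator, two different (namespace, name) pairs can produce the same id.
    # If ids are used as keys, findings for distinct resources could be merged -
    # confirm how callers use the value.
    formatted_id = format_resource_name(name)
    if namespace:
        formatted_ns = format_resource_name(namespace)
        formatted_id = f'--{formatted_ns}--{formatted_id}'
    return formatted_id

================================================
FILE: ScoutSuite/providers/oci/__init__.py
================================================

================================================
FILE: ScoutSuite/providers/oci/authentication_strategy.py
================================================
import logging

from oci.config import from_file
from oci.identity import IdentityClient

from ScoutSuite.providers.base.authentication_strategy import AuthenticationStrategy, AuthenticationException


class OracleCredentials:
    """Holds the OCI configuration mapping passed in by the authentication strategy."""

    def __init__(self, config):
        # NOTE(review): an OCI config normally also names the API signing key
        # (key_file, and pass_phrase when one is set), so treat this object as
        # sensitive and keep it out of logs and reports.
        self.config = config

    def get_scope(self):
        """Return config['compartment-id'] when that key exists, else config['tenancy']."""
        if 'compartment-id' in self.config:
            return self.config['compartment-id']
        return self.config['tenancy']


class OracleAuthenticationStrategy(AuthenticationStrategy):
    """
    Implements authentication for the Oracle Cloud Infrastructure (OCI) provider
    """

    def authenticate(self, profile=None, **kwargs):
        """Load the OCI config for *profile* and return it as OracleCredentials.

        :param profile: profile name handed to oci.config.from_file
        :return: OracleCredentials wrapping the loaded config
        :raises AuthenticationException: on any failure; the original error is
            passed as its argument and kept as its cause
        """
        try:

            # Set logging level to error for libraries as otherwise generates a lot of warnings
            logging.getLogger('oci').setLevel(logging.ERROR)

            config = from_file(profile_name=profile)

            # Get the current user. The result is not used; presumably the call
            # serves to confirm that the credentials work - TODO confirm.
            identity = IdentityClient(config)
            identity.get_user(config["user"]).data

            return OracleCredentials(config)

        except Exception as e:
            # Chain explicitly so the underlying error stays attached as the cause.
            raise AuthenticationException(e) from e

================================================
FILE: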
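ScoutSuite/providers/oci/facade/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/oci/facade/base.py
================================================
from ScoutSuite.providers.oci.facade.identity import IdentityFacade
from ScoutSuite.providers.oci.facade.kms import KMSFacade
from ScoutSuite.providers.oci.facade.objectstorage import ObjectStorageFacade
from ScoutSuite.providers.oci.authentication_strategy import OracleCredentials


class OracleFacade:
    """Entry point that groups the per-service OCI facades."""

    def __init__(self, credentials: OracleCredentials):
        self._credentials = credentials
        self._instantiate_facades()

    def _instantiate_facades(self):
        """Create one facade per supported service, all sharing the same credentials."""
        self.identity = IdentityFacade(self._credentials)
        self.kms = KMSFacade(self._credentials)
        self.objectstorage = ObjectStorageFacade(self._credentials)


================================================
FILE: ScoutSuite/providers/oci/facade/identity.py
================================================
from oci.identity import IdentityClient
from oci.pagination import list_call_get_all_results
from ScoutSuite.providers.oci.authentication_strategy import OracleCredentials
from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.utils import run_concurrently


class IdentityFacade:
    """
    Async wrapper around the OCI IdentityClient.

    Every getter logs the error and returns an empty value when the API call fails,
    so an empty result is not proof that the tenancy has no such resources: check
    the scan log for 'Failed to retrieve ...' before trusting a clean report.
    """

    def __init__(self, credentials: OracleCredentials):
        self._credentials = credentials
        self._client = IdentityClient(self._credentials.config)

    async def get_users(self):
        """Return all users in the credentials' scope, or [] on failure."""
        try:
            response = await run_concurrently(
                lambda: list_call_get_all_results(self._client.list_users, self._credentials.get_scope()))
            return response.data
        except Exception as e:
            print_exception(f'Failed to retrieve users: {e}')
            return []

    async def get_user_api_keys(self, user_id):
        """Return the API keys of `user_id`, or [] on failure."""
        try:
            response = await run_concurrently(
                lambda: list_call_get_all_results(self._client.list_api_keys, user_id))
            return response.data
        except Exception as e:
            print_exception(f'Failed to retrieve user api keys: {e}')
            return []

    async def get_groups(self):
        """Return all groups in the credentials' scope, or [] on failure."""
        try:
            response = await run_concurrently(
                lambda: list_call_get_all_results(self._client.list_groups, self._credentials.get_scope()))
            return response.data
        except Exception as e:
            print_exception(f'Failed to retrieve groups: {e}')
            return []

    async def get_group_users(self, group_id):
        """Return the user/group memberships of `group_id`, or [] on failure."""
        try:
            response = await run_concurrently(
                lambda: list_call_get_all_results(self._client.list_user_group_memberships,
                                                  self._credentials.get_scope(),
                                                  group_id=group_id))
            return response.data
        except Exception as e:
            print_exception(f'Failed to retrieve group users: {e}')
            return []

    async def get_policies(self):
        """Return all policies in the credentials' scope, or [] on failure."""
        try:
            response = await run_concurrently(
                lambda: list_call_get_all_results(self._client.list_policies, self._credentials.get_scope()))
            return response.data
        except Exception as e:
            print_exception(f'Failed to retrieve policies: {e}')
            # Was None: callers iterate the result directly, so a failed call turned
            # into a TypeError instead of an empty policy list like the other getters.
            return []

    async def get_authentication_policy(self):
        """
        Return the tenancy authentication policy.

        :return: the policy object, or [] on failure (callers only test truthiness)
        """
        try:
            response = await run_concurrently(
                lambda: self._client.get_authentication_policy(self._credentials.config['tenancy']))
            return response.data
        except Exception as e:
            print_exception(f'Failed to retrieve authentication policy: {e}')
            return []


================================================
FILE: ScoutSuite/providers/oci/facade/kms.py
================================================
from oci.key_management import KmsManagementClient, KmsVaultClient
from oci.pagination import list_call_get_all_results

from ScoutSuite.core.console import print_exception
from ScoutSuite.providers.oci.authentication_strategy import OracleCredentials
from ScoutSuite.providers.utils import run_concurrently


class KMSFacade:
    """Async wrapper around the OCI KMS vault and key-management clients."""

    def __init__(self, credentials: OracleCredentials):
        self._credentials = credentials
        self._vault_client = KmsVaultClient(self._credentials.config)

    async def get_vaults(self):
        """Return all vaults in the credentials' scope, or [] on failure."""
        try:
            response = await run_concurrently(
                lambda: list_call_get_all_results(self._vault_client.list_vaults, self._credentials.get_scope()))
            return response.data
        except Exception as e:
            print_exception(f'Failed to get KMS vaults: {e}')
            return []

    async def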
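get_keys(self, keyvault):
        """
        Return the keys held by one vault, or [] on failure.

        :param keyvault: parsed vault dict; its 'management_endpoint' selects the
                         endpoint the key-management client talks to
        """
        try:
            key_client = KmsManagementClient(self._credentials.config, keyvault['management_endpoint'])
            response = await run_concurrently(
                lambda: list_call_get_all_results(key_client.list_keys, self._credentials.get_scope()))
            return response.data
        except Exception as e:
            # The message used to say "vaults", which pointed at the wrong API call.
            print_exception(f'Failed to get KMS keys: {e}')
            return []


================================================
FILE: ScoutSuite/providers/oci/facade/objectstorage.py
================================================
from oci.object_storage import ObjectStorageClient
from ScoutSuite.providers.oci.authentication_strategy import OracleCredentials
from oci.pagination import list_call_get_all_results
from ScoutSuite.providers.utils import run_concurrently
from ScoutSuite.core.console import print_exception


class ObjectStorageFacade:
    """
    Async wrapper around the OCI ObjectStorageClient.

    Failures are logged and reported as None or [], so a missing value downstream
    can mean "the call failed" rather than "nothing is configured".
    """

    def __init__(self, credentials: OracleCredentials):
        self._credentials = credentials
        self._client = ObjectStorageClient(self._credentials.config)

    async def get_namespace(self):
        """Return the Object Storage namespace as a string, or None on failure."""
        try:
            response = await run_concurrently(
                lambda: list_call_get_all_results(self._client.get_namespace))
            # for some reason it returns a list of chars instead of a string
            # (presumably because the pagination helper collects results into a list)
            return ''.join(response.data)
        except Exception as e:
            print_exception(f'Failed to get Object Storage namespace: {e}')
            return None

    async def get_bucket_details(self, namespace, bucket_name):
        """Return the full bucket object for one bucket, or None on failure."""
        try:
            response = await run_concurrently(
                lambda: self._client.get_bucket(namespace, bucket_name)
            )
            return response.data
        except Exception as e:
            print_exception(f'Failed to get Object Storage bucket details: {e}')
            return None

    async def get_buckets(self, namespace):
        """Return the buckets of `namespace` in the credentials' scope, or [] on failure."""
        try:
            response = await run_concurrently(
                lambda: list_call_get_all_results(self._client.list_buckets, namespace, self._credentials.get_scope()))
            return response.data
        except Exception as e:
            print_exception(f'Failed to get Object Storage buckets: {e}')
            return []

    async def get_bucket_objects(self, namespace, bucket_name):
        """Return the objects of one bucket, or [] on failure."""
        try:
            response = await run_concurrently(
                lambda: list_call_get_all_results(self._client.list_objects, namespace, bucket_name))
            return response.data
        except Exception as e:
            print_exception(f'Failed to get Object Storage bucket objects: {e}')
            return []


================================================
FILE: ScoutSuite/providers/oci/metadata.json
================================================
{ "security": { "identity": { "resources": { "users": { "cols": 2, "path": "services.identity.users" }, "groups": { "cols": 2, "path": "services.identity.groups" }, "policies": { "cols": 2, "path": "services.identity.policies" } }, "summaries": { "password_policy": { "cols": 1, "path": "services.identity.password_policy" } } }, "kms": { "resources": { "keyvaults": { "cols": 2, "path": "services.kms.keyvaults" } } } }, "storage": { "objectstorage": { "resources": { "buckets": { "cols": 2, "path": "services.objectstorage.buckets" } } } } }


================================================
FILE: ScoutSuite/providers/oci/provider.py
================================================
import os

from ScoutSuite.providers.oci.services import OracleServicesConfig
from ScoutSuite.providers.base.provider import BaseProvider


class OracleProvider(BaseProvider):
    """
    Implements provider for Oracle Cloud Infrastructure
    """

    def __init__(self, report_dir=None, timestamp=None, services=None, skipped_services=None, **kwargs):
        """
        :param report_dir: forwarded to BaseProvider
        :param timestamp: forwarded to BaseProvider
        :param services: services to scan (defaults to an empty list)
        :param skipped_services: services to skip (defaults to an empty list)
        :param kwargs: must contain 'credentials' (an object exposing get_scope())
        """
        services = [] if services is None else services
        skipped_services = [] if skipped_services is None else skipped_services

        # metadata.json lives next to this module
        self.metadata_path = '%s/metadata.json' % os.path.split(os.path.abspath(__file__))[0]

        self.provider_code = 'oci'
        self.provider_name = 'Oracle Cloud Infrastructure'
        self.environment = 'default'

        self.services_config = OracleServicesConfig

        self.credentials = kwargs['credentials']
        # The scan scope (compartment or tenancy identifier) doubles as the account id.
        self.account_id = self.credentials.get_scope()

        super().__init__(report_dir, timestamp, services, skipped_services)

    def get_report_name(self):
        """
        Returns the name of the report using the provider's configuration
        """
        if self.account_id:
            return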
f'oracle-{self.account_id}'
        else:
            return 'oracle'

    def preprocessing(self, ip_ranges=None, ip_ranges_name_key=None):
        """Run the base preprocessing; the IP-range arguments are not used here."""
        super().preprocessing()


================================================
FILE: ScoutSuite/providers/oci/resources/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/oci/resources/base.py
================================================
"""This module provides implementations for Resources and CompositeResources for OCI."""

import abc

from ScoutSuite.providers.base.resources.base import Resources, CompositeResources


class OracleResources(Resources, metaclass=abc.ABCMeta):
    """This is the base class for Oracle Cloud Infrastructure resources."""

    pass


class OracleCompositeResources(OracleResources, CompositeResources, metaclass=abc.ABCMeta):
    """This class represents a collection of composite Resources (resources that include nested resources referred as
    their children). Classes extending OracleCompositeResources have to define a '_children' attribute which consists of
    a list of tuples describing the children. The tuples are expected to respect the following format:
    (<child_class>, <child_name>). 'child_name' is used to indicate the name under which the child resources will be
    stored in the parent object.
    """

    pass


================================================
FILE: ScoutSuite/providers/oci/resources/identity/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/oci/resources/identity/api_keys.py
================================================
from ScoutSuite.providers.oci.facade.base import OracleFacade
from ScoutSuite.providers.oci.resources.base import OracleResources
from ScoutSuite.providers.utils import get_non_provider_id


class ApiKeys(OracleResources):
    """API keys of a single user, keyed by a hash of the provider key id."""

    def __init__(self, facade: OracleFacade, user):
        super().__init__(facade)
        self.user = user

    async def fetch_all(self):
        """Fetch and store every API key of the user this collection was built for."""
        raw_keys = await self.facade.identity.get_user_api_keys(user_id=self.user['identifier'])
        for raw_key in raw_keys:
            key_id, parsed_key = await self._parse_api_key(raw_key)
            self[key_id] = parsed_key

    async def _parse_api_key(self, raw_api_key):
        """
        Keep the identifying fields of one API key.

        Only the key id, fingerprint and lifecycle state are read from the raw object.

        :return: (report id, parsed dict)
        """
        api_key = {
            'id': get_non_provider_id(raw_api_key.key_id),
            'identifier': raw_api_key.key_id,
            'fingerprint': raw_api_key.fingerprint,
            'state': raw_api_key.lifecycle_state,
        }
        return api_key['id'], api_key


================================================
FILE: ScoutSuite/providers/oci/resources/identity/authentication_policy.py
================================================
from ScoutSuite.providers.oci.resources.base import OracleResources
from ScoutSuite.providers.oci.facade.base import OracleFacade


class PasswordPolicy(OracleResources):
    """Password-policy settings taken from the tenancy authentication policy."""

    def __init__(self, facade: OracleFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """
        Fetch the authentication policy and store its password settings.

        A falsy facade result leaves this collection empty, so the password-policy
        settings are simply absent from the data in that case.
        """
        raw_authentication_policy = await self.facade.identity.get_authentication_policy()
        password_policy = \
            self._parse_authentication_policy(raw_authentication_policy) if raw_authentication_policy else {}
        self.update(password_policy)

    def _parse_authentication_policy(self, raw_authentication_policy):
        password_policy_dict = {}
        password_policy_dict['is_username_containment_allowed'] = \
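raw_authentication_policy.password_policy.is_username_containment_allowed
        password_policy_dict['is_uppercase_characters_required'] = \
            raw_authentication_policy.password_policy.is_uppercase_characters_required
        password_policy_dict['is_lowercase_characters_required'] = \
            raw_authentication_policy.password_policy.is_lowercase_characters_required
        password_policy_dict['is_special_characters_required'] = \
            raw_authentication_policy.password_policy.is_special_characters_required
        password_policy_dict['minimum_password_length'] = \
            raw_authentication_policy.password_policy.minimum_password_length
        password_policy_dict['is_numeric_characters_required'] = \
            raw_authentication_policy.password_policy.is_numeric_characters_required
        return password_policy_dict


================================================
FILE: ScoutSuite/providers/oci/resources/identity/base.py
================================================
from ScoutSuite.providers.oci.resources.base import OracleCompositeResources
from ScoutSuite.providers.oci.resources.identity.users import Users
from ScoutSuite.providers.oci.resources.identity.groups import Groups
from ScoutSuite.providers.oci.resources.identity.policies import Policies
from ScoutSuite.providers.oci.resources.identity.authentication_policy import PasswordPolicy
from ScoutSuite.providers.oci.facade.base import OracleFacade


class Identity(OracleCompositeResources):
    """Identity service: users, groups, policies and the password policy."""

    _children = [
        (Users, 'users'),
        (Groups, 'groups'),
        (Policies, 'policies'),
        (PasswordPolicy, 'password_policy')
    ]

    def __init__(self, facade: OracleFacade):
        super().__init__(facade)
        self.service = 'identity'

    async def fetch_all(self, **kwargs):
        """Fetch every child collection, then zero the password-policy counter."""
        await self._fetch_children(resource_parent=self)

        # We do not want the report to count the password policies as resources,
        # they aren't really resources.
        self['password_policy_count'] = 0

    async def finalize(self):
        """Cross-reference users and groups once both collections are loaded."""
        self._match_users_and_groups()
        self._set_user_names_to_group_members()
        return

    def _match_users_and_groups(self):
        """
        Parses the users and groups to match
        :return: None
        """
        for user in self['users']:
            self['users'][user]['groups'] = []
            for group in self['groups']:
                if any(u['user_identifier'] == self['users'][user]['identifier']
                       for u in self['groups'][group]['users']):
                    self['users'][user]['groups'].append(self['groups'][group])

    def _set_user_names_to_group_members(self):
        """
        Parses the users and groups to match user names
        :return: None
        """
        for group in self['groups']:
            for user in self['groups'][group]['users']:
                # A member can be missing from self['users'] (for example when the
                # user listing failed and came back empty); record None instead of
                # aborting finalize with a KeyError.
                try:
                    user['user_name'] = self['users'][user['user_id']]['name']
                except KeyError:
                    user['user_name'] = None


================================================
FILE: ScoutSuite/providers/oci/resources/identity/groups.py
================================================
from ScoutSuite.providers.oci.resources.base import OracleResources
from ScoutSuite.providers.oci.facade.base import OracleFacade
from ScoutSuite.providers.utils import get_non_provider_id


class Groups(OracleResources):
    """Identity groups, keyed by a hash of the provider group id."""

    def __init__(self, facade: OracleFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch and store every group returned by the identity facade."""
        for raw_group in await self.facade.identity.get_groups():
            id, group = await self._parse_group(raw_group)
            self[id] = group

    async def _parse_group(self, raw_group):
        group_dict = {}
        group_dict['identifier'] = raw_group.id
        group_dict['id'] = get_non_provider_id(raw_group.id)
        group_dict['name'] = raw_group.name
        group_dict['lifecycle_state'] = raw_group.lifecycle_state
        group_dict['inactive_status'] = raw_group.inactive_status
        group_dict['description'] = raw_group.description
        group_dict['compartment_id'] = raw_group.compartment_id
        group_dict['time_created'] = raw_group.time_created
        # Tolerate absent tags, as the bucket parser does (list(None) raises TypeError).
        group_dict['defined_tags'] = list(raw_group.defined_tags or [])
        group_dict['freeform_tags'] = list(raw_group.freeform_tags or [])

        members = await self.facade.identity.get_group_users(group_dict['identifier'])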
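group_dict['users'] = []
        for member in members:
            member_dict = {}
            member_dict['user_identifier'] = member.user_id
            member_dict['user_id'] = get_non_provider_id(member.user_id)
            member_dict['membership_id'] = member.id
            member_dict['group_id'] = member.group_id
            member_dict['lifecycle_state'] = member.lifecycle_state
            member_dict['inactive_status'] = member.inactive_status
            member_dict['compartment_id'] = member.compartment_id
            member_dict['time_created'] = member.time_created
            group_dict['users'].append(member_dict)

        return group_dict['id'], group_dict


================================================
FILE: ScoutSuite/providers/oci/resources/identity/policies.py
================================================
from ScoutSuite.providers.oci.facade.base import OracleFacade
from ScoutSuite.providers.oci.resources.base import OracleResources
from ScoutSuite.providers.utils import get_non_provider_id


class Policies(OracleResources):
    """Identity policies, keyed by a hash of the provider policy id."""

    def __init__(self, facade: OracleFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch and store every policy returned by the identity facade."""
        # get_policies() returns None when the API call fails; iterate an empty list
        # in that case instead of raising TypeError.
        raw_policies = await self.facade.identity.get_policies() or []
        for raw_policy in raw_policies:
            policy_id, policy = await self._parse_policy(raw_policy)
            self[policy_id] = policy

    async def _parse_policy(self, raw_policy):
        """
        Keep the fields of one policy that the report uses.

        :return: (report id, parsed dict)
        """
        policy = {}
        policy['id'] = get_non_provider_id(raw_policy.id)
        policy['identifier'] = raw_policy.id
        policy['name'] = raw_policy.name
        policy['description'] = raw_policy.description
        # Statements are lower-cased so string-matching rules are case-insensitive.
        policy['statements'] = [s.lower() for s in raw_policy.statements]
        policy['state'] = raw_policy.lifecycle_state
        return policy['id'], policy


================================================
FILE: ScoutSuite/providers/oci/resources/identity/users.py
================================================
from ScoutSuite.providers.oci.resources.base import OracleCompositeResources
from ScoutSuite.providers.utils import get_non_provider_id
from .api_keys import ApiKeys


class Users(OracleCompositeResources):
    """Identity users, each with its API keys as a child collection."""

    _children = [
        (ApiKeys, 'api_keys')
    ]

    async def fetch_all(self):
        """Fetch every user, then fetch the API keys of each of them."""
        for raw_user in await self.facade.identity.get_users():
            user_id, user = await self._parse_user(raw_user)
            self[user_id] = user

        await self._fetch_children_of_all_resources(
            resources=self,
            scopes={user_id: {'user': user} for user_id, user in self.items()}
        )

    async def _parse_user(self, raw_user):
        """
        Keep the fields of one user that the report uses.

        :return: (report id, parsed dict)
        """
        user = {}
        user['identifier'] = raw_user.id  # was assigned twice; once is enough
        user['id'] = get_non_provider_id(raw_user.id)
        user['name'] = raw_user.name
        # NOTE(review): none of the OCI finding files under rules/findings reads
        # mfa_activated, so users without MFA are listed but never flagged -- confirm
        # whether a rule is intended.
        user['mfa_activated'] = raw_user.is_mfa_activated
        return user['id'], user


================================================
FILE: ScoutSuite/providers/oci/resources/kms/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/oci/resources/kms/base.py
================================================
from ScoutSuite.providers.oci.facade.base import OracleFacade
from ScoutSuite.providers.oci.resources.base import OracleCompositeResources
from ScoutSuite.providers.oci.resources.kms.keyvaults import KeyVaults


class KMS(OracleCompositeResources):
    """KMS service: key vaults and, under each vault, its keys."""

    _children = [
        (KeyVaults, 'keyvaults')
    ]

    def __init__(self, facade: OracleFacade):
        super().__init__(facade)
        self.service = 'kms'

    async def fetch_all(self, **kwargs):
        """Fetch every child collection."""
        await self._fetch_children(resource_parent=self)


================================================
FILE: ScoutSuite/providers/oci/resources/kms/keys.py
================================================
from ScoutSuite.providers.oci.resources.base import OracleResources
from ScoutSuite.providers.oci.facade.base import OracleFacade
from ScoutSuite.providers.utils import get_non_provider_id


class Keys(OracleResources):
    """Keys of a single vault, keyed by a hash of the provider key id."""

    def __init__(self, facade: OracleFacade, keyvault):
        super().__init__(facade)
        self.key_vault = keyvault

    async def fetch_all(self):
        """Fetch and store every key of the vault this collection was built for."""
        for raw_key in await self.facade.kms.get_keys(self.key_vault):
            id, key = await self._parse_key(raw_key)
            self[id] = key

    async def _parse_key(self, raw_key):
        key_dict = {}
        key_dict['id'] = get_non_provider_id(raw_key.id)
        key_dict['identifier'] = raw_key.id
        key_dict['name'] =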
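raw_key.display_name
        key_dict['vault_id'] = raw_key.vault_id
        key_dict['lifecycle_state'] = raw_key.lifecycle_state
        key_dict['compartment_id'] = raw_key.compartment_id
        key_dict['time_created'] = raw_key.time_created
        # Tolerate absent tags, as the bucket parser does (list(None) raises TypeError).
        key_dict['defined_tags'] = list(raw_key.defined_tags or [])
        key_dict['freeform_tags'] = list(raw_key.freeform_tags or [])
        return key_dict['id'], key_dict


================================================
FILE: ScoutSuite/providers/oci/resources/kms/keyvaults.py
================================================
from ScoutSuite.providers.oci.facade.base import OracleFacade
from ScoutSuite.providers.oci.resources.base import OracleCompositeResources
from ScoutSuite.providers.oci.resources.kms.keys import Keys
from ScoutSuite.providers.utils import get_non_provider_id


class KeyVaults(OracleCompositeResources):
    """KMS vaults, each with its keys as a child collection."""

    _children = [
        (Keys, 'keys')
    ]

    def __init__(self, facade: OracleFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Fetch every vault, then fetch the keys of each of them."""
        raw_keyvaults = await self.facade.kms.get_vaults()
        for raw_keyvault in raw_keyvaults:
            vault_id, keyvault = self._parse_keyvault(raw_keyvault)
            self[vault_id] = keyvault

        await self._fetch_children_of_all_resources(
            resources=self,
            scopes={keyvault_id: {'keyvault': keyvault} for keyvault_id, keyvault in self.items()}
        )

    def _parse_keyvault(self, raw_keyvault):
        """
        Keep the fields of one vault that the report and the key fetch use.

        :return: (report id, parsed dict); 'management_endpoint' is later read by the
                 KMS facade to build the per-vault key client
        """
        keyvault_dict = {}
        keyvault_dict['id'] = get_non_provider_id(raw_keyvault.id)
        keyvault_dict['identifier'] = raw_keyvault.id
        keyvault_dict['name'] = raw_keyvault.display_name
        keyvault_dict['compartment_id'] = raw_keyvault.compartment_id
        keyvault_dict['lifecycle_state'] = raw_keyvault.lifecycle_state
        keyvault_dict['crypto_endpoint'] = raw_keyvault.crypto_endpoint
        keyvault_dict['time_created'] = raw_keyvault.time_created
        keyvault_dict['vault_type'] = raw_keyvault.vault_type
        keyvault_dict['management_endpoint'] = raw_keyvault.management_endpoint
        # Tolerate absent tags, as the bucket parser does (list(None) raises TypeError).
        keyvault_dict['defined_tags'] = list(raw_keyvault.defined_tags or [])
        keyvault_dict['freeform_tags'] = list(raw_keyvault.freeform_tags or [])
        return keyvault_dict['id'], keyvault_dict


================================================
FILE: ScoutSuite/providers/oci/resources/objectstorage/__init__.py
================================================


================================================
FILE: ScoutSuite/providers/oci/resources/objectstorage/base.py
================================================
from ScoutSuite.providers.oci.facade.base import OracleFacade
from ScoutSuite.providers.oci.resources.base import OracleCompositeResources
from ScoutSuite.providers.oci.resources.objectstorage.buckets import Buckets


class ObjectStorage(OracleCompositeResources):
    """Object Storage service: buckets."""

    _children = [
        (Buckets, 'buckets')
    ]

    def __init__(self, facade: OracleFacade):
        super().__init__(facade)
        self.service = 'objectstorage'

    async def fetch_all(self, **kwargs):
        """Fetch every child collection."""
        await self._fetch_children(resource_parent=self)


================================================
FILE: ScoutSuite/providers/oci/resources/objectstorage/buckets.py
================================================
from ScoutSuite.providers.oci.resources.base import OracleResources
from ScoutSuite.providers.oci.facade.base import OracleFacade


class Buckets(OracleResources):
    """Object Storage buckets, keyed by bucket name."""

    def __init__(self, facade: OracleFacade):
        super().__init__(facade)

    async def fetch_all(self):
        """Resolve the namespace, then fetch and store every bucket in it."""
        namespace = await self.facade.objectstorage.get_namespace()
        if namespace is None:
            # The namespace lookup failed and was already logged by the facade;
            # listing buckets without it can only fail again.
            return
        for raw_bucket in await self.facade.objectstorage.get_buckets(namespace):
            id, bucket = await self._parse_bucket(raw_bucket)
            self[id] = bucket

    async def _parse_bucket(self, raw_bucket):
        bucket_dict = {}
        # NOTE(review): the raw bucket name is used as the report id here, unlike the
        # hashed ids used for the other OCI resources -- confirm a name containing '.'
        # cannot break path handling in the report.
        bucket_dict['id'] = bucket_dict['name'] = raw_bucket.name
        bucket_dict['compartment_id'] = raw_bucket.compartment_id
        bucket_dict['namespace'] = raw_bucket.namespace
        bucket_dict['created_by'] = raw_bucket.created_by
        bucket_dict['etag'] = raw_bucket.etag
        bucket_dict['freeform_tags'] = list(raw_bucket.freeform_tags) if raw_bucket.freeform_tags else []
        bucket_dict['defined_tags'] = list(raw_bucket.defined_tags) if raw_bucket.defined_tags else []

        raw_bucket_details = await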
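self.facade.objectstorage.get_bucket_details(raw_bucket.namespace, raw_bucket.name)
        # raw_bucket_details is None when the detail call failed. Every field below is
        # then None as well, which is indistinguishable from "not configured":
        # NOTE(review): the kms-encryption rule tests kms_key_id for null and the
        # public-bucket rule tests public_access_type notEqual "NoPublicAccess", so a
        # bucket whose details could not be read is presumably reported by both --
        # confirm and treat such findings as unverified.
        bucket_dict['kms_key_id'] = raw_bucket_details.kms_key_id if raw_bucket_details else None
        bucket_dict['approximate_count'] = raw_bucket_details.approximate_count if raw_bucket_details else None
        bucket_dict['time_created'] = raw_bucket_details.time_created if raw_bucket_details else None
        bucket_dict['public_access_type'] = raw_bucket_details.public_access_type if raw_bucket_details else None
        bucket_dict['approximate_size'] = raw_bucket_details.approximate_size if raw_bucket_details else None
        bucket_dict['storage_tier'] = raw_bucket_details.storage_tier if raw_bucket_details else None
        # list(None) raises TypeError, so guard a bucket without metadata the same way
        # the tag fields are guarded; an existing (even empty) mapping is still listed.
        raw_metadata = raw_bucket_details.metadata if raw_bucket_details else None
        bucket_dict['metadata'] = list(raw_metadata) if raw_metadata is not None else None
        bucket_dict['object_lifecycle_policy_etag'] = raw_bucket_details.object_lifecycle_policy_etag if \
            raw_bucket_details else None

        # objects = await self.facade.objectstorage.get_bucket_objects(bucket_dict['namespace'],
        #                                                              bucket_dict['name'])

        return bucket_dict['id'], bucket_dict


================================================
FILE: ScoutSuite/providers/oci/rules/filters/.keep
================================================


================================================
FILE: ScoutSuite/providers/oci/rules/findings/identity-password-policy-minimum-length.json
================================================
{ "description": "Minimum Password Length Too Short", "dashboard_name": "Password policy", "path": "identity.password_policy.minimum_password_length", "conditions": [ "or", [ "this", "lessThan", "_ARG_0_" ] ], "arg_names": [ "Minimum password length" ] }


================================================
FILE: ScoutSuite/providers/oci/rules/findings/identity-password-policy-no-lowercase-required.json
================================================
{ "description": "Password Policy Lacks Lowercase Requirement", "dashboard_name": "Password policy", "path":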
"identity.password_policy.is_lowercase_characters_required", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/oci/rules/findings/identity-password-policy-no-number-required.json ================================================ { "description": "Password Policy Lacks Number Requirement", "dashboard_name": "Password policy", "path": "identity.password_policy.is_numeric_characters_required", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/oci/rules/findings/identity-password-policy-no-symbol-required.json ================================================ { "description": "Password Policy Lacks Symbol Requirement", "dashboard_name": "Password policy", "path": "identity.password_policy.is_special_characters_required", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/oci/rules/findings/identity-password-policy-no-uppercase-required.json ================================================ { "description": "Password Policy Lacks Uppercase Requirement", "dashboard_name": "Password policy", "path": "identity.password_policy.is_uppercase_characters_required", "conditions": [ "or", [ "this", "false", "" ] ] } ================================================ FILE: ScoutSuite/providers/oci/rules/findings/identity-policy-affects-user.json ================================================ { "description": "Policy Affects User", "rationale": "Policies should apply to services and groups, not directly to users.", "dashboard_name": "Policies", "display_path": "identity.policies.id", "path": "identity.policies.id", "conditions": [ "and", [ "identity.policies.id.statements", "containString", "any-user" ] ], "id_suffix": "statements" } ================================================ FILE: 
ScoutSuite/providers/oci/rules/findings/identity-user-with-multiple-api-keys.json ================================================ { "description": "User with Multiple API Keys", "rationale": "It is recommended for users to only have one access key.", "dashboard_name": "Users", "path": "identity.users.id", "conditions": [ "and", [ "identity.users.id.api_keys", "lengthMoreThan", "1" ] ], "id_suffix": "multiple_api_keys" } ================================================ FILE: ScoutSuite/providers/oci/rules/findings/kms-no-key-rotation.json ================================================ { "description": "KMS Keys Are Not Being Rotated", "rationale": "Keys should be routinely rotated to prevent usage of compromised keys.", "dashboard_name": "Keys", "display_path": "kms.keyvaults.id", "path": "kms.keyvaults.id.keys.id", "conditions": [ "and", [ "kms.keyvaults.id.keys.id.lifecycle_state", "equal", "ENABLED" ], [ "kms.keyvaults.id.keys.id.time_created", "olderThan", [ "_ARG_0_", "days" ] ] ], "id_suffix": "time_created" } ================================================ FILE: ScoutSuite/providers/oci/rules/findings/objectstorage-bucket-lacking-kms-encryption.json ================================================ { "description": "Buckets Lacking KMS Encryption", "rationale": "Buckets should be configured with KMS keys to ensure fine-grained control over data at rest.", "dashboard_name": "Buckets", "path": "objectstorage.buckets.id", "conditions": [ "and", [ "objectstorage.buckets.id.kms_key_id", "null", "" ] ], "id_suffix": "kms_key_id" } ================================================ FILE: ScoutSuite/providers/oci/rules/findings/objectstorage-public-bucket.json ================================================ { "description": "Public Buckets", "rationale": "Buckets should be private unless intended.", "dashboard_name": "Buckets", "path": "objectstorage.buckets.id", "conditions": [ "and", [ "objectstorage.buckets.id.public_access_type", "notEqual", "NoPublicAccess" ] 
], "id_suffix": "public_access_type" } ================================================ FILE: ScoutSuite/providers/oci/rules/rulesets/default.json ================================================ { "about": "Default ruleset for Oracle Cloud Infrastructure.", "rules": { "identity-password-policy-minimum-length.json": [ { "args": [ "8" ], "enabled": true, "level": "danger" } ], "identity-password-policy-no-lowercase-required.json": [ { "enabled": true, "level": "danger" } ], "identity-password-policy-no-number-required.json": [ { "enabled": true, "level": "danger" } ], "identity-password-policy-no-symbol-required.json": [ { "enabled": true, "level": "danger" } ], "identity-password-policy-no-uppercase-required.json": [ { "enabled": true, "level": "danger" } ], "identity-policy-affects-user.json": [ { "enabled": true, "level": "warning" } ], "identity-user-with-multiple-api-keys.json": [ { "enabled": true, "level": "warning" } ], "kms-no-key-rotation.json": [ { "args": [ "90" ], "enabled": true, "level": "warning" } ], "objectstorage-bucket-lacking-kms-encryption.json": [ { "enabled": true, "level": "warning" } ], "objectstorage-public-bucket.json": [ { "enabled": true, "level": "danger" } ] } } ================================================ FILE: ScoutSuite/providers/oci/rules/rulesets/filters.json ================================================ { "about": "Default set of filters for Scout", "rules": {} } ================================================ FILE: ScoutSuite/providers/oci/services.py ================================================ from ScoutSuite.providers.oci.authentication_strategy import OracleCredentials from ScoutSuite.providers.oci.facade.base import OracleFacade from ScoutSuite.providers.oci.resources.identity.base import Identity from ScoutSuite.providers.oci.resources.kms.base import KMS from ScoutSuite.providers.oci.resources.objectstorage.base import ObjectStorage from ScoutSuite.providers.base.services import BaseServicesConfig class 
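OracleServicesConfig(BaseServicesConfig):
    """Services configuration for the 'oci' provider: Identity, Object Storage and KMS."""

    def __init__(self, credentials: OracleCredentials = None, **kwargs):
        """
        Create one OracleFacade and hand it to every supported service.

        :param credentials: Credentials passed to the base class and to OracleFacade
        :param kwargs:      Accepted but not used here
        """
        super().__init__(credentials)

        facade = OracleFacade(credentials)

        self.identity = Identity(facade)
        self.objectstorage = ObjectStorage(facade)
        self.kms = KMS(facade)

    def _is_provider(self, provider_name):
        """Return True when `provider_name` is 'oci'."""
        return provider_name == 'oci'

================================================
FILE: ScoutSuite/providers/oci/utils.py
================================================
from oci.identity import IdentityClient

from ScoutSuite.core.console import print_exception


def oracle_connect_service(service, credentials, region_name=None):
    """
    Return an OCI client for `service`, or None when it cannot be created.

    Only 'identity' is supported. Any other service name, and any exception raised while building the
    client, is reported through print_exception and yields None.

    :param service:                 Name of the service to connect to
    :param credentials:             Object whose `config` attribute is passed to IdentityClient
    :param region_name:             Not used by this function
    :return:                        IdentityClient instance, or None
    """
    try:
        if service != 'identity':
            print_exception('Service %s not supported' % service)
            return None
        return IdentityClient(credentials.config)
    except Exception as e:
        print_exception(e)
        return None

================================================
FILE: ScoutSuite/providers/utils.py
================================================
import asyncio
import inspect
import re
from hashlib import sha1

from ScoutSuite.core.console import print_info, print_warning
from ScoutSuite.providers.aws.utils import is_throttled as aws_is_throttled
from ScoutSuite.providers.gcp.utils import is_throttled as gcp_is_throttled


def get_non_provider_id(name):
    """
    Not all resources have an ID and some services allow the use of "." in names, which breaks Scout's
    recursion scheme if name is used as an ID. Use SHA1(name) instead.

    SHA-1 serves here only to derive a stable, dot-free identifier; nothing in this function relies on
    it as a security control.

    :param name:                    Name of the resource to derive an ID from
    :return:                        'scoutid-' followed by the hex SHA1 digest of the UTF-8 encoded name
    """
    digest = sha1(name.encode('utf-8')).hexdigest()
    return f'scoutid-{digest}'


async def run_concurrently(function, backoff_seconds=15):
    """
    Run `function` in the event loop's default executor while holding the loop's throttler.

    The retry-on-throttling logic is disabled (see the string kept below), so every exception,
    including API rate-limit errors, is propagated to the caller unchanged.

    :param function:                Callable invoked without arguments in an executor thread
    :param backoff_seconds:         Only referenced by the disabled retry logic
    :return:                        Whatever `function` returns
    """
    try:
        # `throttler` is not a standard asyncio event-loop attribute; presumably it is attached to the
        # loop elsewhere in the project (requirements.txt lists asyncio-throttle) - confirm.
        async with asyncio.get_event_loop().throttler:
            return await run_function_concurrently(function)
    except Exception as e:
        raise
        """
        Commented out so this does not trigger errors from is_throttled, which is not fully implemented
        # Determine whether the exception is due to API throttling
        if is_throttled(e):
            source_file = inspect.getsourcefile(function)
            source_file_line = inspect.getsourcelines(function)[1]
            print_warning(f'Hitting API rate limiting ({"/".join(source_file.split("/")[-2:])} L{source_file_line}), will retry in {backoff_seconds}s')
            await asyncio.sleep(backoff_seconds)
            return await run_concurrently(function, backoff_seconds + 15)
        else:
            raise
        """


def run_function_concurrently(function):
    """
    Schedules the execution of function `function` in the default thread pool (referred as 'executor')
    that has been associated with the global event loop.

    :param function: function to be executed concurrently, in a dedicated thread.
    :return: an asyncio.Future to be awaited.
    """
    return asyncio.get_event_loop().run_in_executor(executor=None, func=function)


async def get_and_set_concurrently(get_and_set_funcs: list, entities: list, **kwargs):
    """
    Given a list of get_and_set_* functions (ex: get_and_set_description, get_and_set_attributes,
    get_and_set_policy, etc.) and a list of entities (ex: stacks, keys, load balancers, vpcs, etc.),
    get_and_set_concurrently will call each of these functions concurrently on each entity.

    :param get_and_set_funcs: list of coroutine functions that fetch and set some kind of attributes on
                              an entity. Each one is called as `func(entity, **kwargs)`, so values such
                              as the region arrive as keyword arguments.
    :param entities: list of a same kind of entities
    :param kwargs: used to pass cloud provider specific parameters (ex: region or vpc for AWS, etc.) to
                   the given functions.
    :return: None
    """
    if len(entities) == 0:
        return

    tasks = {
        asyncio.ensure_future(get_and_set_func(entity, **kwargs))
        for entity in entities
        for get_and_set_func in get_and_set_funcs
    }
    # asyncio.wait() raises ValueError on an empty set, which is what an empty function list produces.
    if not tasks:
        return

    # asyncio.wait() does not re-raise exceptions from the tasks, so a failing get_and_set_* call is
    # not propagated to the caller from here.
    await asyncio.wait(tasks)


async def map_concurrently(coroutine, entities, **kwargs):
    """
    Given a list of entities, executes coroutine `coroutine` concurrently on each entity and returns a
    list of the obtained results ([await coroutine(entity_x), await coroutine(entity_a), ...,
    await coroutine(entity_z)]). Results are collected in completion order, not in input order.

    :param coroutine: coroutine to be executed concurrently. Takes an entity as parameter and returns a
                      new entity. If the given coroutine does some exception handling, it should ensure
                      to propagate the handled exceptions so `map_concurrently` can handle them as well
                      (in particular ignoring them) to avoid `None` values in the list returned.
    :param entities: a list of the same type of entity (ex: cluster ids)
    :return: a list of new entities (ex: clusters)
    """
    if len(entities) == 0:
        return []

    pending = {asyncio.ensure_future(coroutine(entity, **kwargs)) for entity in entities}

    results = []
    for next_done in asyncio.as_completed(pending):
        try:
            result = await next_done
        except Exception:
            # Deliberate best-effort (see docstring): the failed entity is left out of the result and
            # nothing is reported here, so unless the coroutine reported the error itself a failed
            # fetch cannot be told apart from a resource that does not exist.
            pass
        else:
            results.append(result)
    return results


def is_throttled(exception):
    """
    Function that tries to determine if an exception was caused by throttling
    TODO - this implementation is incomplete

    :param exception:               Exception to inspect
    :return:                        False when the exception has a `message` mentioning 'Google Cloud',
                                    '404' or 'projects/'; otherwise the result of the AWS check or,
                                    failing that, of the GCP check
    """
    if hasattr(exception, 'message'):
        message = exception.message
        if 'Google Cloud' in message or '404' in message or 'projects/' in message:
            return False
    return aws_is_throttled(exception) or gcp_is_throttled(exception)


# Maps a human-readable secret type to the compiled pattern that is_secret() searches for.
# NOTE(review): the patterns are plain (non-raw) string literals that contain backslash escapes such
# as `\-`; raw strings would avoid the invalid-escape-sequence warnings newer Python versions emit.
secret_patterns = {
    "AWS key": re.compile("(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
    "Adobe Client ID (Oauth Web)": re.compile("(adobe[a-z0-9_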
.\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32})['\"]"), "Adobe Client Secret": re.compile("(?i)(p8e-)[a-z0-9]{32}"), "Alibaba AccessKey ID": re.compile("(?i)(LTAI)[a-z0-9]{20}"), "Alibaba Secret Key": re.compile("(alibaba[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{30})['\"]"), "Asana Client ID": re.compile("(asana[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9]{16})['\"]"), "Asana Client Secret": re.compile("(asana[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{32})['\"]"), "Atlassian API token": re.compile("(atlassian[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{24})['\"]"), "Beamer API token": re.compile("(beamer[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](b_[a-z0-9=_\-]{44})['\"]"), "Bitbucket client ID": re.compile("(bitbucket[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{32})['\"]"), "Bitbucket client secret": re.compile("(bitbucket[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9_\-]{64})['\"]"), "Clojars API token": re.compile("(?i)(CLOJARS_)[a-z0-9]{60}"), "Contentful delivery API token": re.compile("(contentful[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9\-=_]{43})['\"]"), "Databricks API token": re.compile("dapi[a-h0-9]{32}"), "Discord API key": re.compile("(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{64})['\"]"), "Discord client ID": re.compile("(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9]{18})['\"]"), "Discord client secret": re.compile("(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]"), "Doppler API token": re.compile("(?i)['\"](dp\.pt\.)[a-z0-9]{43}['\"]"), "Dropbox API secret/key": re.compile("(dropbox[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{15})['\"]"), "Dropbox long lived API token": re.compile( "(dropbox[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"][a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43}['\"]"), 
"Dropbox short lived API token": re.compile( "(dropbox[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](sl\.[a-z0-9\-=_]{135})['\"]"), "Duffel API token": re.compile("(?i)['\"]duffel_(test|live)_[a-z0-9_-]{43}['\"]"), "Dynatrace API token": re.compile("(?i)['\"]dt0c01\.[a-z0-9]{24}\.[a-z0-9]{64}['\"]"), "EasyPost API token": re.compile("(?i)['\"]EZAK[a-z0-9]{54}['\"]"), "EasyPost test API token": re.compile("(?i)['\"]EZTK[a-z0-9]{54}['\"]"), "Fastly API token": re.compile("(fastly[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9\-=_]{32})['\"]"), "Finicity API token": re.compile("(finicity[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32})['\"]"), "Finicity client secret": re.compile("(finicity[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{20})['\"]"), "Flutterwave encrypted key": re.compile("FLWSECK_TEST[a-h0-9]{12}"), "Flutterwave public key": re.compile("(?i)FLWPUBK_TEST-[a-h0-9]{32}-X"), "Flutterwave secret key": re.compile("(?i)FLWSECK_TEST-[a-h0-9]{32}-X"), "Frame.io API token": re.compile("(?i)fio-u-[a-z0-9\-_=]{64}"), "Generic API Key": re.compile( "((key|api[^Version]|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]"), "Generic Password": re.compile("password"), "Generic Secret": re.compile("secret"), "GitHub App Token": re.compile("(ghu|ghs)_[0-9a-zA-Z]{36}"), "GitHub OAuth Access Token": re.compile("gho_[0-9a-zA-Z]{36}"), "GitHub Personal Access Token": re.compile("ghp_[0-9a-zA-Z]{36}"), "GitHub Refresh Token": re.compile("ghr_[0-9a-zA-Z]{76}"), "GitLab Personal Access Token": re.compile("glpat-[0-9a-zA-Z\-\_]{20}"), "GoCardless API token": re.compile("(?i)['\"]live_[a-z0-9\-_=]{40}['\"]"), "Google (GCP) Service-account": re.compile("\"type\": \"service_account\""), "Grafana API token": re.compile("(?i)['\"]eyJrIjoi[a-z0-9\-_=]{72,92}['\"]"), "HashiCorp Terraform user/org API token": 
re.compile("(?i)['\"][a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}['\"]"), "Heroku API Key": re.compile( "(heroku[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})['\"]"), "Intercom API token": re.compile("(intercom[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_]{60})['\"]"), "Intercom client secret/ID": re.compile( "(intercom[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['\"]"), "Ionic API token": re.compile("(ionic[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](ion_[a-z0-9]{42})['\"]"), "Linear API token": re.compile("(?i)lin_api_[a-z0-9]{40}"), "Linear client secret/ID": re.compile("(linear[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32})['\"]"), "LinkedIn Client ID": re.compile("(linkedin[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{14})['\"]"), "LinkedIn Client secret": re.compile("(linkedin[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z]{16})['\"]"), "Lob API Key": re.compile("(lob[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]((live|test)_[a-f0-9]{35})['\"]"), "Lob Publishable API Key": re.compile( "(lob[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]((test|live)_pub_[a-f0-9]{31})['\"]"), "Mailchimp API key": re.compile("(mailchimp[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{32}-us20)['\"]"), "Mailgun private API token": re.compile("(mailgun[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](key-[a-f0-9]{32})['\"]"), "Mailgun public validation key": re.compile("(mailgun[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](pubkey-[a-f0-9]{32})['\"]"), "Mailgun webhook signing key": re.compile( "(mailgun[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})['\"]"), "MessageBird API token": re.compile("(messagebird[a-z0-9_ 
.\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{25})['\"]"), "New Relic ingest browser API token": re.compile("['\"](NRJS-[a-f0-9]{19})['\"]"), "New Relic user API ID": re.compile("(newrelic[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([A-Z0-9]{64})['\"]"), "New Relic user API Key": re.compile("['\"](NRAK-[A-Z0-9]{27})['\"]"), "PGP private key": re.compile("-----BEGIN PGP PRIVATE KEY BLOCK-----"), "PKCS8 private key": re.compile("-----BEGIN PRIVATE KEY-----"), "PlanetScale API token": re.compile("(?i)pscale_tkn_[a-z0-9\-_\.]{43}"), "PlanetScale password": re.compile("(?i)pscale_pw_[a-z0-9\-_\.]{43}"), "Postman API token": re.compile("(?i)PMAK-[a-f0-9]{24}\-[a-f0-9]{34}"), "Pulumi API token": re.compile("pul-[a-f0-9]{40}"), "PyPI upload token": re.compile("pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}"), "RSA private key": re.compile("-----BEGIN RSA PRIVATE KEY-----"), "Rubygem API token": re.compile("rubygems_[a-f0-9]{48}"), "SSH (DSA) private key": re.compile("-----BEGIN DSA PRIVATE KEY-----"), "SSH (EC) private key": re.compile("-----BEGIN EC PRIVATE KEY-----"), "SSH private key": re.compile("-----BEGIN OPENSSH PRIVATE KEY-----"), "SendGrid API token": re.compile("(?i)SG\.[a-z0-9_\-\.]{66}"), "Sendinblue API token": re.compile("(?i)xkeysib-[a-f0-9]{64}\-[a-z0-9]{16}"), "Shippo API token": re.compile("shippo_(live|test)_[a-f0-9]{40}"), "Shopify access token": re.compile("shpat_[a-fA-F0-9]{32}"), "Shopify custom app access token": re.compile("shpca_[a-fA-F0-9]{32}"), "Shopify private app access token": re.compile("shppa_[a-fA-F0-9]{32}"), "Shopify shared secret": re.compile("shpss_[a-fA-F0-9]{32}"), "Slack token": re.compile("xox[baprs]-([0-9a-zA-Z]{10,48})?"), "Stripe": re.compile("(sk|pk)_(test|live)_[0-9a-z]{10,32}"), "Twitch API token": re.compile("(twitch[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9]{30})['\"]"), "Twitter token": re.compile("(twitter[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-f0-9]{35,44})['\"]"), 
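"Typeform API token": re.compile("(typeform[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}(tfp_[a-z0-9\-_\.=]{59})"),
    "npm access token": re.compile("(?i)['\"](npm_[a-z0-9]{36})['\"]")
}


def is_secret(string):
    """
    Given a string, tries to identify if it includes a secret.

    The patterns in `secret_patterns` are tried in dictionary order and the first match wins.

    NOTE: the value returned on a match embeds the whole input string, not only the secret type, so
    whatever stores or displays that value carries the matched secret in clear text.

    :param string:                  String to evaluate
    :return:                        None if no secret identified, otherwise "<type of secret>: <string>"
    """
    for secret_type, secret_regex in secret_patterns.items():
        if secret_regex.search(string):
            return f"{secret_type}: {string}"
    return None

================================================
FILE: ScoutSuite/utils.py
================================================
from __future__ import print_function

from ScoutSuite import __version__

# Display names for provider codes; see format_provider_code().
formatted_provider_name = {
    'aliyun': 'Aliyun',
    'aws': 'AWS',
    'azure': 'Azure',
    'gcp': 'GCP',
    'oci': 'OCI',
    'kubernetes': 'Kubernetes'
}

# Display names for service codes; see format_service_name().
formatted_service_name = {
    # AWS
    'acm': 'ACM',
    'cloudformation': 'CloudFormation',
    'cloudtrail': 'CloudTrail',
    'cloudwatch': 'CloudWatch',
    'cloudfront': 'CloudFront',
    'credentials': 'Credentials',
    'codebuild': 'CodeBuild',
    'cognito': 'Cognito',
    'config': 'Config',
    'directconnect': 'Direct Connect',
    'dynamodb': 'DynamoDB',
    'ecr': 'ECR',
    'ecs': 'ECS',
    'elbv2': 'ELBv2',
    'eks': 'EKS',
    'elasticache': 'ElastiCache',
    'guardduty': 'GuardDuty',
    'lambda': 'Lambda',
    'awslambda': 'Lambda',
    'redshift': 'RedShift',
    'route53': 'Route53',
    'secretsmanager': 'Secrets Manager',
    'docdb': 'DocumentDB',
    'ssm': 'Systems Manager',
    # Azure
    'aad': 'Azure Active Directory',
    'storageaccounts': 'Storage Accounts',
    'sqldatabase': 'SQL Database',
    'securitycenter': 'Security Center',
    'keyvault': 'Key Vault',
    'appgateway': 'Application Gateway',
    'rediscache': 'Redis Cache',
    'network': 'Network',
    'appservice': 'App Services',
    'loadbalancer': 'Load Balancer',
    'virtualmachines': 'Virtual Machines',
    'postgresqldatabase': 'PostgresSQL Database',
    'mysqldatabase': 'MySQL Database',
    'loggingmonitoring': 'Logging Monitoring',
    # GCP
    'cloudstorage': 'Cloud Storage',
    'cloudmemorystore': 'Cloud Memorystore',
    'memorystore': 'Cloud Memorystore',
    'cloudsql': 'Cloud SQL',
    'dns': 'DNS',
    'stackdriverlogging': 'Stackdriver Logging',
    'stackdrivermonitoring': 'Stackdriver Monitoring',
    'computeengine': 'Compute Engine',
    'kubernetesengine': 'Kubernetes Engine',
    'functions': 'Cloud Functions',
    'bigquery': 'BigQuery',
    # Aliyun
    'actiontrail': 'ActionTrail',
    # OCI
    'identity': 'Identity',
    'objectstorage': 'Object Storage',
}


def manage_dictionary(dictionary, key, init, callback=None):
    """
    Make sure `dictionary` has an entry for str(key), creating it with `init` when it is missing.

    :param dictionary:              Dictionary to update in place
    :param key:                     Key to look up; it is always stored in its str() form
    :param init:                    Value assigned when the key is not present yet
    :param callback:                Optional callable invoked with the newly created value; it is not
                                    called when the key already existed
    :return:                        The same dictionary
    :raises TypeError:              If `dictionary` is not a dict
    """
    if not isinstance(dictionary, dict):
        raise TypeError()
    str_key = str(key)
    if str_key not in dictionary:
        dictionary[str_key] = init
        if callback:
            # The entry is stored under str(key), so it has to be read back under that same key;
            # indexing with a non-string `key` raised KeyError here.
            callback(dictionary[str_key])
    return dictionary


def format_provider_code(provider_code):
    """
    Return the display name of a provider.

    :param provider_code:           Provider code (ex: 'aws')
    :return:                        Name from formatted_provider_name, or the upper-cased code when
                                    the provider is not listed there
    """
    if provider_code in formatted_provider_name:
        return formatted_provider_name[provider_code]
    return provider_code.upper()


def format_service_name(service):
    """
    Return the display name of a service.

    :param service:                 Service code (ex: 'cloudtrail')
    :return:                        Name from formatted_service_name, or the upper-cased code when
                                    the service is not listed there
    """
    if service in formatted_service_name:
        return formatted_service_name[service]
    return service.upper()


def get_user_agent():
    """Return the User-Agent string for Scout Suite, which includes the package version."""
    return f'Scout Suite/{__version__} (https://github.com/nccgroup/ScoutSuite)'

================================================
FILE: dev-requirements.txt
================================================
-r requirements.txt
flake8
codecov
coveralls
autopep8
pytest>=5.*
pytest-cov
mypy

================================================
FILE: docker/.dockerignore
================================================
README.md

================================================
FILE: docker/Dockerfile-aws
================================================
FROM nccgroup/scoutsuite-base:5.13.0-01
LABEL maintainer="Jason Ross "

ARG BUILD_DATE
ARG NAME
ARG DESCRIPTION
ARG VCS_REF
ARG VCS_URL
ARG VENDOR
ARG VERSION
ARG IMAGE_NAME

ENV DEBIAN_FRONTEND=${DEBIAN_FRONTEND}
ENV TERM=${TERM}

# Build-time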
metadata as defined at http://label-schema.org LABEL \ org.label-schema.schema-version="1.0" \ org.label-schema.build-date="${BUILD_DATE}" \ org.label-schema.name="${NAME}" \ org.label-schema.description="${DESCRIPTION}" \ org.label-schema.vcs-ref="${VCS_REF}" \ org.label-schema.vcs-url="${VCS_URL}" \ org.label-schema.vendor="${VENDOR}" \ org.label-schema.version="${VERSION}" \ org.label.image-name="${IMAGE_NAME}" # Copy helper scripts to container ADD bin /root/bin # Install AWS CLI RUN ["/bin/bash", "-c", "/root/bin/container-install-aws2.sh"] # Remove scripts RUN ["rm", "-rf", "/root/bin"] # Command CMD ["/bin/bash"] ================================================ FILE: docker/Dockerfile-azure ================================================ FROM nccgroup/scoutsuite-base:5.13.0-01 LABEL maintainer="Jason Ross " ARG BUILD_DATE ARG NAME ARG DESCRIPTION ARG VCS_REF ARG VCS_URL ARG VENDOR ARG VERSION ARG IMAGE_NAME ENV DEBIAN_FRONTEND=${DEBIAN_FRONTEND} ENV TERM=${TERM} # Build-time metadata as defined at http://label-schema.org LABEL \ org.label-schema.schema-version="1.0" \ org.label-schema.build-date="${BUILD_DATE}" \ org.label-schema.name="${NAME}" \ org.label-schema.description="${DESCRIPTION}" \ org.label-schema.vcs-ref="${VCS_REF}" \ org.label-schema.vcs-url="${VCS_URL}" \ org.label-schema.vendor="${VENDOR}" \ org.label-schema.version="${VERSION}" \ org.label.image-name="${IMAGE_NAME}" # Copy helper scripts to container ADD bin /root/bin # Install Azure CLI RUN ["/bin/bash", "-c", "/root/bin/container-install-azure.sh"] # Remove scripts RUN ["rm", "-rf", "/root/bin"] # Command CMD ["/bin/bash"] ================================================ FILE: docker/Dockerfile-base ================================================ FROM python:3.12 LABEL maintainer="Jason Ross " ARG BUILD_DATE ARG NAME ARG DESCRIPTION ARG VCS_REF ARG VCS_URL ARG VENDOR ARG VERSION ARG IMAGE_NAME ENV DEBIAN_FRONTEND=${DEBIAN_FRONTEND} ENV TERM=${TERM} # Build-time metadata as defined at 
http://label-schema.org LABEL \ org.label-schema.schema-version="1.0" \ org.label-schema.build-date="${BUILD_DATE}" \ org.label-schema.name="${NAME}" \ org.label-schema.description="${DESCRIPTION}" \ org.label-schema.vcs-ref="${VCS_REF}" \ org.label-schema.vcs-url="${VCS_URL}" \ org.label-schema.vendor="${VENDOR}" \ org.label-schema.version="${VERSION}" \ org.label.image-name="${IMAGE_NAME}" # Copy helper scripts to container ADD bin /root/bin # Install required software RUN ["/bin/bash", "-c", "/root/bin/container-install-prereqs.sh"] # Install ScoutSuite RUN ["/bin/bash", "-c", "/root/bin/container-install-scoutsuite.sh"] # Set a nice message RUN ["/bin/bash", "-c", "/root/bin/container-set-init.sh"] # Remove scripts RUN ["rm", "-rf", "/root/bin"] # Command CMD ["/bin/bash"] ================================================ FILE: docker/Dockerfile-gcp ================================================ FROM nccgroup/scoutsuite-base:5.13.0-01 LABEL maintainer="Jason Ross " ARG BUILD_DATE ARG NAME ARG DESCRIPTION ARG VCS_REF ARG VCS_URL ARG VENDOR ARG VERSION ARG IMAGE_NAME ENV DEBIAN_FRONTEND=${DEBIAN_FRONTEND} ENV TERM=${TERM} # Build-time metadata as defined at http://label-schema.org LABEL \ org.label-schema.schema-version="1.0" \ org.label-schema.build-date="${BUILD_DATE}" \ org.label-schema.name="${NAME}" \ org.label-schema.description="${DESCRIPTION}" \ org.label-schema.vcs-ref="${VCS_REF}" \ org.label-schema.vcs-url="${VCS_URL}" \ org.label-schema.vendor="${VENDOR}" \ org.label-schema.version="${VERSION}" \ org.label.image-name="${IMAGE_NAME}" # Copy helper scripts to container ADD bin /root/bin # Install gCloud SDK RUN ["/bin/bash", "-c", "/root/bin/container-install-gcp.sh"] # Remove scripts RUN ["rm", "-rf", "/root/bin"] # Command CMD ["/bin/bash"] ================================================ FILE: docker/README.md ================================================ # Docker Image See the [wiki 
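entry](https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image).

================================================
FILE: docker/bin/container-install-aws2.sh
================================================
#!/bin/bash
export DEBIAN_FRONTEND=noninteractive

# =====================================
# install the AWS CLI Tools
# =====================================
WORKDIR=/root
TMPDIR=/tmp
AWSDIR=/root/.aws

echo -e "\n\nAWS2 CLI Installation Starting...\n\n"

# =====================================
# install AWS CLI v2
# =====================================
cd ${TMPDIR}
# -f makes curl fail on an HTTP error instead of saving the error page as awscliv2.zip.
# NOTE(review): the archive is unpacked and installed without checking a signature or checksum,
# so TLS to the download host is the only integrity control on what ends up in the image.
curl -f "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install --update

# =====================================
# clean up install artifacts
# =====================================
rm ${TMPDIR}/awscliv2.zip
rm -rf ${TMPDIR}/aws

# =====================================
# Setup AWS configuration templates
# =====================================
# if the aws config directory already exists
# then we do nothing and leave it alone
if [ ! -d ${AWSDIR} ]; then
  mkdir ${AWSDIR}

  # create the config template
  cat <<'EOF' >${AWSDIR}/config
[default]
region = us-east-1
output = json
EOF

  # create the credentials template
  cat <<'EOF' >${AWSDIR}/credentials
[default]
aws_access_key_id =
aws_secret_access_key =
EOF
fi

echo -e "\n\nAWS2 CLI Installation Complete!\n\n"

================================================
FILE: docker/bin/container-install-azure.sh
================================================
#!/bin/bash
export DEBIAN_FRONTEND=noninteractive

# =====================================
# install the Azure CLI Tools
# =====================================
WORKDIR=/root
TMPDIR=/tmp
cd ${TMPDIR}

echo -e "\n\nAzure CLI Installation Starting...\n\n"

# blackbox pipe a random URL directly to shell
# why? because MSFT
#curl -sL https://aka.ms/InstallAzureCLIDeb | bash

# manual process
# add msft gpg key to apt
# -f stops an HTTP error page from being piped into gpg; -S keeps curl's error message visible.
# NOTE(review): keys placed in /etc/apt/trusted.gpg.d are trusted for every configured repository;
# a dedicated keyring referenced with signed-by= would limit this key to the Microsoft repo.
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/microsoft.asc.gpg

# set the right repo name
CLI_REPO=$(lsb_release -cs)

# add the msft repo to apt
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ ${CLI_REPO} main" \
    > /etc/apt/sources.list.d/azure-cli.list

# install the software
apt-get update && apt-get install -y azure-cli

# Repo Azure is not most up to date client, run az upgrade to get latest copy
az upgrade -y

echo -e "\n\nAzure CLI Installation Complete!\n\n"

================================================
FILE: docker/bin/container-install-gcp.sh
================================================
#!/bin/bash
export DEBIAN_FRONTEND=noninteractive

# =====================================
# install gCloud SDK CLI Tools
# =====================================
WORKDIR=/root
TMPDIR=/tmp
cd ${TMPDIR}

echo -e "\n\ngCloud SDK Installation Starting...\n\n"

# add the gcp repo to apt
# NOTE(review): signed-by= points into /etc/apt/trusted.gpg.d, whose keys apt already trusts for
# all repositories, so the option does not narrow trust as long as the key is stored there.
echo "deb [signed-by=/etc/apt/trusted.gpg.d/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" > /etc/apt/sources.list.d/google-cloud-sdk.list

# add the gcp pubkey to apt
# -f makes curl fail on an HTTP error instead of writing the error page into the keyring file.
# NOTE(review): the host in this URL ends with a trailing dot, unlike the repo URL above - confirm
# that this is intended.
curl -f https://packages.cloud.google.com./apt/doc/apt-key.gpg > /etc/apt/trusted.gpg.d/cloud.google.gpg

# install the sdk + kubectl + some extra python-related bits
apt-get update && apt-get install -y google-cloud-sdk google-cloud-sdk-app-engine-python google-cloud-sdk-app-engine-python-extras kubectl

# let folks know the install is done
echo -e "\n\ngCloud SDK Installation Complete!\n\n"

================================================
FILE: docker/bin/container-install-prereqs.sh
================================================
#!/bin/bash
export DEBIAN_FRONTEND=noninteractive

# =====================================
# install software packages needed for
# all the other components to run
#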
===================================== WORKDIR=/root TMPDIR=/tmp cd ${TMPDIR} echo -e "\n\nSoftware Pre-reqs Installation Starting...\n\n" # ===================================== # set up the pre-reqs # ===================================== apt-get update > /dev/null 2>&1 apt-get install -qy \ apt-transport-https \ apt-utils \ ca-certificates \ cmake \ curl \ dialog \ gnupg \ groff \ jq \ less \ lsb-release \ nano \ # python3 \ # python3-pip \ tzdata \ unzip \ vim \ # virtualenv \ # virtualenvwrapper \ wget echo -e "\n\nSoftware Pre-reqs Installation Complete!\n\n" ================================================ FILE: docker/bin/container-install-scoutsuite.sh ================================================ #!/bin/bash # ===================================== # install ScoutSuite into a virtual env # ===================================== WORKDIR=/root TMPDIR=/tmp # ===================================== # install ScoutSuite # ===================================== cd ${WORKDIR} virtualenv -p python3 scoutsuite source ${WORKDIR}/scoutsuite/bin/activate pip install scoutsuite echo -e "\n\nScoutsuite Installation Complete!\n\n" ================================================ FILE: docker/bin/container-set-init.sh ================================================ #!/bin/bash cat <<'EOF' >> /root/.bashrc export TERM=linux cd ${HOME} source ${HOME}/scoutsuite/bin/activate echo -e "Welcome to Scoutsuite!\nYou are already in the Scoutsuite virtual environment, so just type \`scout\` to run it!\n (for example: \`scout -h\` to see the help documentation).\n\nHave fun!\n\n" EOF ================================================ FILE: docker/build.sh ================================================ #!/bin/bash # vars are stored in .env and config/base.env files # note that the FROM used in the Dockerfile files # needs to be updated to match the version in the env # files in order for anything other than the base image # to build correctly. 
# TODO: fix this so that the FROM is set in the Dockerfile # automatically by the env vars SEP1="==============================" SEP2="------------------------------" echo -e "\n\n${SEP1}" echo -e "BEGINNING BUILD..." case $1 in "base") ##################### #### BASE IMAGE #### ##################### echo -e "\n${SEP2}\nbuilding base image...\n" source ./config/base.env BUILD_CMD="docker build \ -f Dockerfile-base \ -t ${IMAGE_NAME} \ --build-arg BUILD_DATE=${BUILD_DATE} \ --build-arg NAME=${NAME} \ --build-arg VCS_REF=${VCS_REF} \ --build-arg VCS_URL=${VCS_URL} \ --build-arg VENDOR=${VENDOR} \ --build-arg VERSION=${VERSION} \ --build-arg IMAGE_NAME=${IMAGE_NAME} \ ." echo -e "\n\nbuilding image using:\n${BUILD_CMD}" exec ${BUILD_CMD} echo -e "\nbase image build complete!\n${SEP2}\n" ;; "aws") ##################### #### AWS IMAGE #### ##################### echo -e "\n${SEP2}\nbuilding aws image...\n" source ./config/base.env source ./config/aws.env BUILD_CMD="docker build \ -f Dockerfile-aws \ -t ${IMAGE_NAME} \ --build-arg BUILD_DATE=${BUILD_DATE} \ --build-arg NAME=${NAME} \ --build-arg VCS_REF=${VCS_REF} \ --build-arg VCS_URL=${VCS_URL} \ --build-arg VENDOR=${VENDOR} \ --build-arg VERSION=${VERSION} \ --build-arg IMAGE_NAME=${IMAGE_NAME} \ ." echo -e "\n\nbuilding image using:\n${BUILD_CMD}" exec ${BUILD_CMD} echo -e "\naws image build complete!\n${SEP2}\n" ;; "gcp") ##################### #### GCP IMAGE #### ##################### echo -e "\n${SEP2}\nbuilding gcp image...\n" source ./config/base.env source ./config/gcp.env BUILD_CMD="docker build \ -f Dockerfile-gcp \ -t ${IMAGE_NAME} \ --build-arg BUILD_DATE=${BUILD_DATE} \ --build-arg NAME=${NAME} \ --build-arg VCS_REF=${VCS_REF} \ --build-arg VCS_URL=${VCS_URL} \ --build-arg VENDOR=${VENDOR} \ --build-arg VERSION=${VERSION} \ --build-arg IMAGE_NAME=${IMAGE_NAME} \ ." 
echo -e "\n\nbuilding image using:\n${BUILD_CMD}" exec ${BUILD_CMD} echo -e "\ngcp image build complete!\n${SEP2}\n" ;; "azure") ##################### #### AZURE IMAGE #### ##################### echo -e "\n${SEP2}\nbuilding azure image...\n" source ./config/base.env source ./config/azure.env BUILD_CMD="docker build \ -f Dockerfile-azure \ -t ${IMAGE_NAME} \ --build-arg BUILD_DATE=${BUILD_DATE} \ --build-arg NAME=${NAME} \ --build-arg VCS_REF=${VCS_REF} \ --build-arg VCS_URL=${VCS_URL} \ --build-arg VENDOR=${VENDOR} \ --build-arg VERSION=${VERSION} \ --build-arg IMAGE_NAME=${IMAGE_NAME} \ ." echo -e "\n\nbuilding image using:\n${BUILD_CMD}" exec ${BUILD_CMD} ;; "combined") ##################### ## COMBINED IMAGE ## ##################### echo -e "\n${SEP2}\nbuilding combined image...\n" source ./config/base.env source ./config/combined.env BUILD_CMD="docker build \ -f Dockerfile \ -t ${IMAGE_NAME} \ --build-arg BUILD_DATE=${BUILD_DATE} \ --build-arg NAME=${NAME} \ --build-arg VCS_REF=${VCS_REF} \ --build-arg VCS_URL=${VCS_URL} \ --build-arg VENDOR=${VENDOR} \ --build-arg VERSION=${VERSION} \ --build-arg IMAGE_NAME=${IMAGE_NAME} \ ." echo -e "\n\nbuilding image using:\n${BUILD_CMD}" exec ${BUILD_CMD} echo -e "\nbase image build complete!\n${SEP2}\n" ;; "all") $0 base $0 aws $0 gcp $0 azure ;; *) echo -e "\nBUILD TARGET NOT FOUND!" 
echo -e "\nUSAGE:\n $0 [base | aws | gcp | azure | all ]" echo -e "${SEP1}" exit 1 # echo -e "Using default: all\n" # $0 all ;; esac echo -e "\n${SEP1}\nBUILD COMPLETE!...\n" ================================================ FILE: docker/config/aws.env ================================================ CLOUD='aws' IMAGE_NAME="${VENDOR}/${NAME}-${CLOUD}:${VERSION}" # These are passed in as env vars to the container at runtime DEBIAN_FRONTEND=noninteractive TERM=linux ================================================ FILE: docker/config/azure.env ================================================ CLOUD='azure' IMAGE_NAME="${VENDOR}/${NAME}-${CLOUD}:${VERSION}" # These are passed in as env vars to the container at runtime DEBIAN_FRONTEND=noninteractive TERM=linux ================================================ FILE: docker/config/base.env ================================================ VCS_REF=$(git rev-parse --short HEAD) VCS_URL='https://github.com/nccgroup/ScoutSuite' VERSION='5.13.0-01' BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") VENDOR='nccgroup' NAME='scoutsuite' CLOUD='base' DESCRIPTION='A ready-to-go NCC Group ScoutSuite container based on Ubuntu.' 
IMAGE_NAME="${VENDOR}/${NAME}-${CLOUD}:${VERSION}" # These are passed in as env vars to the container at runtime DEBIAN_FRONTEND=noninteractive TERM=linux ================================================ FILE: docker/config/combined.env ================================================ IMAGE_NAME="${VENDOR}/${NAME}:${VERSION}" # These are passed in as env vars to the container at runtime DEBIAN_FRONTEND=noninteractive TERM=linux ================================================ FILE: docker/config/gcp.env ================================================ CLOUD='gcp' IMAGE_NAME="${VENDOR}/${NAME}-${CLOUD}:${VERSION}" # These are passed in as env vars to the container at runtime DEBIAN_FRONTEND=noninteractive TERM=linux ================================================ FILE: docker/config/ibm.env ================================================ CLOUD='ibm' IMAGE_NAME="${VENDOR}/${NAME}-${CLOUD}:${VERSION}" # These are passed in as env vars to the container at runtime IBMCLOUD_COLOR=true DEBIAN_FRONTEND=noninteractive TERM=linux ================================================ FILE: docker/tag.sh ================================================ #!/bin/bash source .env #echo ${VERSION} docker tag nccgroup/scoutsuite-aws:${VERSION} rossja/scoutsuite-aws:${VERSION} docker tag nccgroup/scoutsuite-azure:${VERSION} rossja/scoutsuite-azure:${VERSION} docker tag nccgroup/scoutsuite-gcp:${VERSION} rossja/scoutsuite-gcp:${VERSION} docker tag nccgroup/scoutsuite-base:${VERSION} rossja/scoutsuite-base:${VERSION} docker tag rossja/scoutsuite-aws:${VERSION} rossja/scoutsuite-aws:latest docker tag rossja/scoutsuite-azure:${VERSION} rossja/scoutsuite-azure:latest docker tag rossja/scoutsuite-gcp:${VERSION} rossja/scoutsuite-gcp:latest docker tag rossja/scoutsuite-base:${VERSION} rossja/scoutsuite-base:latest docker push rossja/scoutsuite-aws:${VERSION} docker push rossja/scoutsuite-azure:${VERSION} docker push rossja/scoutsuite-gcp:${VERSION} docker push rossja/scoutsuite-base:${VERSION} 
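docker push rossja/scoutsuite-aws:latest
docker push rossja/scoutsuite-azure:latest
docker push rossja/scoutsuite-gcp:latest
docker push rossja/scoutsuite-base:latest

================================================
FILE: pytest.ini
================================================
[pytest]
# --strict-markers turns any @pytest.mark.<name> not registered below into an error.
addopts = --strict-markers
markers =
    credential: tests that require external credentials
    cloudwatch: working against real CloudWatch environments
    profiles: run tests that use specific profiles

================================================
FILE: requirements.txt
================================================
# NOTE(review): this file mixes exact pins (==), open-ended lower bounds (>=)
# and one unconstrained package (kubernetes), and carries no hashes, so two
# installs at different times can resolve to different code. setup.py feeds
# these lines into install_requires. For release builds, consider installing
# from a fully pinned constraints/lock file with `pip install --require-hashes`.
# Exact pins do not pick up upstream security fixes on their own; review them
# periodically.

# Core
python-dateutil<2.8.1,>=2.1
netaddr>=0.8.0
sqlitedict>=1.6.0
cherrypy>=18.1.0
cherrypy-cors>=1.6
coloredlogs<=10.0
asyncio-throttle==0.1.1

# AWS Provider
botocore>=1.20.21
boto3>=1.9.210
policyuniverse>=1.3.2.0

# GCP Provider
grpcio>=1.18.0
## Cloud Libraries
google-cloud-container>=2.1.0
google-cloud-core>=0.29.1
google-cloud-iam>=0.1.0
google-cloud-logging>=2.2.0
google-cloud-monitoring==1.1.0
google-cloud-resource-manager>=0.28.3
google-cloud-storage>=1.13.2
google-cloud-kms==1.3.0
## API Client Libraries
google-api-python-client>=2.47.0
# NOTE(review): oauth2client is deprecated upstream in favour of google-auth.
oauth2client>=4.1.3
## Necessary since API Client Libraries are not thread-safe
httplib2shim>=0.0.3

#for authentication
azure-identity==1.5.0
## for resources
azure-mgmt-resource==15.0.0
azure-mgmt-storage==17.0.0
azure-mgmt-monitor==2.0.0
azure-mgmt-sql==1.0.0
azure-mgmt-security==1.0.0
azure-mgmt-keyvault==8.0.0
azure-mgmt-network==17.1.0
azure-mgmt-redis==12.0.0
azure-mgmt-web==1.0.0
azure-mgmt-compute==18.2.0
azure-mgmt-authorization==3.0.0
azure-mgmt-rdbms==8.0.0
msgraph-core==0.2.2

# Aliyun / Alibaba Cloud Provider
aliyun-python-sdk-core>=2.13.4
aliyun-python-sdk-ram>=3.0.1
aliyun-python-sdk-ocs>=0.0.4
aliyun-python-sdk-sts>=3.0.1
aliyun-python-sdk-actiontrail>=2.0.0
aliyun-python-sdk-vpc>=3.0.5
aliyun-python-sdk-ecs>=4.16.10
aliyun-python-sdk-rds>=2.3.9
aliyun-python-sdk-kms>=2.6.0
oss2>=2.8.0

# Oracle Cloud Infrastructure Provider
oci>=2.2.4

# Kubernetes SDK
kubernetes

# DigitalOcean Cloud Provider
pydo >=0.2.0

================================================
FILE: scout.py
================================================
#!/usr/bin/env python3
# Thin launcher: delegates to ScoutSuite.__main__.run_from_cli and uses its
# return value as the process exit status.

import sys

from ScoutSuite.__main__ import run_from_cli

if __name__ == "__main__":
    sys.exit(run_from_cli())

================================================
FILE: setup.py
================================================
#!/usr/bin/env python

# distutils/setuptools install script for Scout Suite
import os
from setuptools import setup, find_packages

# Package info
NAME = 'ScoutSuite'
ROOT = os.path.dirname(__file__)
# Directory holding this file, with symlinks resolved. requirements.txt and
# README.md are both read relative to it, so the build does not depend on the
# current working directory.
HERE = os.path.dirname(os.path.realpath(__file__))
# Importing the package to read __version__ runs ScoutSuite/__init__.py at
# build/install time.
VERSION = __import__(NAME).__version__

# Requirements: one specifier per line of requirements.txt. Blank lines and
# '#' comment lines are dropped so install_requires holds only specifiers.
requirements = []
with open(os.path.join(HERE, 'requirements.txt')) as f:
    for r in f:
        r = r.strip()
        if r and not r.startswith('#'):
            requirements.append(r)

# Long description, read through a context manager so the handle is closed.
with open(os.path.join(HERE, 'README.md')) as f:
    long_description = f.read()

# Setup
setup(
    name=NAME,
    version=VERSION,
    description='Scout Suite, a multi-cloud security auditing tool',
    long_description_content_type='text/markdown',
    long_description=long_description,
    author='NCC Group',
    url='https://github.com/nccgroup/ScoutSuite',
    entry_points={
        'console_scripts': [
            'scout = ScoutSuite.__main__:run_from_cli',
        ]
    },
    packages=find_packages(),
    package_data={
        'ScoutSuite.data': [
            '*.json'
        ],
        'ScoutSuite.output': [
            '*.html',
            '*.js',
            '*.css',
            '*.zip'
        ],
        'ScoutSuite.providers': [
            '*.json'
        ]
    },
    include_package_data=True,
    install_requires=requirements,
    license='GNU General Public License v2 (GPLv2)',
    classifiers=[
        'Development Status :: 5 - Production/Stable',
        'Intended Audience :: Developers',
        'Intended Audience :: Information Technology',
        'Intended Audience :: System Administrators',
        'Natural Language :: English',
        'License :: OSI Approved :: GNU General Public License v2 (GPLv2)',
        'Programming Language :: Python',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.9',
        'Programming Language :: Python :: 3.10',
        'Programming Language :: Python :: 3.11'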
] ) ================================================ FILE: tests/data/invalid-file.json ================================================ {this is not a valid JSON file} ================================================ FILE: tests/data/ip-ranges-1.json ================================================ {"createDate": "2015-10-01-19-05-51","prefixes": [{"field_a": "a1","field_b": "b1","ip_prefix": "1.2.3.4"},{"field_a": "a2","field_b": "b2","ip_prefix": "5.6.7.8"}]} ================================================ FILE: tests/data/ip-ranges-3.json ================================================ { "source": "tests/data/ip-ranges-2.json", "local_file": "True", "conditions": [ "and", [ "region", "match", [ "us-.*" ] ] ] } ================================================ FILE: tests/data/policy1.json ================================================ { "Statement": [ { "Action": [ "cloudwatch:Describe*", "iam:GetUser", "iam:List*", "s3:GetBucket*", "s3:GetObjectAcl", "s3:ListAllMyBuckets", "sqs:ListQueues" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "iam:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": "*", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" } ================================================ FILE: tests/data/protocols.json ================================================ { "protocols": { "-2": "TEST" } } ================================================ FILE: tests/data/resources/dummy_resources.json ================================================ { "0": { "some_dummy_resources": { "resource_a": { "some_id": 1, "region": "some_region", "some_other_scope": "0" }, "resource_b": { "some_id": 2, "region": "some_region", "some_other_scope": "0" } }, "some_dummy_resources_count": 2, "other_dummy_resources": { "resource_a": { "some_id": 1, "region": "some_region", "some_other_scope": "0" }, "resource_b": { "some_id": 2, "region": "some_region", "some_other_scope": "0" } }, "other_dummy_resources_count": 2 }, "1": { 
"some_dummy_resources": { "resource_a": { "some_id": 1, "region": "some_region", "some_other_scope": "1" }, "resource_b": { "some_id": 2, "region": "some_region", "some_other_scope": "1" } }, "some_dummy_resources_count": 2, "other_dummy_resources": { "resource_a": { "some_id": 1, "region": "some_region", "some_other_scope": "1" }, "resource_b": { "some_id": 2, "region": "some_region", "some_other_scope": "1" } }, "other_dummy_resources_count": 2 } } ================================================ FILE: tests/data/rule-configs/ec2.json ================================================ { "account_id": "123456789012", "services": { "ec2": { "instances_count": 69, "regions": { "ap-northeast-2": { "instances_count": 0, "region": "ap-northeast-2", "regional_settings": { "0": { "ebs_default_encryption_key_id": "alias/aws/ebs", "ebs_encryption_default": false } }, "security_groups_count": 1, "snapshots": {}, "snapshots_count": 0, "volumes": {}, "volumes_count": 0, "vpc_resource_types": [ "instances", "security_groups" ], "vpcs": { "vpc-ap111111": { "instances": {}, "name": null, "security_groups": { "sg-ap111111": { "description": "default VPC security group", "id": "sg-ap111111", "name": "default", "owner_id": "123456789012", "is_default_configuration": true, "rules": { "egress": { "count": 0, "protocols": {} }, "ingress": { "count": 1, "protocols": { "ALL": { "ports": { "N/A": { "security_groups": [ { "GroupId": "sg-ap111111", "GroupName": "default", "UserId": "123456789012" } ] } } } } } } } } } } }, "ap-south-1": { "instances_count": 0, "region": "ap-south-1", "regional_settings": { "0": { "ebs_default_encryption_key_id": "alias/aws/ebs", "ebs_encryption_default": false } }, "security_groups_count": 1, "snapshots": {}, "snapshots_count": 0, "volumes": {}, "volumes_count": 0, "vpc_resource_types": [ "instances", "security_groups" ], "vpcs": { "vpc-ap222222": { "instances": {}, "name": null, "security_groups": { "sg-ap222222": { "description": "default VPC security 
group", "id": "sg-ap222222", "name": "default", "owner_id": "123456789012", "is_default_configuration": true, "rules": { "egress": { "count": 0, "protocols": {} }, "ingress": { "count": 0, "protocols": {} } }, "used_by": { "ec2": { "resource_type": { "instances": { "running": [ "i-ap222222222222222" ] } } } } } } } } }, "eu-central-1": { "instances_count": 0, "region": "eu-central-1", "regional_settings": { "0": { "ebs_default_encryption_key_id": "alias/aws/ebs", "ebs_encryption_default": false } }, "security_groups_count": 1, "snapshots": {}, "snapshots_count": 0, "volumes": {}, "volumes_count": 0, "vpc_resource_types": [ "instances", "security_groups" ], "vpcs": { "vp-eu111111": { "instances": {}, "name": null, "security_groups": { "sg-eu111111": { "description": "default VPC security group", "id": "sg-eu111111", "name": "default", "owner_id": "123456789012", "is_default_configuration": true, "rules": { "egress": { "count": 0, "protocols": {} }, "ingress": { "count": 0, "protocols": {} } } } } } } }, "eu-west-1": { "instances_count": 35, "region": "eu-west-1", "regional_settings": { "0": { "ebs_default_encryption_key_id": "arn:aws:kms:us-east-1:123456789012:key/12345678-90ab-cdef-1234-567890abcdef", "ebs_encryption_default": true } }, "security_groups_count": 30, "vpcs": { "vpc-eu111111": { "instances": {}, "name": null, "security_groups": { "sg-eu111111": { "description": "default VPC security group", "id": "sg-eu111111", "name": "default", "owner_id": "123456789012", "is_default_configuration": true, "rules": { "egress": { "count": 0, "protocols": {} }, "ingress": { "count": 0, "protocols": {} } } } } }, "vpc-eu222222": { "name": "Test VPC in eu-west-1", "security_groups": { "sg-eu222222": { "description": "Allow access to Record Service ports from other region", "id": "sg-eu222222", "name": "test-sg-222222", "owner_id": "123456789012", "is_default_configuration": true, "rules": { "egress": { "count": 1, "protocols": { "ALL": { "ports": { "N/A": { "cidrs": [ { 
"CIDR": "0.0.0.0/0", "CIDRName": "All" } ] } } } } }, "ingress": { "count": 1, "protocols": { "TCP": { "ports": { "10-30": { "cidrs": [ { "CIDR": "10.0.0.0/8" } ] }, "42": { "cidrs": [ { "CIDR": "54.151.0.0/17" } ] }, "43": { "cidrs": [ { "CIDR": "13.124.0.0/16" } ] } } } } } }, "used_by": { "ec2": { "resource_type": { "instances": { "running": [ "i-eu111111111111111" ] } } } } } } } } }, "sa-east-1": { "instances_count": 0, "region": "sa-east-1", "regional_settings": { "0": { "ebs_default_encryption_key_id": "arn:aws:kms:us-east-1:123456789012:key/12345678-90ab-cdef-1234-567890abcdef", "ebs_encryption_default": true } }, "security_groups_count": 1, "snapshots": {}, "snapshots_count": 0, "volumes": {}, "volumes_count": 0, "vpc_resource_types": [ "instances", "security_groups" ], "vpcs": { "vpc-sa111111": { "instances": {}, "name": null, "security_groups": { "sg-sa111111": { "description": "default VPC security group", "id": "sg-sa111111", "name": "default", "owner_id": "123456789012", "is_default_configuration": true, "rules": { "egress": { "count": 0, "protocols": {} }, "ingress": { "count": 0, "protocols": {} } } }, "sg-sa222222": { "description": "Test SG in SA", "id": "sg-sa111111", "name": "testsg", "owner_id": "123456789012", "is_default_configuration": true, "rules": { "egress": { "count": 0, "protocols": {} }, "ingress": { "count": 1, "protocols": { "ALL": { "ports": { "N/A": { "security_groups": [ { "GroupId": "sg-sa111111", "GroupName": "testsg", "UserId": "123456789012" } ] } } } } } } }, "sg-sa33333333": { "description": "Test SG in SA", "id": "sg-sa33333333", "name": "testsg", "owner_id": "123456789012", "is_default_configuration": true, "rules": { "egress": { "count": 0, "protocols": {} }, "ingress": { "count": 1, "protocols": { "ALL": { "ports": { "N/A": { "cidrs": [ { "CIDR": "0.0.0.0/0" } ] } } }, "TCP": { "ports": { "42": { "cidrs": [ { "CIDR": "0.0.0.0/0" } ] }, "3306": { "cidrs": [ { "CIDR": "0.0.0.0/0" } ] } } } } } } } } } } } } } } } 
================================================ FILE: tests/data/rule-configs/iam-password-policy.json ================================================ { "account_id": "123456789012", "services": { "iam": { "password_policy": { "ExpirePasswords": false, "MinimumPasswordLength": "1", "PasswordReusePrevention": false, "RequireLowercaseCharacters": false, "RequireNumbers": false, "RequireSymbols": false, "RequireUppercaseCharacters": false } } } } ================================================ FILE: tests/data/rule-configs/iam-root.json ================================================ { "account_id": "123456789012", "services": { "iam": { "credential_reports": { "358c37567b1197f146844b0d0a5a901977391659": { "access_key_1_active": "true", "access_key_1_last_rotated": "2018-09-18T14:58:26+00:00", "access_key_1_last_used_date": "2018-10-15T07:33:00+00:00", "access_key_1_last_used_region": "us-west-2", "access_key_1_last_used_service": "s3", "access_key_2_active": "false", "access_key_2_last_rotated": "N/A", "access_key_2_last_used_date": null, "access_key_2_last_used_region": "N/A", "access_key_2_last_used_service": "N/A", "arn": "arn:aws:iam::517757661801:user/api3", "cert_1_active": "false", "cert_1_last_rotated": "N/A", "cert_2_active": "false", "cert_2_last_rotated": "N/A", "id": "api3", "last_used": "2018-10-15T07:33:00+00:00", "mfa_active": "false", "name": "api3", "password_enabled": "false", "password_last_changed": "N/A", "password_last_used": null, "password_next_rotation": "N/A", "user": "api3", "user_creation_time": "2018-09-18T14:58:26+00:00" }, "68dcc047c3da5bbbc3f3e9d54000b7357f0e507e": { "access_key_1_active": "false", "access_key_1_last_rotated": "N/A", "access_key_1_last_used_date": null, "access_key_1_last_used_region": "N/A", "access_key_1_last_used_service": "N/A", "access_key_2_active": "false", "access_key_2_last_rotated": "N/A", "access_key_2_last_used_date": null, "access_key_2_last_used_region": "N/A", "access_key_2_last_used_service": "N/A", 
"arn": "arn:aws:iam::517757661801:root", "cert_1_active": "false", "cert_1_last_rotated": "N/A", "cert_2_active": "false", "cert_2_last_rotated": "N/A", "id": "", "last_used": "2019-11-26T01:13:39+00:00", "mfa_active": "false", "name": "", "password_enabled": "not_supported", "password_last_changed": "not_supported", "password_last_used": "2019-11-26T01:13:39+00:00", "password_next_rotation": "not_supported", "user": "", "user_creation_time": "2018-04-03T21:50:27+00:00" } } } } } ================================================ FILE: tests/data/rule-results/ec2-default-security-group-in-use.json ================================================ [ "ec2.regions.ap-south-1.vpcs.vpc-ap222222.security_groups.sg-ap222222.default_in_use" ] ================================================ FILE: tests/data/rule-results/ec2-default-security-group-with-rules.json ================================================ [ "ec2.regions.ap-northeast-2.vpcs.vpc-ap111111.security_groups.sg-ap111111.rules.ingress.default_with_rules" ] ================================================ FILE: tests/data/rule-results/ec2-ebs-default-encryption-disabled.json ================================================ [ "ec2.regions.ap-northeast-2.regional_settings.0.NoDefaultEBSEncryption", "ec2.regions.ap-south-1.regional_settings.0.NoDefaultEBSEncryption", "ec2.regions.eu-central-1.regional_settings.0.NoDefaultEBSEncryption" ] ================================================ FILE: tests/data/rule-results/ec2-security-group-opens-all-ports-to-all.json ================================================ [ "ec2.regions.sa-east-1.vpcs.vpc-sa111111.security_groups.sg-sa33333333.rules.ingress.protocols.ALL.ports.N/A.cidrs.0.CIDR" ] ================================================ FILE: tests/data/rule-results/ec2-security-group-opens-all-ports-to-self.json ================================================ [ 
"ec2.regions.ap-northeast-2.vpcs.vpc-ap111111.security_groups.sg-ap111111.rules.ingress.protocols.ALL.ports.N/A.security_groups.0" ] ================================================ FILE: tests/data/rule-results/ec2-security-group-opens-all-ports.json ================================================ [ "ec2.regions.ap-northeast-2.vpcs.vpc-ap111111.security_groups.sg-ap111111.rules.ingress.protocols.ALL.ports.N/A", "ec2.regions.sa-east-1.vpcs.vpc-sa111111.security_groups.sg-sa222222.rules.ingress.protocols.ALL.ports.N/A", "ec2.regions.sa-east-1.vpcs.vpc-sa111111.security_groups.sg-sa33333333.rules.ingress.protocols.ALL.ports.N/A" ] ================================================ FILE: tests/data/rule-results/ec2-security-group-opens-known-port-to-all.json ================================================ [ "ec2.regions.sa-east-1.vpcs.vpc-sa111111.security_groups.sg-sa33333333.rules.ingress.protocols.TCP.ports.3306.cidrs.0.CIDR" ] ================================================ FILE: tests/data/rule-results/ec2-security-group-opens-port-range.json ================================================ [ "ec2.regions.eu-west-1.vpcs.vpc-eu222222.security_groups.sg-eu222222.rules.ingress.protocols.TCP.ports.10-30" ] ================================================ FILE: tests/data/rule-results/ec2-security-group-opens-port-to-all.json ================================================ [ "ec2.regions.sa-east-1.vpcs.vpc-sa111111.security_groups.sg-sa33333333.rules.ingress.protocols.TCP.ports.42.cidrs.0.CIDR" ] ================================================ FILE: tests/data/rule-results/ec2-security-group-whitelists-aws-ip-from-banned-region.json ================================================ [ "ec2.regions.eu-west-1.vpcs.vpc-eu222222.security_groups.sg-eu222222.rules.ingress.protocols.TCP.ports.43.cidrs.0.CIDR" ] ================================================ FILE: tests/data/rule-results/ec2-security-group-whitelists-aws.json 
================================================ [ "ec2.regions.eu-west-1.vpcs.vpc-eu222222.security_groups.sg-eu222222.rules.ingress.protocols.TCP.ports.42.cidrs.0.CIDR", "ec2.regions.eu-west-1.vpcs.vpc-eu222222.security_groups.sg-eu222222.rules.ingress.protocols.TCP.ports.43.cidrs.0.CIDR" ] ================================================ FILE: tests/data/rule-results/iam-password-policy-expiration-threshold.json ================================================ [ "iam.password_policy.MaxPasswordAge" ] ================================================ FILE: tests/data/rule-results/iam-password-policy-lowercase-required.json ================================================ [ "iam.password_policy.RequireLowercaseCharacters" ] ================================================ FILE: tests/data/rule-results/iam-password-policy-minimum-length.json ================================================ [ "iam.password_policy.MinimumPasswordLength" ] ================================================ FILE: tests/data/rule-results/iam-password-policy-no-expiration.json ================================================ [ "iam.password_policy.ExpirePasswords" ] ================================================ FILE: tests/data/rule-results/iam-password-policy-no-lowercase-required.json ================================================ [ "iam.password_policy.RequireLowercaseCharacters" ] ================================================ FILE: tests/data/rule-results/iam-password-policy-no-number-required.json ================================================ [ "iam.password_policy.RequireNumbers" ] ================================================ FILE: tests/data/rule-results/iam-password-policy-no-symbol-required.json ================================================ [ "iam.password_policy.RequireSymbols" ] ================================================ FILE: tests/data/rule-results/iam-password-policy-no-uppercase-required.json ================================================ [ 
"iam.password_policy.RequireUppercaseCharacters" ] ================================================ FILE: tests/data/rule-results/iam-password-policy-reuse-enabled.json ================================================ [ "iam.password_policy.PasswordReusePrevention" ] ================================================ FILE: tests/data/ruleset-test.json ================================================ { "rules": { "iam-password-policy-reuse-enabled.json": [ { "enabled": true, "level": "danger" } ] }, "about": "regression test" } ================================================ FILE: tests/data/statement1.json ================================================ { "Action": [ "cloudwatch:Describe*", "iam:GetUser", "iam:List*", "s3:GetBucket*", "s3:GetObjectAcl", "s3:ListAllMyBuckets", "sqs:ListQueues" ], "Effect": "Allow", "Resource": [ "*" ] } ================================================ FILE: tests/data/test-ruleset.json ================================================ { "rules": { "iam-password-policy-no-expiration.json": [ { "enabled": true, "level": "danger" } ] }, "about": "regression test" } ================================================ FILE: tests/results/read_ip_ranges/ip-ranges-1a.json ================================================ [{"ip_prefix": "1.2.3.4", "field_b": "b1", "field_a": "a1"}, {"ip_prefix": "5.6.7.8", "field_b": "b2", "field_a": "a2"}] ================================================ FILE: tests/results/read_ip_ranges/ip-ranges-1b.json ================================================ ["1.2.3.4", "5.6.7.8"] ================================================ FILE: tests/results/read_ip_ranges/ip-ranges-1c.json ================================================ ["1.2.3.4"] ================================================ FILE: tests/results/read_ip_ranges/ip-ranges-3.json ================================================ ["52.92.252.0/22", "52.92.48.0/22", "13.56.0.0/16", "13.57.0.0/16", "13.58.0.0/15"] 
================================================
FILE: tests/results/read_ip_ranges/ip-ranges-a.json
================================================
[{"region": "us-east-1", "ip_prefix": "23.20.0.0/14", "service": "AMAZON"}, {"region": "us-east-1", "ip_prefix": "23.20.0.0/14", "service": "EC2"}]

================================================
FILE: tests/test_aws_provider.py
================================================
import unittest
from unittest import mock

import pytest

from ScoutSuite.providers import get_provider
from ScoutSuite.providers.aws.authentication_strategy import AWSCredentials
from ScoutSuite.providers.base.authentication_strategy import AuthenticationException
from ScoutSuite.providers.base.authentication_strategy_factory import get_authentication_strategy
from ScoutSuite.providers.aws.resources.ec2.instances import EC2Instances


class Object(object):
    """Bare attribute holder; used below as a stand-in for a boto3 session."""
    pass


# Test methods for AWS Provider
class TestAWSProviderClass(unittest.TestCase):
    @mock.patch("ScoutSuite.providers.aws.authentication_strategy.boto3")
    @mock.patch("ScoutSuite.providers.aws.authentication_strategy.get_caller_identity")
    def test_authenticate(self, mock_get_caller_identity, mock_boto3):
        """Check which keyword arguments authenticate() passes to boto3.Session.

        Each case lists the inputs and the exact kwargs expected in the
        Session call: inputs that are None must not be forwarded. A failure
        while creating the session must surface as AuthenticationException.
        boto3 and get_caller_identity are mocked, so no AWS call is made and
        the key values are placeholders.
        """
        aws_authentication_strategy = get_authentication_strategy("aws")

        boto3_session = Object()
        boto3_session._session = Object()
        mock_boto3.Session.return_value = boto3_session

        test_cases = [
            # no params
            {
                "profile": None,
                "aws_access_key_id": None,
                "aws_secret_access_key": None,
                "aws_session_token": None,
                "call_dict": {},
            },
            # profile
            {
                "profile": "123",
                "aws_access_key_id": None,
                "aws_secret_access_key": None,
                "aws_session_token": None,
                "call_dict": {"profile_name": "123"},
            },
            # access and secret key
            {
                "profile": None,
                "aws_access_key_id": "456",
                "aws_secret_access_key": "789",
                "aws_session_token": None,
                "call_dict": {
                    "aws_access_key_id": "456",
                    "aws_secret_access_key": "789",
                },
            },
            # access, secret key and token
            {
                "profile": None,
                "aws_access_key_id": "456",
                "aws_secret_access_key": "789",
                "aws_session_token": "101112",
                "call_dict": {
                    "aws_access_key_id": "456",
                    "aws_secret_access_key": "789",
                    "aws_session_token": "101112",
                },
            },
        ]

        for test_case in test_cases:
            result = aws_authentication_strategy.authenticate(
                test_case["profile"],
                test_case["aws_access_key_id"],
                test_case["aws_secret_access_key"],
                test_case["aws_session_token"],
            )

            mock_boto3.Session.assert_called_with(**test_case["call_dict"])
            mock_get_caller_identity.assert_called_with(boto3_session)

            assert isinstance(result, AWSCredentials)
            assert result.session == boto3_session

        # exception test
        mock_boto3.Session.side_effect = Exception("an exception")
        with pytest.raises(AuthenticationException):
            result = aws_authentication_strategy.authenticate(None, None, None, None)

    # mock two separate places from which get_aws_account_id is called
    # NOTE(review): mock.patch decorators are applied bottom-up, so the third
    # parameter receives the facade get_partition_name mock and the fourth the
    # facade get_aws_account_id mock; their names are swapped. Neither is used
    # in the body, so the test result is unaffected.
    @mock.patch("ScoutSuite.providers.aws.facade.base.get_aws_account_id")
    @mock.patch("ScoutSuite.providers.aws.facade.base.get_partition_name")
    @mock.patch("ScoutSuite.providers.aws.provider.get_aws_account_id")
    @mock.patch("ScoutSuite.providers.aws.provider.get_partition_name")
    def test_get_report_name(
        self,
        mock_get_partiton_name,
        mock_get_aws_account_id,
        mock_facade_aws_account_id,
        mock_facade_aws_partition_name,
    ):
        """Report name is "aws", "aws-<profile>" or "aws-<account id>".

        The profile wins over the account id when both are available.
        """
        # no account_id, no profile
        mock_get_aws_account_id.return_value = None
        mock_get_partiton_name.return_value = None
        aws_provider = get_provider(
            provider="aws",
            credentials=mock.MagicMock(session="123"),
        )
        assert aws_provider.get_report_name() == "aws"

        # profile and account_id
        mock_get_aws_account_id.return_value = "12345"
        aws_provider = get_provider(
            provider="aws",
            profile="9999",
            credentials=mock.MagicMock(session="123"),
        )
        assert aws_provider.get_report_name() == "aws-9999"

        # account_id
        aws_provider = get_provider(
            provider="aws",
            credentials=mock.MagicMock(session="123"),
        )
        assert aws_provider.get_report_name() == "aws-12345"

    # NOTE(review): this test is skipped, so the detection of AWS keys in EC2
    # user data has no automated regression coverage in this file.
    @pytest.mark.skip(reason="pytest does not reproduce actual behavior")
    def test_identify_user_data_secrets(self):
        """Expect only well-formed key-shaped strings to be reported.

        The sample mixes values that are too short, too long, wrongly
        prefixed or using invalid characters with values of the right shape
        at the start, middle and end of a line. All values are synthetic
        test strings, not real credentials.
        """
        SAMPLE_USER_DATA = """
        # Various AWS Access Key exercisers
        AKIASHORT # too short
        AKIA0123456789ABCDEF # just right
        AKIA0123456789ABCDEF0 # too long
        AKIA0123456789abcdef # invalid characters
        FAKIA0123456789ABCDE # wrong prefix
        in middle AKIAFEDCBA9876543210 of line
        line ends with AKIAFFFFFFFFFFFFFFFF
        # Various AWS Secret Access Key exercisers
        ThisIsTooShort
        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
        ThisOneIsJustALittleBitLongerThanItShouldBe
        middle="0000000000/1111111111/2222222222/3333333" + "of line"
        hats off to TRON: HereIsSomethingThatAppearsAtEndOfLineMCP
        """

        # The bare string below is the original author's note explaining why
        # the test is skipped; it is an expression statement with no effect.
        """
        As I write this test, the assertions below fail; somehow, the "too long"
        sequences return their initial substrings, which should not even be possible.
        This behavior appears with pytest, but not when repeated interactively.
        This behavior also does not appear with the actual scanner:
        The following is excerpted from actual (pretty-printed) output:
        [...]
        "user_data": "#!/bin/bash\ncat << \"EOF\" > /root/rsb\n# Various AWS Access Key exercisers\nAKIASHORT # too short\nAKIA0123456789ABCDEF # just right\nAKIA0123456789ABCDEF0 # too long\nAKIA0123456789abcdef # invalid characters\nFAKIA0123456789ABCDE # wrong prefix\nin middle AKIAFEDCBA9876543210 of line\nline ends with AKIAFFFFFFFFFFFFFFFF\n\n# Various AWS Secret Access Key exercisers\nThisIsTooShort\n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\nThisOneIsJustALittleBitLongerThanItShouldBe\nmiddle=\"0000000000/1111111111/2222222222/3333333\" + \"of line\"\nhats off to TRON: HereIsSomethingThatAppearsAtEndOfLineMCP\nEOF",
        "user_data_secrets": {
            "AWS Access Key IDs": [
                "AKIA0123456789ABCDEF",
                "AKIAFEDCBA9876543210",
                "AKIAFFFFFFFFFFFFFFFF"
            ],
            "AWS Secret Access Keys": [
                "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",
                "0000000000/1111111111/2222222222/3333333",
                "HereIsSomethingThatAppearsAtEndOfLineMCP"
            ]
        }
        [...]
        """

        results = EC2Instances._identify_user_data_secrets(SAMPLE_USER_DATA)
        assert results["AWS Access Key IDs"] == [
            "AKIA0123456789ABCDEF",
            "AKIAFEDCBA9876543210",
            "AKIAFFFFFFFFFFFFFFFF"
        ]
        assert results["AWS Secret Access Keys"] == [
            "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",
            "0000000000/1111111111/2222222222/3333333",
            "HereIsSomethingThatAppearsAtEndOfLineMCP"
        ]

================================================
FILE: tests/test_azure_provider.py
================================================
import unittest
from unittest import mock

import pytest

from ScoutSuite.providers.azure.authentication_strategy import AzureCredentials
from ScoutSuite.providers.base.authentication_strategy import AuthenticationException
from ScoutSuite.providers.base.authentication_strategy_factory import get_authentication_strategy


# Test methods for Azure Provider
class TestAzureProviderClass(unittest.TestCase):

    @mock.patch("ScoutSuite.providers.azure.authentication_strategy.UsernamePasswordCredential")
    def test_authenticate(self, mock_UsernamePasswordCredential):
        """User-account flow must build a UsernamePasswordCredential.

        The credential class is mocked, so nothing is sent to the authority
        URL; username, password and tenant id are placeholders.
        """
        azure_authentication_strategy = get_authentication_strategy("azure")

        # NOTE(review): this client_id appears to be the well-known public
        # application ID of the Azure CLI, not a secret - confirm.
        result = azure_authentication_strategy.authenticate(
            user_account=True,
            client_id='04b07795-8ddb-461a-bbee-02f9e1bf7b46',
            tenant_id='some-tenant-id',
            username='some-username',
            password='some-password',
            authority='https://login.microsoftonline.com/'
        )

        mock_UsernamePasswordCredential.assert_called_with(
            '04b07795-8ddb-461a-bbee-02f9e1bf7b46',
            'some-username',
            'some-password',
            authority='https://login.microsoftonline.com/',
            tenant_id='some-tenant-id')
        assert isinstance(result, AzureCredentials)

        # exception test
        with pytest.raises(AuthenticationException):
            result = azure_authentication_strategy.authenticate(None, None, None, None)

    @mock.patch("ScoutSuite.providers.azure.authentication_strategy.AzureCliCredential")
    def test_authenticate_CLI(self, mock_AzureCliCredential):
        """CLI flow must build an AzureCliCredential with no arguments."""
        azure_authentication_strategy = get_authentication_strategy("azure")

        result = azure_authentication_strategy.authenticate(
            cli=True,
            client_id='04b07795-8ddb-461a-bbee-02f9e1bf7b46',
            authority='https://login.microsoftonline.com/'
        )

        mock_AzureCliCredential.assert_called_with()
        assert isinstance(result, AzureCredentials)

        # exception test
        with pytest.raises(AuthenticationException):
            result = azure_authentication_strategy.authenticate(None, None, None, None)

================================================
FILE: tests/test_core.py
================================================
import unittest

from ScoutSuite.core.conditions import pass_condition
from ScoutSuite.core.cli_parser import *
from ScoutSuite.core.console import prompt, prompt_overwrite, prompt_value


#
# Test methods for ScoutSuite/core
#
class TestScoutCore(unittest.TestCase):

    ########################################
    # cli_parser.py
    ########################################

    def test_argument_parser(self):
        """Check the sub-command title and the help text of the first five providers.

        NOTE(review): the assertions read private argparse attributes
        (_subparsers, _choices_actions) and depend on registration order.
        """
        test_arguments = ScoutSuiteArgumentParser()
        assert (test_arguments.parser._subparsers.title == 'The provider you want to run scout against')
        assert (test_arguments.subparsers._choices_actions[0].help == 'Run Scout against an Amazon Web Services account')
        assert (test_arguments.subparsers._choices_actions[1].help == 'Run Scout against a Google Cloud Platform account')
        assert (test_arguments.subparsers._choices_actions[2].help == 'Run Scout against a Microsoft Azure account')
        assert (test_arguments.subparsers._choices_actions[3].help == 'Run Scout against an Alibaba Cloud account')
        assert (test_arguments.subparsers._choices_actions[4].help == 'Run Scout against an Oracle Cloud Infrastructure account')

    ########################################
    # console.py
    ########################################

    def test_prompt(self):
        """prompt() returns the supplied test input, given as a string or a one-item list."""
        assert (prompt('test') == 'test')
        assert (prompt(['test']) == 'test')

    def test_prompt_overwrite(self):
        """prompt_overwrite('', True, None) must return a truthy value."""
        assert (prompt_overwrite('', True, None))

    def test_prompt_value(self):
        """With one lap, prompt_value returns the choice only when no_confirm=True."""
        assert (prompt_value(question='', max_laps=1, test_input='test', is_question=True, choices=['test']) is None)
        assert (prompt_value(question='', max_laps=1, test_input='test', is_question=True, choices=['test'],
                             no_confirm=True) == 'test')

================================================
FILE: tests/test_main.py
================================================
import unittest
from unittest.mock import MagicMock, patch

from ScoutSuite.__main__ import run_from_cli
from ScoutSuite.core.cli_parser import ScoutSuiteArgumentParser


# NOTE(review): every test below is an `async def` on a plain
# unittest.TestCase. Calling such a method only creates a coroutine that is
# never awaited, so none of the assertions run and the tests cannot fail.
# unittest.IsolatedAsyncioTestCase is the standard-library base class that
# awaits them. Enabling them will also require checking the calls against the
# current run_from_cli signature (scout.py calls it without arguments and
# passes its result to sys.exit, i.e. as a synchronous call).
class TestMainClass(unittest.TestCase):

    def setUp(self):
        """Patch the collaborators imported by ScoutSuite.__main__ with MagicMocks.

        self.constructor maps each mock to the patched constructor object so
        that tests can inspect how it was called.
        """
        self.constructor = {}
        self.mocked_provider = MagicMock()
        self.mocked_engine = MagicMock()
        self.mocked_report = MagicMock()
        self.mocked_browser = MagicMock()
        self.mocked_ruleset = MagicMock()
        self.mocked_printInfo = MagicMock()

        for import_name, mocked_object in [("print_info", self.mocked_printInfo),
                                           ("get_provider", self.mocked_provider),
                                           ("Ruleset", self.mocked_ruleset),
                                           ("ProcessingEngine", self.mocked_engine),
                                           ("ScoutReport", self.mocked_report),
                                           ("webbrowser", self.mocked_browser)]:
            constructor_obj = patch("ScoutSuite.__main__.%s" % import_name, return_value=mocked_object).start()
            self.constructor[mocked_object] = constructor_obj

        self.mocked_report.save = MagicMock(return_value="dummyfile")

    def tearDown(self):
        """Undo every patch started in setUp."""
        patch.stopall()

    async def test_empty(self):
        """No provider argument: argument parsing is expected to raise SystemExit."""
        args = None
        code = None

        with patch("sys.stderr", return_value=MagicMock()):
            with self.assertRaises(SystemExit):
                args = ScoutSuiteArgumentParser().parse_args(args)
                code = await run_from_cli(args)

        assert (code is None)

    async def test_aws_provider(self):
        """AWS run: exit code 0 and the report built for "aws" in "scoutsuite-report"."""
        args = ['aws']
        self.mocked_provider.provider_code = "aws"

        args = ScoutSuiteArgumentParser().parse_args(args)
        code = await run_from_cli(args)

        success_code = 0
        assert (code == success_code)

        report_init_args = self.constructor[self.mocked_report].call_args_list[0][0]
        assert (report_init_args[0] == "aws")  # provider
        assert (report_init_args[1] == "aws")  # report_file_name
        assert (report_init_args[2] == "scoutsuite-report")  # report_dir

    async def test_gcp_provider(self):
        """GCP run with a placeholder service-account path: same checks as for AWS."""
        args = ["gcp", "--service-account", "fakecredentials"]
        self.mocked_provider.provider_code = "gcp"

        args = ScoutSuiteArgumentParser().parse_args(args)
        code = await run_from_cli(args)

        success_code = 0
        assert (code == success_code)

        report_init_args = self.constructor[self.mocked_report].call_args_list[0][0]
        assert (report_init_args[0] == "gcp")  # provider
        assert (report_init_args[1] == "gcp")  # report_file_name
        assert (report_init_args[2] == "scoutsuite-report")  # report_dir

    async def test_azure_provider(self):
        """Azure run with --cli: same checks as for AWS."""
        args = ["azure", "--cli"]
        self.mocked_provider.provider_code = "azure"

        args = ScoutSuiteArgumentParser().parse_args(args)
        code = await run_from_cli(args)

        success_code = 0
        assert (code == success_code)

        report_init_args = self.constructor[self.mocked_report].call_args_list[0][0]
        assert (report_init_args[0] == "azure")  # provider
        assert (report_init_args[1] == "azure")  # report_file_name
        assert (report_init_args[2] == "scoutsuite-report")  # report_dir

    async def test_unauthenticated(self):
        """A provider whose authenticate() returns False is expected to give exit code 42."""
        args = ["aws"]
        self.mocked_provider.provider_code = "aws"
        self.mocked_provider.authenticate = MagicMock(return_value=False)

        args = ScoutSuiteArgumentParser().parse_args(args)
        code = await run_from_cli(args)

        unauthenticated_code = 42
        assert (code == unauthenticated_code)

    async def test_keyboardinterrupted(self):
        """A KeyboardInterrupt during fetch is expected to give exit code 130."""
        args = ["aws"]
        self.mocked_provider.provider_code = "aws"

        def _raise(e):
            raise e

        # NOTE(review): _raise(KeyboardInterrupt) is called right here, while
        # the MagicMock is being built, so it raises immediately instead of
        # being installed as the side effect. Passing the exception class
        # itself (side_effect=KeyboardInterrupt) would defer it to the call.
        self.mocked_provider.fetch = MagicMock(side_effect=_raise(KeyboardInterrupt))

        args = ScoutSuiteArgumentParser().parse_args(args)
        code = await run_from_cli(args)

        keyboardinterrupted_code = 130
        assert (code == keyboardinterrupted_code)

================================================
FILE: tests/test_output.py
================================================
import unittest

from ScoutSuite.output.html import *
from ScoutSuite.output.utils import *


#
# Test methods for ScoutSuite/output
#
class TestScoutOutput(unittest.TestCase):

    ########################################
    # html.py
######################################## def test_html_report(self): test_html = HTMLReport(report_name='test') assert (test_html.report_name == 'test') assert ('json' in test_html.get_content_from_folder(templates_type='conditionals')) assert ('json' in test_html.get_content_from_file(filename='/json_format.html')) def test_get_filename(self): assert ('scoutsuite-report/report.html' in get_filename("REPORT")) assert ('scoutsuite-report/scoutsuite-results/scoutsuite_results.js' in get_filename("RESULTS")) assert ('scoutsuite-results/scoutsuite_results.js' in get_filename("RESULTS", relative_path=True)) assert ('scoutsuite-report/scoutsuite-results/scoutsuite_exceptions.js' in get_filename("EXCEPTIONS")) assert ('scoutsuite-results/scoutsuite_exceptions.js' in get_filename("EXCEPTIONS", relative_path=True)) assert ('scoutsuite-report/scoutsuite-results/scoutsuite_errors.json' in get_filename("ERRORS")) assert ('scoutsuite-results/scoutsuite_errors.json' in get_filename("ERRORS", relative_path=True)) ================================================ FILE: tests/test_resources.py ================================================ import unittest from ScoutSuite.providers.base.resources.base import ( Resources, CompositeResources) import asyncio import json import os class DummyResources(Resources): def __init__(self, facade, region: str, some_other_scope: str, **kwargs): self.region = region self.some_other_scope = some_other_scope async def fetch_all(self): self['resource_a'] = { 'some_id': 1, 'region': self.region, 'some_other_scope': self.some_other_scope} self['resource_b'] = { 'some_id': 2, 'region': self.region, 'some_other_scope': self.some_other_scope} class DummyComposite(CompositeResources): _children = [ (DummyResources, 'some_dummy_resources'), (DummyResources, 'other_dummy_resources') ] def __init__(self): self.facade = None async def fetch_all(self): for key in range(2): self[str(key)] = {} for key in self: await self._fetch_children(self[key], { 'region': 
'some_region', 'some_other_scope': key }) class TestResources(unittest.TestCase): test_dir = os.path.dirname(os.path.realpath(__file__)) def test_composite_resource(self): loop = asyncio.new_event_loop() composite = DummyComposite() loop.run_until_complete(composite.fetch_all()) with open(os.path.join(self.test_dir, 'data/resources/dummy_resources.json')) as f: expected_object = json.load(f) expected_json = json.dumps(expected_object) actual_json = json.dumps(composite) print(actual_json) assert (expected_json == actual_json) ================================================ FILE: tests/test_rules_processingengine.py ================================================ import json import os import tempfile import unittest from ScoutSuite.core.console import set_logger_configuration, print_error from ScoutSuite.core.processingengine import ProcessingEngine from ScoutSuite.core.ruleset import Ruleset class DummyObject(object): pass class TestScoutRulesProcessingEngine(unittest.TestCase): def setUp(self): set_logger_configuration(is_debug=True) self.rule_counters = {'found': 0, 'tested': 0, 'verified': 0} self.test_dir = os.path.dirname(os.path.realpath(__file__)) # TODO # Check that one testcase per finding rule exists (should be within default ruleset) def test_all_finding_rules(self): ruleset_file_name = os.path.join(self.test_dir, 'data/ruleset-test.json') # FIXME this is only for AWS with open(os.path.join(self.test_dir, '../ScoutSuite/providers/aws/rules/rulesets/default.json'), 'rt') as f: ruleset = json.load(f) for rule_file_name in ruleset['rules']: self.rule_counters['found'] += 1 rule = ruleset['rules'][rule_file_name][0] rule['enabled'] = True print(rule_file_name) self._test_rule(ruleset_file_name, rule_file_name, rule) print('Existing rules: %d' % self.rule_counters['found']) print('Processed rules: %d' % self.rule_counters['tested']) print('Verified rules: %d' % self.rule_counters['verified']) def _test_rule(self, ruleset_file_name, rule_file_name, rule): 
test_config_file_name = os.path.join(self.test_dir, 'data/rule-configs/%s' % rule_file_name) if not os.path.isfile(test_config_file_name): return self.rule_counters['tested'] += 1 ruleset = self._generate_ruleset(rule_file_name, rule) pe = ProcessingEngine(ruleset) dummy_provider = DummyObject() with open(test_config_file_name, 'rt') as f: test_config_dict = json.load(f) for key in test_config_dict: setattr(dummy_provider, key, test_config_dict[key]) service = rule_file_name.split('-')[0] dummy_provider.service_list = [service] pe.run(dummy_provider) findings = dummy_provider.services[service]['findings'] findings = findings[list(findings.keys())[0]]['items'] test_result_file_name = os.path.join(self.test_dir, 'data/rule-results/%s' % rule_file_name) if not os.path.isfile(test_result_file_name): print_error('Expected findings:: ') print_error(json.dumps(findings, indent=4)) return self.rule_counters['verified'] += 1 with open(test_result_file_name, 'rt') as f: items = json.load(f) try: assert (set(sorted(findings)) == set(sorted(items))) except Exception: print_error('Expected items:\n %s' % json.dumps(sorted(items))) print_error('Reported items:\n %s' % json.dumps(sorted(findings))) assert (False) def _generate_ruleset(self, rule_file_name, rule): test_ruleset = {'rules': {}, 'about': 'regression test'} test_ruleset['rules'][rule_file_name] = [rule] with tempfile.NamedTemporaryFile('wt', delete=False) as f: f.write(json.dumps(test_ruleset, indent=4)) return Ruleset(cloud_provider='aws', filename=f.name) ================================================ FILE: tests/test_rules_ruleset.py ================================================ import os from unittest import mock import unittest from ScoutSuite.core.console import set_logger_configuration, print_debug from ScoutSuite.core.rule import Rule from ScoutSuite.core.ruleset import Ruleset class TestScoutRulesRuleset(unittest.TestCase): def setUp(self): set_logger_configuration(is_debug=True) self.test_dir = 
os.path.dirname(os.path.realpath(__file__)) self.test_ruleset_001 = os.path.join(self.test_dir, 'data/test-ruleset.json') self.test_ruleset_002 = os.path.join(self.test_dir, 'data/test-ruleset-absolute-path.json') @mock.patch("ScoutSuite.core.ruleset.print_error") def test_ruleset_class(self, printError): test001 = Ruleset(cloud_provider='aws', filename=self.test_ruleset_001) assert (os.path.isdir(test001.rules_data_path)) assert (os.path.isfile(test001.filename)) assert (test001.name == "test-ruleset") assert (test001.about == "regression test") test_file_key = 'iam-password-policy-no-expiration.json' assert (test_file_key in test001.rules) assert (type(test001.rules[test_file_key]) == list) assert (type(test001.rules[test_file_key][0] == Rule)) assert (hasattr(test001.rules[test_file_key][0], 'path')) for rule in test001.rules: print_debug(test001.rules[rule][0].to_string()) assert (test_file_key in test001.rule_definitions) assert (test001.rule_definitions[test_file_key].description == "Password Expiration Disabled") for rule_def in test001.rule_definitions: print_debug(str(test001.rule_definitions[rule_def])) assert (printError.call_count == 0) test002 = Ruleset(cloud_provider='aws', filename=self.test_ruleset_002) for rule in test002.rules: print_debug(test002.rules[rule][0].to_string()) assert (printError.call_count == 1) # is this expected ?? assert ("test-ruleset-absolute-path.json does not exist." 
in printError.call_args_list[0][0][0]) test005 = Ruleset(cloud_provider='aws', filename=self.test_ruleset_001, ruleset_generator=True) @mock.patch("ScoutSuite.core.ruleset.print_error") def test_ruleset_file_not_exist(self, printError): test003 = Ruleset(cloud_provider='aws', filename='tests/data/no-such-file.json') assert (test003.rules == []) assert (printError.call_count == 1) assert ("no-such-file.json does not exist" in printError.call_args_list[0][0][0]) @mock.patch("ScoutSuite.core.ruleset.print_exception") def test_ruleset_invalid(self, printException): test004 = Ruleset(cloud_provider='aws', filename='tests/data/invalid-file.json') assert (test004.rules == []) assert (printException.call_count == 1) assert ("invalid-file.json contains malformed JSON" in printException.call_args_list[0][0][0]) def test_path_for_cloud_providers(self): target = Ruleset(cloud_provider='aws', filename=self.test_ruleset_001) assert (os.path.samefile(target.rules_data_path, './ScoutSuite/providers/aws/rules')) target = Ruleset(cloud_provider='azure', filename=self.test_ruleset_001) assert (os.path.samefile(target.rules_data_path, './ScoutSuite/providers/azure/rules')) target = Ruleset(cloud_provider='gcp', filename=self.test_ruleset_001) assert (os.path.samefile(target.rules_data_path, './ScoutSuite/providers/gcp/rules')) def test_path_for_ruletypes(self): rpath = "./ScoutSuite/providers/aws/rules/" target = Ruleset(cloud_provider='aws', filename='default.json') assert (os.path.samefile(target.filename, rpath + 'rulesets/default.json')) target = Ruleset(cloud_provider='aws', filename='default') assert (os.path.samefile(target.filename, rpath + 'rulesets/default.json')) target = Ruleset(cloud_provider='aws', filename='filters.json') assert (os.path.samefile(target.filename, rpath + 'rulesets/filters.json')) target = Ruleset(cloud_provider='aws', filename='filters') assert (os.path.samefile(target.filename, rpath + 'rulesets/filters.json')) 
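# The three methods below take `self` and continue the ruleset test class whose header is above this excerpt.
    @mock.patch("ScoutSuite.core.ruleset.prompt_yes_no")
    def test_file_search(self, prompt_yes_no):
        """A Ruleset built without a filename falls back to the default ruleset.

        prompt_yes_no is mocked so the test can assert that no interactive
        prompt is raised, with and without an unknown environment name.
        """
        prompt_yes_no.return_value = False

        target = Ruleset(cloud_provider='aws', filename=None)
        assert (prompt_yes_no.call_count == 0)
        assert (os.path.samefile(target.filename, os.path.join(target.rules_data_path, './rulesets/default.json')))

        target = Ruleset(cloud_provider='aws', environment_name="notexist", filename=None)
        assert (prompt_yes_no.call_count == 0)
        assert (os.path.samefile(target.filename, os.path.join(target.rules_data_path, './rulesets/default.json')))

        # NOTE(review): the mock is re-armed to answer True, but nothing after
        # this point exercises it.
        prompt_yes_no.reset_mock()
        prompt_yes_no.return_value = True

    def test_find_file(self):
        """Smoke test: find_file() must not raise for a file path or a bare ruleset name."""
        test101 = Ruleset(cloud_provider='aws').find_file(self.test_ruleset_001)
        test102 = Ruleset(cloud_provider='aws').find_file('default')

    def test_search_ruleset(self):
        """Smoke test: search_ruleset() must not raise when prompting is disabled."""
        test201 = Ruleset(cloud_provider='aws').search_ruleset('test', no_prompt=True)


================================================
FILE: tests/test_scoutsuite.py
================================================
import subprocess
import unittest
from unittest import mock

import pytest

from ScoutSuite.__main__ import run_from_cli
from ScoutSuite.core.console import set_logger_configuration


class TestScoutSuiteClass(unittest.TestCase):
    """Smoke tests that start Scout Suite through its command-line entry points."""

    @classmethod
    def setUpClass(cls):
        """Enable debug logging and record that no scan has been run yet."""
        set_logger_configuration(is_debug=True)
        cls.has_run_scout_suite = False

    # NOTE(review): this xfail mark decorates a helper, not a test method;
    # confirm it has any effect and whether the string was meant as `reason=`.
    @pytest.mark.xfail("only runs with AWS, cannot be used dynamically")
    @staticmethod
    def call_scout_suite(args):
        """Build an AWS command line from `args` and run Scout Suite in-process.

        Returns whatever run_from_cli() returns. Two things stop this helper
        from getting that far as written:

        * `profile_name` is not assigned anywhere in this class, so the lookup
          below raises AttributeError unless something outside this file sets it;
        * `sys` is bound to None right before `mock.patch.object(sys, ...)`, and
          patching an attribute on None fails.

        Both are left untouched because the only caller is marked xfail, and
        repairing them would make that test start a real scan with whatever AWS
        credentials the environment holds.
        """
        args = ['./scout.py'] + args

        args.append('aws')

        if TestScoutSuiteClass.profile_name:
            args.append('--profile')
            args.append(TestScoutSuiteClass.profile_name)
        # TODO: FIXME this only tests AWS

        args.append('--force')
        args.append('--debug')
        args.append('--no-browser')

        # Every run after the first reuses local results instead of fetching again.
        if TestScoutSuiteClass.has_run_scout_suite:
            args.append('--local')
        TestScoutSuiteClass.has_run_scout_suite = True

        sys = None
        with mock.patch.object(sys, 'argv', args):
            return run_from_cli()

    def test_scout_suite_help(self):
        """Make sure that ScoutSuite does not crash with --help"""
        # A fixed argument list needs no shell, so the script is started
        # directly instead of through shell=True.
        command = ['./scout.py', '--help']
        process = subprocess.Popen(command, stdout=None)
        process.wait()
        assert process.returncode == 0

    @pytest.mark.xfail
    def test_scout_suite_default_run(self):
        """Make sure that ScoutSuite's default run does not crash"""
        rc = self.call_scout_suite([])
        assert (rc == 0)


================================================
FILE: tests/test_utils.py
================================================
# Import AWS utils
from ScoutSuite.providers.aws.utils import (
    get_keys,
    no_camel,
    get_name,
    is_throttled,
    get_aws_account_id,
    get_partition_name,
    snake_keys,
)
from ScoutSuite.utils import *
import collections
import unittest
from unittest import mock
import datetime


#
# Test methods for ScoutSuite/utils.py
#
class TestScoutUtilsClass(unittest.TestCase):
    """Unit tests for the generic and AWS-specific utility helpers imported above."""

    def test_format_service_name(self):
        """Service names are mapped to their display form regardless of input case."""
        assert format_service_name("iAm") == "IAM"
        assert format_service_name("cloudformation") == "CloudFormation"

    def test_get_keys(self):
        """get_keys() copies only the requested key from the source dict to the target."""
        test1 = {"a": "b", "c": "d"}
        test2 = {"a": "", "e": "f"}
        get_keys(test1, test2, "a")
        assert test2["a"] == "b"
        assert "c" not in test2
        get_keys(test1, test2, "c")
        assert test2["c"] == "d"

    def test_no_camel(self):
        """CamelCase is converted to snake_case."""
        assert no_camel("TestTest") == "test_test"

    def test_is_throttled(self):
        """is_throttled() is true only for the known throttling error codes."""
        # Stand-in for an API error: only the `response` attribute is provided.
        CustomException = collections.namedtuple("CustomException", "response")
        # test the throttling cases
        for t in ["Throttling", "RequestLimitExceeded", "ThrottlingException"]:
            e = CustomException(response={"Error": {"Code": t}})
            assert is_throttled(e)
        # test the non-throttling exception
        e = CustomException(response={"Error": {"Code": "Not Thro_ttling"}})
        assert not is_throttled(e)
        # test the except block
        e = CustomException(response={"Error": ""})
        assert not is_throttled(e)

    def test_get_name(self):
        """get_name() prefers the "Name" tag and falls back to the default attribute."""
        src = {
            "Tags": [
                {"Key": "Not Name", "Value": "xyz"},
                {"Key": "Name", "Value": "abc"},
            ],
            "default_attribute": "default_value",
        }
        dst = {}
        default_attribute = "default_attribute"
        assert get_name(src, dst, default_attribute) == "abc"
        assert dst["name"] == "abc"

        # No "Name" tag: the value of the default attribute is used instead.
        src = {
            "Tags": [{"Key": "Not Name", "Value": "xyz"}],
            "default_attribute": "default_value",
        }
        dst = {}
        default_attribute = "default_attribute"
        assert get_name(src, dst, default_attribute) == "default_value"
        assert dst["name"] == "default_value"

    def test_get_identity(self):
        """The account id is the fifth colon-separated field of the caller's ARN."""
        with mock.patch(
            "ScoutSuite.providers.aws.utils.get_caller_identity",
            return_value={"Arn": "a:b:c:d:e:f:"},
        ):
            assert get_aws_account_id("") == "e"

    def test_get_partition_name(self):
        """The partition is the second colon-separated field of the caller's ARN."""
        with mock.patch(
            "ScoutSuite.providers.aws.utils.get_caller_identity",
            return_value={"Arn": "a:b:c:d:e:f:"},
        ):
            assert get_partition_name("") == "b"

    def test_snake_case(self):
        """snake_keys() renames dict keys recursively and leaves values untouched."""
        src = {
            "AttributeDefinitions": [
                {"AttributeName": "string", "AttributeType": "S"},
            ],
            "TableName": "string",
            "KeySchema": [{"AttributeName": "string", "KeyType": "HASH"},],
            "TableStatus": "CREATING",
            "CreationDateTime": datetime.datetime(2015, 1, 1, 1, 1, 1, 1, None),
            "ProvisionedThroughput": {
                "LastIncreaseDateTime": datetime.datetime(2015, 1, 1, 1, 1, 1, 1, None),
                "LastDecreaseDateTime": datetime.datetime(2015, 1, 1, 1, 1, 1, 1, None),
                "NumberOfDecreasesToday": 123,
                "ReadCapacityUnits": 123,
                "WriteCapacityUnits": 123,
            },
            "TableSizeBytes": 123,
            "AnotherArray": [
                "One",
                "Two",
                "AnotherThing",
            ]
        }
        dest = {
            "attribute_definitions": [
                {"attribute_name": "string", "attribute_type": "S"},
            ],
            "table_name": "string",
            "key_schema": [{"attribute_name": "string", "key_type": "HASH"}],
            "table_status": "CREATING",
            "creation_date_time": datetime.datetime(2015, 1, 1, 1, 1, 1, 1, None),
            "provisioned_throughput": {
                "last_increase_date_time": datetime.datetime(
                    2015, 1, 1, 1, 1, 1, 1, None
                ),
                "last_decrease_date_time": datetime.datetime(
                    2015, 1, 1, 1, 1, 1, 1, None
                ),
                "number_of_decreases_today": 123,
                "read_capacity_units": 123,
                "write_capacity_units": 123,
            },
            "table_size_bytes": 123,
            "another_array": ["One", "Two", "AnotherThing"]
        }
        d = snake_keys(src)
        self.maxDiff = None
        # assertEquals is a deprecated alias that Python 3.12 removed.
        self.assertEqual(d, dest)
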
================================================
FILE: tests/test_utils_conditions.py
================================================
# -*- coding: utf-8 -*-

import os
import unittest

# `datetime` and `json` are used below without an import of their own, so they
# have to arrive through this star import.
from ScoutSuite.core.conditions import *


class TestOpinelConditionClass(unittest.TestCase):
    """
    Tests for pass_condition() from ScoutSuite.core.conditions
    """

    def test___prepare_age_test(self):
        """Placeholder with no assertions."""
        pass

    def test_pass_condition(self):
        """Walk through the condition operators with fixed inputs and expected verdicts.

        Each assert calls pass_condition(value, operator, reference).
        """
        # equal / notEqual
        assert pass_condition('a', 'equal', 'a') == True
        assert pass_condition('a', 'equal', 'b') == False
        assert pass_condition(1, 'equal', 1) == True
        assert pass_condition(1, 'equal', 0) == False
        assert pass_condition(('a', 'b'), 'equal', ('a', 'b')) == True
        assert pass_condition(('a', 'b'), 'equal', ('b', 'a')) == False

        assert pass_condition('a', 'notEqual', 'a') == False
        assert pass_condition('a', 'notEqual', 'b') == True
        assert pass_condition(1, 'notEqual', 1) == False
        assert pass_condition(1, 'notEqual', 0) == True
        assert pass_condition(('a', 'b'), 'notEqual', ('a', 'b')) == False
        assert pass_condition(('a', 'b'), 'notEqual', ('b', 'a')) == True

        # numeric ordering
        assert pass_condition(1, 'lessThan', 2) == True
        assert pass_condition(1, 'lessThan', 1) == False
        assert pass_condition(2, 'lessThan', 1) == False

        assert pass_condition(1, 'lessOrEqual', 2) == True
        assert pass_condition(1, 'lessOrEqual', 1) == True
        assert pass_condition(2, 'lessOrEqual', 1) == False

        assert pass_condition(1, 'moreThan', 2) == False
        assert pass_condition(1, 'moreThan', 1) == False
        assert pass_condition(2, 'moreThan', 1) == True

        assert pass_condition(1, 'moreOrEqual', 2) == False
        assert pass_condition(1, 'moreOrEqual', 1) == True
        assert pass_condition(2, 'moreOrEqual', 1) == True

        # empty / notEmpty: a list holding only None is expected to count as empty
        assert pass_condition({}, 'empty', '') == True
        assert pass_condition({'a': 'b'}, 'empty', '') == False
        assert pass_condition([], 'empty', '') == True
        assert pass_condition([None], 'empty', '') == True
        assert pass_condition(['a'], 'empty', '') == False

        assert pass_condition({}, 'notEmpty', '') == False
        assert pass_condition({'a': 'b'}, 'notEmpty', '') == True
        assert pass_condition([], 'notEmpty', '') == False
        assert pass_condition([None], 'notEmpty', '') == False
        assert pass_condition(['a'], 'notEmpty', '') == True

        # null / notNull: the string 'None' is expected to be treated like None
        assert pass_condition(None, 'null', '') == True
        assert pass_condition('None', 'null', '') == True
        assert pass_condition(None, 'notNull', '') == False
        assert pass_condition('None', 'notNull', '') == False

        # booleans: string spellings are expected to match case-insensitively
        assert pass_condition(True, 'true', '') == True
        assert pass_condition('TrUE', 'true', '') == True
        assert pass_condition(False, 'false', '') == True
        assert pass_condition('FaLSe', 'notTrue', '') == True

        # Fixtures with zero, one and two elements for the length and membership checks.
        test_list1 = []
        test_dict1 = {}
        test_list2 = [ 'a']
        test_dict2 = {'a': 'b'}
        test_list3 = ['a', 'b']
        test_dict3 = {'a': 'b','c': 'd'}

        assert pass_condition(test_list1, 'lengthLessThan', 1) == True
        assert pass_condition(test_list1, 'lengthMoreThan', 1) == False
        assert pass_condition(test_list1, 'lengthEqual', 1) == False
        assert pass_condition(test_list2, 'lengthLessThan', 1) == False
        assert pass_condition(test_list2, 'lengthMoreThan', 1) == False
        assert pass_condition(test_list2, 'lengthEqual', 1) == True
        assert pass_condition(test_list3, 'lengthLessThan', 1) == False
        assert pass_condition(test_list3, 'lengthMoreThan', 1) == True
        assert pass_condition(test_list3, 'lengthEqual', 1) == False

        assert pass_condition(test_dict1, 'lengthLessThan', 1) == True
        assert pass_condition(test_dict1, 'lengthMoreThan', 1) == False
        assert pass_condition(test_dict1, 'lengthEqual', 1) == False
        assert pass_condition(test_dict2, 'lengthLessThan', 1) == False
        assert pass_condition(test_dict2, 'lengthMoreThan', 1) == False
        assert pass_condition(test_dict2, 'lengthEqual', 1) == True
        assert pass_condition(test_dict3, 'lengthLessThan', 1) == False
        assert pass_condition(test_dict3, 'lengthMoreThan', 1) == True
        assert pass_condition(test_dict3, 'lengthEqual', 1) == False

        # key presence
        assert pass_condition(test_dict1, 'withKey', 'a') == False
        assert pass_condition(test_dict2, 'withKey', 'a') == True
        assert pass_condition(test_dict1, 'withoutKey', 'a') == True
        assert pass_condition(test_dict2, 'withoutKey', 'a') == False

        # membership: either side may be a list or a single string
        assert pass_condition(test_list1, 'containAtLeastOneOf', test_list1) == False
        assert pass_condition(test_list1, 'containAtLeastOneOf', test_list2) == False
        assert pass_condition(test_list2, 'containAtLeastOneOf', test_list2) == True
        assert pass_condition(test_list2, 'containAtLeastOneOf', ['b']) == False
        assert pass_condition(test_list3, 'containAtLeastOneOf', ['c']) == False
        assert pass_condition(test_list3, 'containAtLeastOneOf', ['c', 'b']) == True
        assert pass_condition('', 'containAtLeastOneOf', test_list1) == False
        assert pass_condition('a', 'containAtLeastOneOf', test_list2) == True
        assert pass_condition(test_list2, 'containAtLeastOneOf', '') == False
        assert pass_condition(test_list2, 'containAtLeastOneOf', 'a') == True

        assert pass_condition(test_list1, 'containAtLeastOneDifferentFrom', test_list1) == False
        assert pass_condition(test_list1, 'containAtLeastOneDifferentFrom', test_list3) == False
        assert pass_condition(test_list2, 'containAtLeastOneDifferentFrom', test_list1) == True
        assert pass_condition(test_list2, 'containAtLeastOneDifferentFrom', test_list2) == False
        assert pass_condition(test_list2, 'containAtLeastOneDifferentFrom', test_list3) == False
        assert pass_condition(['c'], 'containAtLeastOneDifferentFrom', test_list3) == True
        assert pass_condition(test_list3, 'containAtLeastOneDifferentFrom', test_list3) == False
        assert pass_condition(test_list3, 'containAtLeastOneDifferentFrom', test_list2) == True
        assert pass_condition(test_list3, 'containAtLeastOneDifferentFrom', test_list1) == True
        assert pass_condition('', 'containAtLeastOneDifferentFrom', test_list1) == False
        assert pass_condition('a', 'containAtLeastOneDifferentFrom', test_list3) == False
        assert pass_condition('d', 'containAtLeastOneDifferentFrom', test_list3) == True
        assert pass_condition(test_list1, 'containAtLeastOneDifferentFrom', 'a') == False
        assert pass_condition(test_list2, 'containAtLeastOneDifferentFrom', 'd') == True

        assert pass_condition(test_list1, 'containNoneOf', test_list1) == True
        assert pass_condition(test_list2, 'containNoneOf', test_list2) == False
        assert pass_condition(test_list1, 'containNoneOf', 'a') == True
        assert pass_condition('a', 'containNoneOf', test_list1) == True

        # regular-expression matching, with a single pattern or a list of patterns
        assert pass_condition('abcdefg', 'match', '.*cde.*') == True
        assert pass_condition('abcdefg', 'notMatch', '.*cde.*') == False
        assert pass_condition('abcdefg', 'match', '.*345.*') == False
        assert pass_condition('abcdefg', 'notMatch', '.*345.*') == True
        assert pass_condition('abcdefg', 'notMatch', '.*345.*') == True
        assert pass_condition('abcdefg', 'match', ['.*xyx.*', '.*pqr.*']) == False
        assert pass_condition('abcdefg', 'match', ['.*xyx.*', '.*345.*', '.*cde.*']) == True

        assert pass_condition('abcdefg', 'matchInList', '.*cde.*') == True
        assert pass_condition('abcdefg', 'matchInList', '.*edc.*') == False
        assert pass_condition('abcdefg', 'matchInList', ['.*cde.*', '.*edc.*']) == True
        assert pass_condition('abcdefg', 'matchInList', ['.*edc.*', '.*cba.*']) == False
        assert pass_condition(['abcdefg'], 'matchInList', '.*cde.*') == True
        assert pass_condition(['abcdefg'], 'matchInList', '.*edc.*') == False
        assert pass_condition(['abcdefg'], 'matchInList', ['.*cde.*', '.*edc.*']) == True
        assert pass_condition(['abcdefg'], 'matchInList', ['.*edc.*', '.*cba.*']) == False
        assert pass_condition(test_list1, 'matchInList', '.*cde.*') == False
        assert pass_condition('abcdefg', 'matchInList', test_list1) == False
        assert pass_condition(test_list1, 'matchInList', test_list1) == False

        # dates: two fixed timestamp strings, and three datetimes relative to now
        date1 = '2016-04-11 12:20:26.996000+00:00'
        date2 = '2017-04-11 12:20:26.996000+00:00'
        date3 = datetime.datetime.now() - datetime.timedelta(days=1)
        date4 = datetime.datetime.now() - datetime.timedelta(days=100)
        date5 = datetime.datetime.now() - datetime.timedelta(hours=5)

        assert pass_condition(date1, 'priorToDate', date2) == True
        assert pass_condition(date2, 'priorToDate', date1) == False

        assert pass_condition(date3, 'olderThan', [90, 'days']) == False
        assert pass_condition(date4, 'olderThan', [90, 'days']) == True
        assert pass_condition(date5, 'olderThan', [90, 'minutes']) == True
        assert pass_condition(date5, 'olderThan', [360, 'minutes']) == False
        assert pass_condition(date5, 'olderThan', [1, 'hours']) == True
        assert pass_condition(date5, 'olderThan', [6, 'hours']) == False
        # Invalid unit and malformed argument. The bare except also catches
        # AssertionError, so neither of these two checks can fail the test.
        try:
            assert pass_condition(date5, 'olderThan', [6, 'unittest']) == False
        except:
            pass
        try:
            assert pass_condition(date5, 'olderThan', '90') == False
        except:
            pass

        assert pass_condition(date3, 'newerThan', [90, 'days']) == True
        assert pass_condition(date4, 'newerThan', [90, 'days']) == False
        assert pass_condition(date4, 'newerThan', ['90', 'days']) == False

        # subnet membership, with a single CIDR or a list of CIDRs
        assert pass_condition('192.168.0.1', 'inSubnets', '192.168.0.0/24') == True
        assert pass_condition('192.168.0.1', 'inSubnets', ['192.168.0.0/24']) == True
        assert pass_condition('192.168.1.1', 'inSubnets', ['192.168.0.0/24']) == False
        assert pass_condition('192.168.1.1', 'notInSubnets', ['192.168.0.0/24']) == True

        # IAM policy checks against a parsed policy document from tests/data
        src_dir = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
        src_file = os.path.join(src_dir, 'policy1.json')
        with open(src_file) as f:
            testpolicy = json.load(f)
        assert pass_condition(testpolicy['Statement'][0], 'containAction', 'iam:GetUser') == True
        assert pass_condition(testpolicy['Statement'][0], 'containAction', 'iam:CreateUser') == False
        assert pass_condition(testpolicy['Statement'][1], 'containAction', 'iam:CreateUser') == True
        assert pass_condition(testpolicy['Statement'][2], 'containAction', 'iam:CreateUser') == True
        assert pass_condition(testpolicy['Statement'][0], 'notContainAction', 'iam:CreateUser') == True
        assert pass_condition(testpolicy['Statement'][0], 'notContainAction', 'iam:GetUser') == False
        assert pass_condition(testpolicy['Statement'][0], 'containAtLeastOneAction', '') == False
        assert pass_condition(testpolicy['Statement'][0], 'containAtLeastOneAction', 'iam:GetUser') == True
        assert pass_condition(testpolicy['Statement'][0], 'containAtLeastOneAction', ['iam:CreateUser', 'iam:GetUser']) == True

        # The same checks against a statement passed as raw text rather than a parsed dict.
        src_file = os.path.join(src_dir, 'statement1.json')
        with open(src_file) as f:
            stringstatement = f.read()
        assert pass_condition(stringstatement, 'containAction', 'iam:GetUser') == True
        assert pass_condition(stringstatement, 'containAtLeastOneAction', 'iam:GetUser') == True

        # account comparison: bare account ids, ARNs, lists and {'AWS': arn} principals
        assert pass_condition('123456789012', 'isSameAccount', '123456789012') == True
        assert pass_condition(['123456789013', '123456789012'], 'isSameAccount', '123456789012') == True
        assert pass_condition('arn:aws:iam::123456789012:root', 'isSameAccount', '123456789012') == True
        assert pass_condition('arn:aws:iam::123456789012:user/name', 'isSameAccount', '123456789012') == True
        assert pass_condition('arn:aws:iam::123456789012:role/name', 'isSameAccount', '123456789012') == True
        assert pass_condition('123456789012', 'isSameAccount', '123456789013') == False
        assert pass_condition('arn:aws:iam::123456789012:root', 'isSameAccount', '123456789013') == False

        assert pass_condition('123456789012', 'isCrossAccount', '123456789013') == True
        assert pass_condition(['123456789013', '123456789012'], 'isCrossAccount', '123456789013') == True
        assert pass_condition('arn:aws:iam::123456789012:root', 'isCrossAccount', '123456789013') == True
        assert pass_condition({'AWS': 'arn:aws:iam::123456789012:root'}, 'isCrossAccount', '123456789013')
        assert pass_condition(
            [{'AWS': 'arn:aws:iam::123456789013:root'}, {'AWS': 'arn:aws:iam::123456789012:root'}],
            'isCrossAccount',
            '123456789013'
        )

        # The pattern .*[*].* matches any element that contains a literal asterisk.
        assert pass_condition(["a", "b", "arn:aws:iam::111111111111:role/*"], "containAtLeastOneMatching", ".*[*].*")
        assert pass_condition(["*"], "containAtLeastOneMatching", ".*[*].*")
        assert not pass_condition(["a", "b"], "containAtLeastOneMatching", ".*[*].*")
        assert not pass_condition([], "containAtLeastOneMatching", ".*[*].*")

        # Unknown operator: whatever pass_condition does with it is ignored here.
        try:
            pass_condition('foo', 'bar', 'baz')
        except:
            pass

        return


================================================
FILE: tests/test_utils_console.py
================================================
# -*- coding: utf-8 -*-

import unittest

from ScoutSuite.core.console import *


class TestOpinelUtilsConsoleClass(unittest.TestCase):
    """Smoke tests for the console helpers: printing, logging setup and prompts."""

    def test_configPrintException(self):
        """The logger configuration can be switched both ways without raising."""
        set_logger_configuration(False)
        set_logger_configuration(True)

    def test_printDebug(self):
        """print_debug() accepts a plain string."""
        print_debug('hello')

    def test_printError(self):
        """print_error() accepts a plain string."""
        print_error('hello')

    def test_printException(self):
        """print_exception() handles an exception with the logger configured either way."""
        set_logger_configuration(True)
        try:
            raise Exception('opinelunittest')
        except Exception as e:
            print_exception(e)
        set_logger_configuration(False)
        try:
            raise Exception('opinelunittest')
        except Exception as e:
            print_exception(e)
        # Same call again with a second positional argument of True.
        try:
            raise Exception('opinelunittest')
        except Exception as e:
            print_exception(e, True)

    # NOTE(review): the first parameter is named `msg` but receives the
    # TestCase instance; neither parameter is used in the body.
    def test_printInfo(msg, newLine=True):
        """print_info() accepts a plain string."""
        print_info('hello')

    def test_printGeneric(self):
        """print_generic() accepts a plain string."""
        print_generic('hello')

    def test_prompt(self):
        """prompt() is fed its answer directly instead of reading from a terminal.

        The asserts expect a string to come back unchanged and a list to be
        consumed one element per call, with '' once it is exhausted.
        """
        assert prompt('a') == 'a'
        assert prompt('') == ''
        test = ['a', 'b']
        assert prompt(test) == 'a'
        assert prompt(test) == 'b'
        assert prompt(test) == ''

    def test_prompt_4_value(self):
        """prompt_value() with canned input: free text, choices, indices, defaults and lists."""
        assert prompt_value('prompt_4_value', no_confirm=True, test_input='inputvalue') == 'inputvalue'
        assert prompt_value('prompt_4_value', no_confirm=True, is_question=True, test_input='inputvalue') == 'inputvalue'
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], no_confirm=True, test_input='b') == 'b'
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], display_choices=False, no_confirm=True, test_input='b') == 'b'
        # With display_indices the input '1' is expected to select the second choice.
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], display_indices=True, no_confirm=True, test_input='1') == 'b'
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], default='b', no_confirm=True, test_input='') == 'b'
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], no_confirm=True, authorize_list=True, test_input='a,b') == 'a,b'
        # required=True: an empty or invalid first answer is skipped and the next one is used.
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], required=True, no_confirm=True, test_input=['', 'b']) == 'b'
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], required=True, no_confirm=True, test_input=['invalid', 'b']) == 'b'
        # A comma-separated answer is rejected unless authorize_list is set and every item is a valid choice.
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], no_confirm=True, test_input='a,c') == None
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], no_confirm=True, test_input='a,b', authorize_list = True) == 'a,b'
        assert prompt_value('prompt_4_value', choices=['a', 'b', 'c'], no_confirm=True, test_input='a,e', authorize_list = True) == None

    def test_prompt_4_yes_no(self):
        """prompt_yes_no() accepts Y/yes and N/no and returns None for anything else."""
        assert prompt_yes_no('hello', 'N') == False
        assert prompt_yes_no('hello', 'no') == False
        assert prompt_yes_no('hello', 'Y') == True
        assert prompt_yes_no('hello', 'yes') == True
        assert prompt_yes_no('hello', ['foo', 'bar', 'no']) == False
        assert prompt_yes_no('hello', 'Ye') == None
        assert prompt_yes_no('hello', 'Non') == None


================================================
FILE: tests/test_utils_fs.py
================================================
# -*- coding: utf-8 -*-

import unittest

# `datetime`, `json` and `os` are used below without an import of their own,
# so they have to arrive through these star imports.
from ScoutSuite.core.fs import *
from ScoutSuite.core.console import *


class TestOpinelFsClass(unittest.TestCase):
    """
    Tests for the file helpers in ScoutSuite.core.fs
    """

    def cmp(self, a, b):
        """
        Implement cmp() for Python3 tests: returns -1, 0 or 1
        """
        return (a > b) - (a < b)

    def test_CustomJSONEncoder(self):
        """CustomJSONEncoder serializes a dict holding a datetime and a nested dict."""
        date = datetime.datetime(2017, 6, 12)
        blob1 = {'foo': 'bar', 'date': date}
        print('%s' % json.dumps(blob1, cls=CustomJSONEncoder))
        blob2 = {'foo': 'bar', 'baz': {'foo': 'bar'}}
        print('%s' % json.dumps(blob2, cls=CustomJSONEncoder))

    def test_load_data(self):
        """load_data() reads packaged data files and, with local_file, files given by path.

        The 'tests/data/...' paths are relative, so the test has to run from
        the repository root.
        """
        test = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data/protocols.json')
        load_data(test, local_file=True)
        load_data(test, 'protocols', local_file=True)
        load_data('protocols.json', 'protocols')
        load_data('aws/ip-ranges/aws.json', 'prefixes')
        load_data('tests/data/protocols.json', 'protocols', local_file=True)
        test = load_data('protocols.json', 'protocols')
        assert type(test) == dict
        assert test['1'] == 'ICMP'
        # The local test copy carries an extra '-2' entry that tells it apart
        # from the packaged file.
        test = load_data('tests/data/protocols.json', 'protocols', True)
        assert type(test) == dict
        assert test['-2'] == 'TEST'

    def test_read_ip_ranges(self):
        """read_ip_ranges() must not raise for a packaged file or a local file.

        NOTE(review): test_cases is built but never iterated, and
        successful_read_ip_ranges_runs is never set to False, so the final
        assert cannot fail. Only the three calls at the top exercise code.
        """
        read_ip_ranges('aws/ip-ranges/aws.json', local_file=False)
        read_ip_ranges('tests/data/ip-ranges-1.json', local_file=True)
        read_ip_ranges('tests/data/ip-ranges-1.json', local_file=True, ip_only=True)
        successful_read_ip_ranges_runs = True
        # The last two entries give the 'results' key twice; in a dict literal
        # the later value wins.
        test_cases = [
            { 'filename': 'tests/data/ip-ranges-1.json', 'local_file': True, 'conditions': [],'ip_only': False, 'results': 'tests/results/read_ip_ranges/ip-ranges-1a.json' },
            { 'filename': 'tests/data/ip-ranges-1.json', 'local_file': True, 'conditions': [],'ip_only': True, 'results': 'tests/results/read_ip_ranges/ip-ranges-1b.json' },
            { 'filename': 'tests/data/ip-ranges-1.json', 'local_file': True, 'conditions': [ [ 'field_a', 'equal', 'a1']], 'ip_only': True, 'results': 'tests/results/read_ip_ranges/ip-ranges-1c.json' },
            { 'filename': 'tests/aws/ip-ranges/aws.json', 'local_file': False, 'conditions': [ [ 'ip_prefix', 'equal', '23.20.0.0/14' ] ], 'ip_only': False, 'results': 'tests/results/read_ip_ranges/ip-ranges-a.json' },
            { "filename": 'tests/data/ip-ranges-3.json', "local_file": True, 'results': None, "ip_only": True, "results": "tests/results/read_ip_ranges/ip-ranges-3.json" },
            { "filename": 'data/ip-ranges-3.json', "local_file": True, 'results': None, "ip_only": True, "results": "results/read_ip_ranges/ip-ranges-3.json" }
        ]
        assert successful_read_ip_ranges_runs

    def test_save_blob_as_json(self):
        """save_blob_as_json() must not raise, including for a path it may not be able to write.

        NOTE(review): the first two calls leave tmp1.json in the working
        directory and no cleanup is visible. The third targets /root, which is
        presumably meant to fail for an unprivileged user; when the suite runs
        as root it would create the file there instead - confirm the intent.
        """
        date = datetime.datetime.now()
        save_blob_as_json('tmp1.json', {'foo': 'bar','date': date}, True)
        save_blob_as_json('tmp1.json', {'foo': 'bar'}, True)
        save_blob_as_json('/root/tmp1.json', {'foo': 'bar'}, True)


================================================
FILE: tools/README.md
================================================
# Tools

This folder holds a number of useful tools for development and advanced usage of Scout Suite.

## [aws_security_hub_export.py](https://github.com/nccgroup/ScoutSuite/blob/master/tools/aws_security_hub_export.py)

Allows exporting results from a report to AWS Security Hub. The profile must be allowed to call `securityhub:BatchImportFindings`, and the findings are imported into Security Hub in that profile's configured region.

CLI Usage:

```shell
$ python tools/aws_security_hub_export.py -h
usage: aws_security_hub_export.py [-h] [-p PROFILE] -f FILE

Tool to upload a JSON report to AWS Security Hub

optional arguments:
  -h, --help            show this help message and exit
  -p PROFILE, --profile PROFILE
                        The named profile to use to authenticate to AWS.
                        Defaults to "default".
  -f FILE, --file FILE  The path of the JSON results file to process, e.g.
                        "scoutsuite-report/scoutsuite-
                        results/scoutsuite_results_aws-.js".

$ python tools/aws_security_hub_export.py --profile --file scoutsuite-report/scoutsuite-results/scoutsuite_results_aws-.js
2020-04-19 10:09:06 wrkbx2 scout[7121] INFO Authenticated with profile
2020-04-19 10:09:06 wrkbx2 scout[7121] INFO Batch uploading 14 findings
2020-04-19 10:09:07 wrkbx2 scout[7121] INFO Upload completed, 14 succeeded, 0 failed
```

Programmatic Usage:

```python
Python 3.7.3 (default, Dec 20 2019, 18:57:59)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from tools.aws_security_hub_export import run
>>> run('', 'scoutsuite-report/scoutsuite-results/scoutsuite_results_aws-.js')
```

## [format_findings.py](https://github.com/nccgroup/ScoutSuite/blob/master/tools/format_findings.py)

Formats all findings to ensure they follow standard format.

Usage:

```shell
$ python tools/format_findings.py -h
usage: format_findings.py [-h] [-f FOLDER]

Tool to help properly format findings.

optional arguments:
  -h, --help            show this help message and exit
  -f FOLDER, --folder FOLDER
                        The path of the folder containing the findings.
                        If not provided will format all folders

$ python tools/format_findings.py
Formatting findings in /home/xxxxx/Git/ScoutSuite/ScoutSuite/providers/aliyun/rules/findings
Found 8/10 findings with no rationale
Formatting findings in /home/xxxxx/Git/ScoutSuite/ScoutSuite/providers/aws/rules/findings
Found 66/100 findings with no rationale
Formatting findings in /home/xxxxx/Git/ScoutSuite/ScoutSuite/providers/azure/rules/findings
Found 2/40 findings with no rationale
Formatting findings in /home/xxxxx/Git/ScoutSuite/ScoutSuite/providers/gcp/rules/findings
Found 10/30 findings with no rationale
Formatting findings in /home/xxxxx/Git/ScoutSuite/ScoutSuite/providers/oci/rules/findings
Found 5/10 findings with no rationale
```

Refer to https://github.com/nccgroup/ScoutSuite/wiki/HowTo:-Create-a-new-rule for related information.

## [gen-tests.py](https://github.com/nccgroup/ScoutSuite/blob/master/tools/gen-tests.py)

TBD

## [process_raw_response.py](https://github.com/nccgroup/ScoutSuite/blob/master/tools/process_raw_response.py)

Helps parse an object returned by the cloud provider's APIs and generate a boilerplate partial.

Refer to https://github.com/nccgroup/ScoutSuite/wiki/Tools & https://github.com/nccgroup/ScoutSuite/wiki/HowTo:-Create-a-custom-partial-for-new-resources for usage information.

## [sort-ruleset.py](https://github.com/nccgroup/ScoutSuite/blob/master/tools/sort-ruleset.py)

Sorts and prettifies a ruleset by file name.

## [update-aws-ips.sh](https://github.com/nccgroup/ScoutSuite/blob/master/tools/update-aws-ips.sh)

Updates the AWS CIDRs file.

================================================ FILE: tools/__init__.py ================================================ ================================================ FILE: tools/aws_security_hub_export.py ================================================ #!/usr/bin/env python3 from ScoutSuite.providers.aws.utils import get_caller_identity from ScoutSuite.core.console import set_logger_configuration, print_info, print_exception from tools.utils import results_file_to_dict import datetime import argparse import boto3 def upload_findigs_to_securityhub(session, formatted_findings_list): try: if formatted_findings_list: print_info('Batch uploading {} findings'.format(len(formatted_findings_list))) securityhub = session.client('securityhub') response = securityhub.batch_import_findings(Findings=formatted_findings_list) print_info('Upload completed, {} succeeded, {} failed'.format(response.get('SuccessCount'), response.get('FailedCount'))) return response except Exception as e: print_exception(f'Unable to upload findings to Security Hub: {e}') def format_finding_to_securityhub_format(aws_account_id, region, creation_date, finding_key, finding_value): try: if finding_value.get('level') == 'danger': label = 'HIGH' elif finding_value.get('level') == 'warning': label = 'MEDIUM' else: label = 'INFORMATIONAL' format_time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() formatted_finding = { 'SchemaVersion': '2018-10-08', 'Id': finding_key, 'ProductArn': 'arn:aws:securityhub:' + region + ':' + aws_account_id + ':product/' + aws_account_id + '/default', 'GeneratorId': f'scoutsuite-{aws_account_id}', 'AwsAccountId': aws_account_id, 'Types': ['Software and Configuration Checks/AWS Security Best Practices'], 'FirstObservedAt': creation_date, 'CreatedAt': format_time, 'UpdatedAt': format_time, 'Severity': { 'Label': label }, 'Title': finding_value.get('description'), 'Description': finding_value.get('rationale') if finding_value.get('rationale') else 
'None', 'Remediation': { 'Recommendation': { 'Text': finding_value.get('remediation', 'None') if finding_value.get('remediation') else 'None' } }, 'ProductFields': {'Product Name': 'Scout Suite'}, 'Resources': [ # TODO this lacks affected resources { 'Type': 'AwsAccount', 'Id': 'AWS::::Account:' + creation_date, 'Partition': 'aws', 'Region': region } ], 'Compliance': { 'Status': 'FAILED' }, 'RecordState': 'ACTIVE' } return formatted_finding except Exception as e: print_exception(f'Unable to process finding: {e}') def process_results_file(f, region): try: formatted_findings_list = [] results = results_file_to_dict(f) aws_account_id = results["account_id"] creation_date = datetime.datetime.strptime(results["last_run"]["time"], '%Y-%m-%d %H:%M:%S%z').isoformat() for service in results.get('service_list'): for finding_key, finding_value in results.get('services', {}).get(service).get('findings').items(): if finding_value.get('items'): formatted_finding = format_finding_to_securityhub_format(aws_account_id, region, creation_date, finding_key, finding_value) formatted_findings_list.append(formatted_finding) return formatted_findings_list except Exception as e: print_exception(f'Unable to process results file: {e}') def run(profile, file): session = boto3.Session(profile_name=profile) # Test querying for current user get_caller_identity(session) print_info(f'Authenticated with profile {profile}') try: with open(file) as f: formatted_findings_list = process_results_file(f, session.region_name) except Exception as e: print_exception(f'Unable to open file {file}: {e}') upload_findigs_to_securityhub(session, formatted_findings_list) if __name__ == "__main__": # Configure the debug level set_logger_configuration() parser = argparse.ArgumentParser(description='Tool to upload a JSON report to AWS Security Hub') parser.add_argument('-p', '--profile', required=False, default="default", help="The named profile to use to authenticate to AWS. 
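Defaults to \"default\".")
    parser.add_argument('-f', '--file',
                        required=True,
                        help="The path of the JSON results file to process, e.g. "
                             "\"scoutsuite-report/scoutsuite-results/scoutsuite_results_aws-.js\".")

    args = parser.parse_args()

    try:
        run(args.profile, args.file)
    except Exception as e:
        print_exception(f'Unable to complete: {e}')


================================================
FILE: tools/format_findings.py
================================================
#!/usr/bin/env python3

import argparse
import json
import os
import sys
from collections import OrderedDict

from utils import get_capitalized_title


def get_folder_files(folder_path):
    """
    Return the names of the files located directly inside a folder (no recursion).

    :param folder_path: path of the folder to list
    :return:            list of file names; empty if the folder cannot be walked
    """
    # Only the first entry produced by os.walk (the folder itself) is of interest
    _, _, filenames = next(os.walk(folder_path), (None, None, []))
    return list(filenames)


def format_folder(folder_path):
    """
    Normalize every finding definition (JSON file) directly inside a folder, in place.

    For each file: rename the legacy 'title' key to 'description', strip a legacy prefix
    from the rationale, title-case the description, order the keys and write the result
    back. A summary of the findings without a rationale is printed at the end.

    :param folder_path: path of the folder holding the finding files
    :return:            None
    """
    print(f'Formatting findings in {folder_path}')
    files = get_folder_files(folder_path)
    finding_with_no_rationale = 0
    for fn in files:
        loc = f'{folder_path}/{fn}'
        with open(loc, 'r+') as json_file:
            try:
                data = json.load(json_file)
            except Exception as e:
                print(f'exception {e} for \"{fn}\"')
            else:
                try:
                    # change legacy field name - TODO remove once there are none left
                    if 'title' in data:
                        data['description'] = data['title']
                        data.pop('title', None)
                    # remove legacy HTML from rationale - TODO remove once there are none left
                    if 'rationale' in data.keys() and data.get('rationale'):
                        # NOTE(review): the search string below is split across lines in this
                        # listing and may be missing markup - confirm against the repository copy
                        data['rationale'] = data['rationale'].replace('Description:

', '')
                        # check for legacy content - TODO remove once there are none left
                        if 'References' in data['rationale'] or 'CIS' in data['rationale']:
                            print('Potentially legacy rationale for {}: {}'.format(fn, data['rationale']))
                    else:
                        finding_with_no_rationale += 1
                    # capitalize titles
                    data['description'] = get_capitalized_title(data['description'])
                    # sort keys
                    sort_order = ['description', 'rationale', 'remediation', 'compliance', 'references',
                                  'dashboard_name', 'display_path', 'path', 'conditions', 'key', 'keys',
                                  'arg_names', 'id_suffix', 'class_suffix']
                    try:
                        ordered_data = OrderedDict(sorted(data.items(), key=lambda i: sort_order.index(i[0])))
                    except Exception as e:
                        # A key that is not listed in sort_order cannot be placed; report it and
                        # leave the file on disk untouched
                        print(f'{fn}: {e}')
                    else:
                        # back to start
                        json_file.seek(0)
                        # save to file
                        json.dump(ordered_data, json_file, sort_keys=False, indent=4)
                        # The rewritten document can be shorter than the old one (removed key or
                        # prefix); cut the leftover bytes so the file stays valid JSON
                        json_file.truncate()
                except Exception as e:
                    print(f'Failed to process {fn}: {e}')

    print('Found {}/{} findings with no rationale'.format(finding_with_no_rationale, len(files)))


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Tool to help properly format findings.')
    parser.add_argument('-f', '--folder',
                        required=False,
                        help="The path of the folder containing the findings. If not provided will format all folders")

    args = parser.parse_args()

    if args.folder:
        if not os.path.isdir(args.folder):
            print('Error, the path provided is not valid.')
            sys.exit(1)
        else:
            format_folder(args.folder)
    else:
        # No folder given: format the findings folder of every supported provider
        provider_codes = ['aliyun', 'aws', 'azure', 'gcp', 'oci', 'kubernetes']
        current_file_dirname = os.path.dirname(__file__)
        for provider_code in provider_codes:
            findings_path = os.path.abspath(
                os.path.join(current_file_dirname, f"../ScoutSuite/providers/{provider_code}/rules/findings/"))
            format_folder(findings_path)


================================================
FILE: tools/gen-tests.py
================================================
#!/usr/bin/env python

import os

scout_dir = 'ScoutSuite'
tests_dir = 'testsbase'

# Walk the package and write a test-class skeleton for every module that has none yet.
# Existing skeleton files are never overwritten.
for root, dirnames, filenames in os.walk(scout_dir):
    for filename in filenames:
        # Skip dunder files (e.g. __init__.py) and anything that is not a Python module
        if filename.startswith('__') or not filename.endswith('.py'):
            continue
        filepath = os.path.join(root, filename)
        # Path components without the extension, e.g. ['ScoutSuite', 'core', 'fs'];
        # note the separator is hard-coded as '/'
        tmp = filepath.split('.')[0].split('/')
        print(str(tmp))
        test = '# Import AWS utils\nfrom {} import *\n\n#\n# Test methods for {}\n#\n\nclass Test{}Class:\n\n'.format('.'.join(tmp), filepath, ''.join(t.title() for t in tmp))
        test_filename = 'test-%s.py' % '-'.join(tmp[1:])
        print(f'{filepath} --> {test_filename}')
        test_file = os.path.join(tests_dir, test_filename)
        if not os.path.isfile(test_file):
            with open(test_file, 'w+') as f:
                f.write(test)


================================================
FILE: tools/process_raw_response.py
================================================
#!/usr/bin/env python3

import argparse
import json
import datetime
import re
from ast import literal_eval

# Patterns used by camel_to_snake to find the positions where an underscore is inserted
first_cap_re = re.compile('(.)([A-Z][a-z]+)')
all_cap_re = re.compile('([a-z0-9])([A-Z])')

# NOTE(review): this template is empty in this listing although the script fills it with
# many positional arguments - confirm its content against the repository copy
html_boilerplate = \
    """ """


def camel_to_snake(name, upper=False):
    """
    Convert a camelCase or PascalCase name into an underscore-separated one.

    :param name:    name to convert
    :param upper:   if True the result is title-cased (str.title), otherwise lower-cased
    :return:        converted name
    """
    s1 = first_cap_re.sub(r'\1_\2', name)
    separated = all_cap_re.sub(r'\1_\2', s1)
    return separated.title() if upper else separated.lower()


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Tool to 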
help parsing raw responses.')
    parser.add_argument('-p', '--provider',
                        required=True,
                        help="The cloud provider (e.g. \"aws\")")
    parser.add_argument('-s', '--service',
                        required=True,
                        help="The response's service (e.g. \"iam\")")
    parser.add_argument('-n', '--name',
                        required=True,
                        help="The response object's name (e.g. \"user\")")
    parser.add_argument('-a', '--additional-path',
                        required=False,
                        help="Additional path values(e.g. \"vpc\", \"subscriptions\')")
    parser.add_argument('-v', '--value',
                        required=True,
                        help="The raw response")

    args = parser.parse_args()

    if args.provider not in ['aws', 'azure', 'aliyun', 'gcp', 'oci', 'do', 'kubernetes']:  # TODO support more providers
        print('Provider not implemented')
        exit()

    # Each branch below turns the text given in --value into a dict and picks the accessor
    # format used in the generated parsing code
    if args.provider == 'aws':
        object_format = 'raw_{}.get(\'{}\')'
        # NOTE(review): the result of this first replace() is discarded, because the next
        # line starts again from args.value; the search string also looks altered in this
        # listing - confirm against the repository copy
        cleaned_value = args.value.replace(': ', '')
        cleaned_value = args.value.replace('\}', '}')
        cleaned_value = cleaned_value.replace(", tzinfo=tzlocal()", "")
        cleaned_value = cleaned_value.replace(", tzinfo=tzutc()", "")
        # SECURITY: eval() executes the --value text as Python code with the privileges of
        # this process. Only pass responses captured with your own tooling, never text
        # received from another party. ast.literal_eval (used for aliyun below) accepts
        # literals only and should be preferred wherever the input allows it.
        object_value_dict = eval(cleaned_value)
    elif args.provider == 'azure':
        object_format = 'raw_{}.{}'
        # Replace angle-bracketed object representations with None before evaluating
        pattern = re.compile(r'<[\w\'.:_\s]*>')
        cleaned_value = pattern.sub('None', args.value)
        cleaned_value = cleaned_value.replace(' {}', ' \'{}\'')
        # SECURITY: same concern as the aws branch - eval() runs the --value text as code
        object_value_dict = eval(cleaned_value)
    elif args.provider == 'aliyun':
        object_format = 'raw_{}.get(\'{}\')'
        object_value_dict = literal_eval(args.value)
    elif args.provider == 'gcp':
        object_format = 'raw_{}.{}'
        object_value_dict = json.loads(args.value)
    elif args.provider == 'oci':
        object_format = 'raw_{}.{}'
        object_value_dict = json.loads(args.value)
    elif args.provider == 'do':
        object_format = 'raw_{}.{}'
        object_value_dict = json.loads(args.value)
    elif args.provider == 'kubernetes':
        object_format = 'raw_{}.{}'
        object_value_dict = json.loads(args.value)

    # parsed_string collects generated Python source, parsed_html the matching template rows
    parsed_html = ''
    parsed_string = ''

    parsed_string += f'{args.name}_dict = {{}}\n'

    for k in object_value_dict.keys():
        object_format_value = object_format.format(args.name, k)

        parsed_string += '{}_dict[\'{}\'] = {}\n'.format(args.name, camel_to_snake(k), object_format_value)

        # NOTE(review): the template literal below spans several lines in this listing and
        # has fewer placeholders than arguments - presumably markup was lost; confirm
        # against the repository copy
        parsed_html += '\n
{}: {{{{value_or_none {}}}}}
'.format(
            camel_to_snake(k, True).replace('_', ' '),
            args.service,
            '.{}.{{{{{}}}}}'.format(args.additional_path, args.additional_path[:-1]) if args.additional_path else '',
            args.name,
            camel_to_snake(k),
            camel_to_snake(k))

    parsed_string += f'return {args.name}_dict[\'id\'], {args.name}_dict'

    # Emit the generated parsing code first, then the generated HTML partial
    print(parsed_string)
    print('\n')
    print(html_boilerplate.format(
        args.service, args.name,
        args.service, f'.{args.additional_path}.id' if args.additional_path else '', args.name,
        parsed_html,
        args.service, f'.{args.additional_path}.id' if args.additional_path else '', args.name,
        args.service, f'\\\\.{args.additional_path}\\\\.id' if args.additional_path else '', args.name,
        args.service, args.name,
        args.service, args.name,
        args.service, f'.{args.additional_path}.id' if args.additional_path else '', args.name,
        args.service, args.name,
        args.service, args.name
    ))


================================================
FILE: tools/sort-ruleset.py
================================================
#!/usr/bin/env python3

import argparse
import json
import os
import sys


def get_folder_files(folder_path):
    """
    Return the names of the files located directly inside a folder (no recursion).

    :param folder_path: path of the folder to list
    :return:            list of file names
    """
    files = []
    for (dirpath, dirnames, filenames) in os.walk(folder_path):
        files.extend(filenames)
        # Stop after the first entry, which is the folder itself
        break
    return files


def format_folder(folder_path):
    """
    Rewrite every ruleset (JSON file) directly inside a folder with sorted keys,
    4-space indentation and no trailing whitespace.

    A file that is not valid JSON raises from json.load and stops the run; files are only
    opened for writing after they were parsed successfully.

    :param folder_path: path of the folder holding the ruleset files
    :return:            None
    """
    print(f'Formatting rulesets in {folder_path}')
    files = get_folder_files(folder_path)
    for fn in files:
        loc = f'{folder_path}/{fn}'
        with open(loc, 'rt') as f:
            ruleset = json.load(f)
        ruleset = json.dumps(ruleset, indent=4, sort_keys=True)
        with open(loc, 'wt') as f:
            for line in ruleset.split('\n'):
                f.write('%s\n' % line.rstrip())


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Tool to help properly format rulesets.')
    parser.add_argument('-f', '--folder',
                        required=False,
                        help="The path of the folder containing the rulesets. 
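If not provided will format all folders")

    args = parser.parse_args()

    if args.folder:
        if not os.path.isdir(args.folder):
            print('Error, the path provided is not valid.')
            sys.exit(1)
        else:
            format_folder(args.folder)
    else:
        # No folder given: format the rulesets folder of every supported provider
        provider_codes = ['aliyun', 'aws', 'azure', 'gcp', 'oci', 'kubernetes']
        for provider_code in provider_codes:
            current_file_dirname = os.path.dirname(__file__)
            rulesets_path = os.path.abspath(
                os.path.join(current_file_dirname, f"../ScoutSuite/providers/{provider_code}/rules/rulesets/"))
            format_folder(rulesets_path)


================================================
FILE: tools/update-aws-ips.sh
================================================
#!/bin/sh
# Refresh the bundled copy of the published AWS IP ranges.

# Stop at the first failing command or unset variable
set -eu

# Resolve the script's own directory from $0; "$_" is not defined by POSIX sh and its
# value depends on how the script was started
DIR="$( dirname "$0" )"
TARGET="$DIR/../ScoutSuite/data/aws/ip-ranges/aws.json"

# Download into a temporary file first: --fail turns an HTTP error into a non-zero exit,
# so a failed or partial transfer never replaces the data that is already in place
curl --fail --silent --show-error https://ip-ranges.amazonaws.com/ip-ranges.json > "$TARGET.tmp"
mv "$TARGET.tmp" "$TARGET"


================================================
FILE: tools/utils.py
================================================
import re  # Import the regular expression library
import json

# Words that are written in lower case inside a title
EXCLUDED_WORDS = [
    "a", "an", "the",  # Articles
    "and", "but", "or", "by", "nor", "yet", "so",  # Conjunctions
    "about", "above", "across", "after", "against", "along", "among", "around", "at", "before",  # Prepositions
    "behind", "between", "beyond", "but", "by", "concerning", "despite", "down", "during", "except", "following",
    "for", "from", "in", "including", "into", "like", "near", "of", "off", "on", "out", "over", "plus", "since",
    "through", "throughout", "to", "towards", "under", "until", "up", "upon", "with", "within", "without"
]

# Placeholder tokens that are copied into the title unchanged
SPECIAL_WORDS = [
    "_ARG_0_", "_ARG_1_", "_ARG_2_", "_ARG_3_", "_ARG_4_", "_ARG_5_", "_ARG_6_", "_ARG_7_", "_ARG_8_", "_ARG_9_"
]


def is_mixed_case(word):
    """
    Tell whether a word contains both lower-case and upper-case characters.

    :param word:    string to inspect
    :return:        True if at least one lower-case and one upper-case character are present
    """
    has_lower = any(c.islower() for c in word)
    return has_lower and any(c.isupper() for c in word)


def get_capitalized_title(initial_title: str) -> str:
    """
    Take a string and return it in a fashion that follows proper title case guidelines

    Quoted passages are treated as separate fragments. Within a fragment, placeholder
    tokens (SPECIAL_WORDS), all-caps and mixed-case words are kept as written, words from
    EXCLUDED_WORDS are lower-cased and every other word is capitalized.

    Source: http://guidohenkel.com/2018/08/title-case-creation-python-csharp/

    :param initial_title:   title to convert
    :return:                converted title, without surrounding whitespace
    """
    out_string = ""
    # Extract titles in quotation marks from string
    fragments = re.split(r'(\".*?\")|(\'.*?\')|(“.*?”)|(‘.*?’)', initial_title)
    for fragment in fragments:  # Treat and re-assemble all fragments
        if fragment:  # skip empty matches generated by the OR in regex
            frag_string = ""
            tokens = fragment.split()  # Break string into individual words
            if tokens:
                for word in tokens:  # Check each word
                    if word not in SPECIAL_WORDS:
                        punct = word[-1]  # Check for trailing punctuation mark
                        if punct.isalpha():
                            punct = ""
                        else:
                            # Any non-letter last character (digits included) is split off
                            # here and appended again after the casing decision
                            word = word[:-1]
                    else:
                        punct = ""

                    if word in SPECIAL_WORDS:
                        frag_string += word + punct + " "  # do nothing
                    elif word.lower() in EXCLUDED_WORDS:
                        frag_string += word.lower() + punct + " "  # make it lowercase
                    elif word.isupper() or is_mixed_case(word):
                        frag_string += word + punct + " "  # do nothing
                    elif word and word[0] == '"' and word[-1] == '"':  # Check for quoted words
                        frag_string += word + punct + " "  # do nothing
                    else:
                        frag_string += word.capitalize() + punct + " "  # capitalize it

                # Upper-case the start of the fragment; when it opens with a non-letter
                # (e.g. a quotation mark) the character after it is covered as well
                cap = 1
                if not frag_string[0].isalpha():
                    cap = 2

                if frag_string[0] == '"' and frag_string[-2] == '"':  # Check for quoted words
                    out_string += frag_string.strip() + " "
                else:
                    out_string += (frag_string[:cap].upper() + frag_string[cap:]).strip() + " "

    # Capitalize first letter and strip trailing space
    return (out_string[:1].upper() + out_string[1:]).strip()


def results_file_to_dict(f):
    """
    Takes a file pointer to a JS/JSON results file and returns a dict

    The first line of the file is discarded and the remainder is parsed as JSON.

    :param f: file pointer
    :return: dict()
    """
    lines = f.readlines()
    # Drop the leading line - presumably the JavaScript assignment that precedes the JSON
    # document in a results file; verify against the report writer
    lines.pop(0)
    return json.loads(''.join(lines))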