-
Notifications
You must be signed in to change notification settings - Fork 134
/
Copy pathvpcutils.js
157 lines (149 loc) · 6.53 KB
/
vpcutils.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
// Import the required AWS SDK modules
const { EC2Client, DescribeNetworkInterfacesCommand } = require('@aws-sdk/client-ec2');
var jmespath = require('jmespath');
var find = require('lodash').find;
// Create an instance of the EC2 client
const ec2Client = new EC2Client({ region: process.env.AWS_REGION });
/*
VPC Log Format
version The VPC Flow Logs version.
account-id The AWS account ID for the flow log.
interface-id The ID of the network interface for which the traffic is recorded.
srcaddr The source IPv4 or IPv6 address.
dstaddr The destination IPv4 or IPv6 address.
srcport The source port of the traffic.
dstport The destination port of the traffic.
protocol The IANA protocol number of the traffic. For more information, see Assigned Internet Protocol Numbers.
packets The number of packets transferred during the capture window.
bytes The number of bytes transferred during the capture window.
start The time, in Unix seconds, of the start of the capture window.
end The time, in Unix seconds, of the end of the capture window.
action The action associated with the traffic:
ACCEPT: The recorded traffic was permitted by the security groups or network ACLs.
REJECT: The recorded traffic was not permitted by the security groups or network ACLs.
log-status The logging status of the flow log:
OK: Data is logging normally to the chosen destinations.
NODATA: There was no network traffic to or from the network interface during the capture window.
SKIPDATA: Some flow log records were skipped during the capture window. This may be because of an internal capacity constraint, or an internal error.
*/
function discardInternalTraffic(vpcCIDRPrefix, records) {
if (!vpcCIDRPrefix) {
return records;
}
var filteredRecords = [];
records.forEach(function (log) {
var vpcMessage = log.message.split(" ");
var srcaddr = vpcMessage[3];
var dstaddr = vpcMessage[4];
var vpcCIDRPrefixes = vpcCIDRPrefix.split(",").map((x) => x.trim()).filter((x) => x);
var isSrcIPinternal = vpcCIDRPrefixes.reduce((r, v) => r || srcaddr.startsWith(v), false);
var isDstIPinternal = vpcCIDRPrefixes.reduce((r, v) => r || dstaddr.startsWith(v), false);
if (!(isSrcIPinternal && isDstIPinternal)) {
filteredRecords.push(log);
}
});
return filteredRecords;
}
/**
* Describes the Network Interfaces associated with this account.
*
* @return `Promise` for async processing
*/
async function listNetworkInterfaces(allIPaddresses) {
const params = {
Filters: [
{
Name: 'private-ip-address',
Values: allIPaddresses,
},
],
};
const command = new DescribeNetworkInterfacesCommand(params);
try {
const response = await ec2Client.send(command);
return response;
} catch (err) {
console.log('Error in listNetworkInterfaces', err);
throw err;
}
}
/**
* Builds a listing of Elastic Network Interfaces (ENI) associated with this account and
* returns an Object representing that ENI, specifically its unique identifier, associated
* security groups, and primary private IP address.
*
* Per AWS documentation, we only capture the primary, private IPv4 address of the ENI:
*
* - If your network interface has multiple IPv4 addresses and traffic is sent to a secondary private IPv4
* address, the flow log displays the primary private IPv4 address in the destination IP address field.
* - In the case of both `srcaddr` and `dstaddr` in VPC Flow Logs: the IPv4 address of the network interface
* is always its private IPv4 address.
*
* @see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
*
* Returns structure like:
* [
* { interfaceId: 'eni-c1a7da8c',
* securityGroupIds: [ 'sg-b2b454d4' ],
* ipAddress: '10.0.1.24' },
* { interfaceId: 'eni-03cbb94e',
* securityGroupIds: [ 'sg-a3b252c5' ]
* ipAddress: '10.0.2.33'}
* ...
* ]
*/
function buildEniToSecurityGroupMapping(allIPaddresses) {
//console.log(allIPaddresses.length + " ip addresses found in logs");
return listNetworkInterfaces(allIPaddresses).then(function (interfaces) {
console.log(interfaces["NetworkInterfaces"].length + " Interfaces Fetched");
return jmespath.search(interfaces,
`NetworkInterfaces[].{
interfaceId: NetworkInterfaceId,
securityGroupIds: Groups[].GroupId,
ipAddress: PrivateIpAddresses[?Primary].PrivateIpAddress,
subnetId: SubnetId,
vpcId: VpcId
}`);
});
}
//filter on interfaceID
function includeSecurityGroupIds(records) {
var allIPaddresses = [];
records.forEach(function(log) {
var vpcMessage = log.message.split(" ");
allIPaddresses.push(vpcMessage[3]);
allIPaddresses.push(vpcMessage[4]);
});
allIPaddresses = Array.from(new Set(allIPaddresses));
return buildEniToSecurityGroupMapping(allIPaddresses).then(function (mapping) {
records.forEach(function (log) {
var vpcMessage = log.message.split(" ");
var eniData = find(mapping, {'interfaceId': vpcMessage[2]});
if (eniData && eniData.ipAddress.length > 0) {
log['security-group-ids'] = eniData.securityGroupIds;
if (vpcMessage[4] === eniData.ipAddress[0]) {
// destination matches eni's privateIP
var srcEniData = find(mapping, {'ipAddress': vpcMessage[3]});
log['direction'] = (srcEniData && (srcEniData.subnetId == eniData.subnetId) ? "internal" : "inbound");
} else {
// sources matches eni's privateIP
var destEniData = find(mapping, {'ipAddress': vpcMessage[4]});
log['direction'] = (destEniData && (destEniData.subnetId == eniData.subnetId) ? "internal" : "outbound");
}
log['subnet-id'] = eniData.subnetId;
log['vpc-id'] = eniData.vpcId;
log['aws-region'] = process.env.AWS_REGION;
} else {
console.log(`No ENI data found for interface ${vpcMessage[2]}`);
}
});
return records;
}).catch(function (err) {
console.log("Error in includeSecurityGroupIds", err);
return records;
});
}
module.exports = {
discardInternalTraffic: discardInternalTraffic,
includeSecurityGroupIds: includeSecurityGroupIds
};