terraform-aws-resource-exposure

Terraform to demonstrate exposed resources in AWS.

Note: Do not run this in production. Probably don't even run this in dev. Run it in a sandboxed account that you intend on nuking afterwards.

Instructions

If you are using a non-default AWS credentials profile, then set it using these variables (one is used by AWS CLI, one is used by Terraform). In this case, I called my profile vulnerable-aws.

export AWS_DEFAULT_PROFILE=vulnerable-aws
export AWS_PROFILE=vulnerable-aws

• Now set your AWS region

export AWS_DEFAULT_REGION=us-east-1

terraform init
terraform plan
terraform apply -auto-approve

Module Reference

Requirements

Name	Version
terraform	1.0.6
aws	3.63.0

Providers

Name	Version
archive	2.2.0
aws	3.63.0
null	3.1.0
random	3.1.0

Modules

No modules.

Resources

Name	Type
aws_ami_copy.example	resource
aws_ebs_snapshot.example	resource
aws_ebs_volume.example	resource
aws_ecr_repository.example	resource
aws_ecr_repository_policy.example	resource
aws_efs_file_system.example	resource
aws_efs_file_system_policy.example	resource
aws_iam_role.example	resource
aws_iam_role.lambda_exec_role	resource
aws_kms_alias.example	resource
aws_kms_key.example	resource
aws_lambda_function.example	resource
aws_lambda_layer_version.lambda_layer	resource
aws_lambda_layer_version.lambda_layer_2	resource
aws_s3_bucket.example	resource
aws_s3_bucket_object.example	resource
aws_s3_bucket_policy.example	resource
aws_secretsmanager_secret.example	resource
aws_secretsmanager_secret_policy.example	resource
aws_secretsmanager_secret_version.example	resource
aws_ses_domain_identity.example	resource
aws_ses_identity_policy.example	resource
aws_sns_topic.example	resource
aws_sns_topic_policy.example	resource
aws_sqs_queue.example	resource
aws_sqs_queue_policy.example	resource
null_resource.create_kms_grant	resource
null_resource.share_ami_publicly	resource
null_resource.share_ebs_volume_publicly	resource
null_resource.share_lambda_function_publicly	resource
random_string.random	resource
archive_file.layer	data source
aws_ami.example	data source
aws_caller_identity.current	data source
aws_iam_policy_document.ecr	data source
aws_iam_policy_document.efs	data source
aws_iam_policy_document.iam	data source
aws_iam_policy_document.s3	data source
aws_iam_policy_document.ses	data source
aws_iam_policy_document.sns	data source
aws_iam_policy_document.sqs	data source

Inputs

Name	Description	Type	Default	Required
domain_name	n/a	string	"test-resource-exposure.com"	no
kms_grantee_principal	KMS Grants require a valid IAM principal, and I don't want to expose my own AWS Account ID, so let's give New Relic (randomly selected) access to the KMS key.	string	"arn:aws:iam::754728514883:root"	no
name	n/a	string	"test-resource-exposure"	no
region	n/a	string	"us-east-1"	no

Outputs

No outputs.