🔍 Building an AWS Security Auditor CLI: My Bug-Filled Journey

"Because manually checking security groups is like playing whack-a-mole with hackers, which is shit"

What started as a simple Python script to audit AWS security groups turned into a masterclass in humility. Here's my journey of typos, missing directories, and pytest nightmares.

[Image: The AWS Security Groups console that started it all]

🎯 What I Set Out to Build

After spending countless hours manually reviewing security groups across multiple AWS accounts, I decided to automate the process. The goal was simple: build a CLI tool that could:

  • Scan all security groups across multiple AWS regions
  • Identify overly permissive rules (like 0.0.0.0/0 on dangerous ports)
  • Generate reports in multiple formats (CSV, JSON, HTML)
  • Provide remediation suggestions

requirements.txt
# Initial (flawed) setup
boto3==1.34.0
click==8.1.3
pandas==2.0.3
requiremnets.txt # Oops!

First Mistake: Yes, I misspelled "requirements.txt" in my own requirements file. Pro tip: Copy-paste is your friend.

💥 The Great pytest Fixture Fiasco

Testing is crucial for security tools. You don't want false negatives when scanning for vulnerabilities. My first attempt at writing tests was... educational.

test_audit_sg.py
def test_fetch_security_groups(ec2_client):
    # Fixture? What fixture?

pytest output:
E       fixture 'ec2_client' not found

Lesson Learned: Fixtures need to be defined in conftest.py or imported explicitly. My "quick copy-paste" from StackOverflow failed spectacularly.

Why Testing Matters for Security Tools

When building security tools, false negatives can be catastrophic. A tool that misses vulnerabilities gives a false sense of security. That's why thorough testing with mocked AWS responses is essential.

📂 The Case of the Missing Reports

After fixing the test issues, I ran the tool on a real AWS account. It crashed immediately with a cryptic error:

OSError: Cannot save file into a non-existent directory: 'reports'

# Fix:
import os
os.makedirs("reports", exist_ok=True)

Facepalm Moment: Assumed directories would magically appear. Added 3 lines to prevent this for everyone else.

Common Assumptions That Bite

  • Directories exist
  • AWS credentials are configured
  • Network connectivity is reliable
  • API rate limits don't matter

Better Approaches

  • Create directories programmatically
  • Validate credentials before operations
  • Add retry logic for network operations
  • Implement backoff strategies for APIs

🚀 Production-Ready Solution

After numerous iterations and embarrassing bugs, the final implementation emerged much more robust:

audit_sg.py
from pathlib import Path

def audit_security_groups():
    # Validate AWS config first! (aws_credentials_valid is a helper elsewhere in the tool)
    if not aws_credentials_valid():
        raise ValueError("AWS credentials not configured")

    # Auto-create the output directory instead of assuming it exists
    Path("reports").mkdir(exist_ok=True)

    # Core auditing logic: scan groups and collect the overly permissive ones
    vulnerable = find_insecure_groups()

    # Generate report
    save_as_csv(vulnerable)

Key Improvements:

  • Pre-flight credential checks
  • Auto directory creation
  • Proper error handling

The Final Result

The tool now successfully scans security groups across all regions, identifies vulnerabilities, and generates comprehensive reports. It's been used to audit over 500 security groups across 12 AWS accounts.

500+ Security Groups Audited
12 AWS Accounts
47 Vulnerabilities Found

💡 Hard-Earned Wisdom

🔧 Test Early, Test Often

My first "working" version missed 30% of security groups because I forgot to paginate AWS results.
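The two pieces that bit me hardest, the rule check behind find_insecure_groups and the pagination I forgot, as an added example (my illustration here, not the code from the repository). It assumes boto3's describe_security_groups response shape and a constructed sample of four groups; DANGEROUS_PORTS is an assumed list, not the tool's own.

```python
# Ports where an ingress rule open to the whole internet is treated as a finding (assumed list).
DANGEROUS_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def rule_is_open_to_world(perm):
    """True if an IpPermission entry (boto3 shape) allows any IPv4 or IPv6 source."""
    sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(s in ANYWHERE for s in sources)

def rule_hits_dangerous_port(perm):
    """True if the rule is all traffic (-1) or its port range covers a dangerous port."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:  # e.g. ICMP rules carry no port range
        return False
    return any(lo <= p <= hi for p in DANGEROUS_PORTS)

def find_insecure_groups(groups, region):
    """Return one finding per rule that is both world-open and on a dangerous port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if rule_is_open_to_world(perm) and rule_hits_dangerous_port(perm):
                findings.append({"region": region, "group_id": sg["GroupId"],
                                 "protocol": perm.get("IpProtocol"),
                                 "from_port": perm.get("FromPort"),
                                 "to_port": perm.get("ToPort")})
    return findings

def fetch_security_groups(region):
    """Pull every group in a region; the paginator is what my first version left out."""
    import boto3  # imported here so the rule checks above run without AWS access
    ec2 = boto3.client("ec2", region_name=region)
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return groups

# Constructed sample in the describe_security_groups response shape (not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000aaaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000bbbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000cccc", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000dddd", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389,
        "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for finding in find_insecure_groups(SAMPLE_GROUPS, "us-east-1"):
        print(finding)
```

Only sg-0000aaaa (SSH from anywhere) and sg-0000cccc (all traffic from any IPv6 source) are reported; 443 is not on the list and 10.0.0.0/8 is not the internet.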

📁 Never Trust Filesystems

That missing reports/ directory cost me 2 hours. Now I always call os.makedirs(..., exist_ok=True) before writing anything.

🐛 Embrace the Bugs

Every error message is a puzzle, not a failure. Even that cursed requirements.txt typo taught me about dependency management.

"The most valuable lessons come from the most embarrassing mistakes."

Ready to Secure Your AWS Environment?

The AWS Security Auditor is now available on GitHub. It's battle-tested (by my mistakes) and ready to help you identify security vulnerabilities in your AWS environment.

Warning: May contain traces of my early embarrassing commits