Dagobah is an open source tool written in Python that automates internal threat intelligence generation, inventory collection, and compliance checks across different AWS resources. Dagobah collects information and saves the state into an Elasticsearch index.
Dagobah runs in a Lambda function and looks at all AWS regions. It currently collects different configurations from:
./
|- dagobah.py (main control for manual/automated exec)
|- modules/
   |- collector.py (query collection objects)
   |- iam_aws.py (iam stuff for aws multi account-role)
   |- setup.py (elk setup)
   |- analizer.py (analyzer that adds external info to the collector)
Ideally, a CloudWatch event triggers the Lambda every XXX with the account, role, and inventory type (all) to collect. The Lambda receives the CloudWatch event and iterates over the accounts/roles/inventory types to start querying the AWS EC2 API with boto3 (no extra charges for use). For different resources, an additional analyzer is triggered to get context information like:
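
The scheduled-event flow described above, sketched as an added example (this is not Dagobah's own code): the handler validates the event, assumes the named role in each account, and pages through the EC2 API in every region. The event field names, the `COLLECTORS` table, and the session name `dagobah-inventory` are assumptions made for illustration.

```python
import re

# Assumed (hypothetical) event, not Dagobah's schema: {"accounts": [{"account": ..., "role": ...}], "inventory": "all"}
# kind -> (EC2 paginator, result key, id field); an assumed subset of resources
COLLECTORS = {
    "security_groups": ("describe_security_groups", "SecurityGroups", "GroupId"),
    "volumes": ("describe_volumes", "Volumes", "VolumeId"),
}
ACCOUNT_RE = re.compile(r"\d{12}")
ROLE_RE = re.compile(r"[A-Za-z0-9_+=,.@-]{1,64}")

def expand_event(event):
    """Validate the scheduled event; return (role_arn, kind) work items."""
    wanted = event.get("inventory", "all")
    kinds = sorted(COLLECTORS) if wanted == "all" else [wanted]
    if any(k not in COLLECTORS for k in kinds):
        raise ValueError(f"unknown inventory type: {wanted!r}")
    tasks = []
    for entry in event["accounts"]:
        account, role = str(entry["account"]), str(entry["role"])
        # Reject anything that could smuggle a different ARN into AssumeRole.
        if not ACCOUNT_RE.fullmatch(account) or not ROLE_RE.fullmatch(role):
            raise ValueError(f"malformed account/role: {entry!r}")
        tasks += [(f"arn:aws:iam::{account}:role/{role}", k) for k in kinds]
    return tasks

def assume_role(role_arn):
    """Return a boto3 Session with short-lived credentials for role_arn."""
    import boto3  # lazy import: the other functions work without it
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="dagobah-inventory")["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])

def collect(session, kind):
    """Return one document per resource of `kind` across every enabled region."""
    paginator, key, id_field = COLLECTORS[kind]
    regions = session.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
    docs = []
    for region in (r["RegionName"] for r in regions):
        ec2 = session.client("ec2", region_name=region)
        for page in ec2.get_paginator(paginator).paginate():
            docs += [{"kind": kind, "region": region, "id": item[id_field]} for item in page[key]]
    return docs

def lambda_handler(event, context):
    docs = [d for arn, kind in expand_event(event) for d in collect(assume_role(arn), kind)]
    return {"collected": len(docs)}  # the Elasticsearch indexing step is not shown
```

The role assumed in each account only needs read-only `Describe*` permissions for this kind of inventory.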