
A Python bot for detecting AWS resources in non-Europe regions. Especially useful for companies that are bound to European privacy laws.


AWS Monocyte


Monocyte - Search and Destroy unwanted AWS Resources relentlessly. Monocyte is a bot for searching (and optionally destroying) AWS resources in non-EU regions, written in Python using Boto. It is especially useful for companies that are bound to European privacy laws and for that reason do not want to process user data in non-EU regions. Additionally, Monocyte can handle compliance issues, e.g. checking that there are no users with static credentials and no policies that violate the least-privilege rule.

The name Monocyte refers to a type of white blood cell that is part of the human innate immune system, the first line of defense responsible for searching out and destroying alien organisms to prevent unwanted infections.

Background

With Ireland and Frankfurt being available as AWS regions nowadays, Amazon has (more or less) dispelled EU and especially German legal concerns regarding the storage and processing of privacy-related data. However, for European companies it remains difficult to prevent (accidental) usage of services outside the EU, as there is still no standardized way to restrict AWS account rights at the region level.

Especially in open, DevOps-inspired company cultures like ours this becomes a major issue. On the one hand we want our teams to work with AWS and manage their own accounts mostly autonomously. On the other hand we are bound to EU and German privacy laws and for that reason want to search and destroy unwanted AWS resources relentlessly. Therefore, we started implementing our own basic AWS immune system layer: Monocyte.

Also read AWS Monocyte - Let’s Build a Cloud Immune System or check out the presentation we did for the AWS UserGroup Meetup in March 2015 at the Immobilien Scout HQ in Berlin.

Prerequisites

Usage

pip install aws-monocyte
monocyte --help

usage:
    monocyte [options]

options:
    --dry-run=bool valid values "True" or "False" [default: True]
    --config-path=PATH path to config yaml files

When --dry-run is explicitly set to "False", Monocyte will delete unwanted resources.

Configuration is done via YAML files. If the path given via --config-path is a directory containing several *.yaml files, they are merged in alphabetical order. The [documentation of yamlreader](https://github.com/ImmobilienScout24/yamlreader) contains more details.

An example configuration file with documentation can be found on GitHub.
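As an added illustration (not Monocyte's own code), the following shows the core of such a scan: resources are classified against an EU region allow-list, reported, and removed only when dry-run is explicitly off. The inventory and the delete callback are constructed here; in practice the inventory would come from per-region API calls (e.g. boto3 describe_* calls, an assumption about how one would wire it up).

```python
"""Region-compliance scan in the spirit of Monocyte (example, not the project's code)."""
from dataclasses import dataclass, field

# Ireland and Frankfurt, the two EU regions named in the README.
EU_REGIONS = frozenset({"eu-west-1", "eu-central-1"})


@dataclass(frozen=True)
class Resource:
    service: str      # e.g. "ec2.instance", "s3.bucket"
    region: str       # AWS region the resource lives in
    identifier: str   # instance id, bucket name, ...


@dataclass
class ScanReport:
    compliant: list = field(default_factory=list)
    unwanted: list = field(default_factory=list)
    deleted: list = field(default_factory=list)


def parse_dry_run(value):
    """Mirror the CLI's --dry-run=bool: only "True" / "False" are valid, default True."""
    if value is None or value == "True":
        return True
    if value == "False":
        return False
    raise ValueError('--dry-run accepts only "True" or "False", got %r' % (value,))


def scan(resources, dry_run=True, allowed=EU_REGIONS, delete=None):
    """Classify resources by region; delete unwanted ones only when dry_run is False.

    `delete` is a callback taking a Resource (hypothetical hook for the real API call).
    """
    report = ScanReport()
    for res in resources:
        if res.region in allowed:
            report.compliant.append(res)
            continue
        report.unwanted.append(res)          # always reported, even in dry-run
        if not dry_run and delete is not None:
            delete(res)                      # destructive path, opt-in only
            report.deleted.append(res)
    return report


# Constructed sample inventory; not real AWS data.
SAMPLE_INVENTORY = [
    Resource("ec2.instance", "eu-west-1", "i-0example1"),
    Resource("s3.bucket", "us-east-1", "example-backup-copy"),
    Resource("ec2.instance", "eu-central-1", "i-0example2"),
    Resource("rds.instance", "ap-southeast-1", "example-db-test"),
]
```

Running `scan(SAMPLE_INVENTORY)` lists the two non-EU resources without touching them; only `scan(SAMPLE_INVENTORY, dry_run=False, delete=...)` invokes the callback.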

Licensing

Monocyte is licensed under Apache License, Version 2.0.