Bob Aman

Port Scanning All Public IPs on an AWS Account With Nmap

I’ve found myself frequently enumerating all public and elastic IPs on various AWS accounts in order to audit the set of services exposed to the Internet. This is a tedious process through the AWS console UI, and doing it through the AWS CLI involves an incantation that is impossible to remember.

For the curious, that incantation is:

aws ec2 describe-instances --query "Reservations[*].Instances[*].PublicIpAddress" --output=text > /tmp/publicips.txt
nmap -iL /tmp/publicips.txt -sC -sV

Two caveats: describe-instances only covers the region the CLI is configured for (pass --region or repeat per region), and it only lists addresses attached to instances, so an Elastic IP sitting on a NAT gateway or left unassociated will not be in the file. Instances with no public address show up as the literal text "None" in the output, which nmap then tries (and fails) to resolve as a hostname.

I finally decided to stop spending 30 minutes on Google every time I needed to do this and wrote a quick utility I could actually remember how to use.

pip install aws-nmap
aws-nmap -sC -sV

Any arguments passed to aws-nmap are simply forwarded to nmap, along with every public IP in use by instances on your AWS account. Great! Now stop putting Redis/MongoDB on public IPs bound to 0.0.0.0!
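Here is an added example of the same procedure in Python. It is my own illustration, not the source of the aws-nmap package: it gathers public IPs from both describe_instances and describe_addresses, de-duplicates them, writes a target file, and runs nmap -iL with whatever arguments you pass on the command line. Running it for real assumes boto3 with working credentials and an nmap binary on PATH; the SAMPLE_* responses are constructed (TEST-NET addresses, not a real account) to show the two cases the one-liner above misses: an instance with no public address, and an Elastic IP that is allocated but not attached to an instance.

```python
"""Enumerate the public IPv4 addresses on an AWS account and hand them to nmap.

Added example, not the aws-nmap package's source. Running it for real
needs boto3 with working credentials and an nmap binary on PATH; the
helper functions are pure so they can be exercised on the constructed
sample responses below without touching AWS.
"""
import ipaddress
import shlex
import subprocess
import sys
import tempfile

# Constructed sample API responses (TEST-NET addresses, not a real account)
# in the shape ec2.describe_instances() / ec2.describe_addresses() return.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10",
         "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.10"}}]},
        {"InstanceId": "i-0bbb"},  # private-only: no PublicIpAddress key at all
    ]},
    {"Instances": [{"InstanceId": "i-0ccc", "PublicIpAddress": "203.0.113.7"}]},
]
SAMPLE_ADDRESSES = [
    {"PublicIp": "203.0.113.10", "InstanceId": "i-0aaa"},  # EIP already seen above
    {"PublicIp": "198.51.100.4"},  # EIP on a NAT gateway: invisible via instances
]


def collect_public_ips(reservations, addresses):
    """Return the de-duplicated public IPv4 addresses, sorted numerically.

    reservations: the "Reservations" list from describe_instances()
    addresses:    the "Addresses" list from describe_addresses()
    Instances without a public address are skipped instead of emitting the
    string "None", and Elastic IPs come from describe_addresses() so ones
    that are allocated but not attached to an instance are still scanned.
    """
    ips = set()
    for reservation in reservations:
        for instance in reservation.get("Instances", []):
            if instance.get("PublicIpAddress"):
                ips.add(instance["PublicIpAddress"])
            # Secondary network interfaces can carry their own public IPs.
            for eni in instance.get("NetworkInterfaces", []):
                public_ip = eni.get("Association", {}).get("PublicIp")
                if public_ip:
                    ips.add(public_ip)
    for address in addresses:
        if address.get("PublicIp"):
            ips.add(address["PublicIp"])
    return sorted(ips, key=ipaddress.IPv4Address)


def nmap_command(nmap_args, target_file):
    """argv for nmap: the user's arguments verbatim, then -iL <target file>."""
    return ["nmap", *nmap_args, "-iL", target_file]


def fetch_public_ips(region=None):
    """Pull both listings from AWS for one region (EC2 APIs are region-scoped)."""
    import boto3  # imported here so the pure helpers above work without it
    ec2 = boto3.client("ec2", region_name=region)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    addresses = ec2.describe_addresses()["Addresses"]
    return collect_public_ips(reservations, addresses)


def main(argv):
    ips = fetch_public_ips()
    if not ips:
        print("no public IPs found in this region", file=sys.stderr)
        return 1
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("\n".join(ips) + "\n")
    cmd = nmap_command(argv, fh.name)
    print(" ".join(shlex.quote(part) for part in cmd), file=sys.stderr)
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python aws_nmap_example.py -sC -sV` with your usual AWS environment set. Because describe_instances and describe_addresses are region-scoped, a multi-region account needs the fetch repeated per region (the region names come from ec2.describe_regions()); the sorted, de-duplicated list also makes it easy to diff two runs and spot newly exposed addresses.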