tag:blogger.com,1999:blog-6393645887928795662024-03-27T02:37:58.018-04:00security+notes about it-security and system administrationIhor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.comBlogger76125tag:blogger.com,1999:blog-639364588792879566.post-86856075329468127712021-06-17T22:10:00.002-04:002021-06-17T22:10:58.619-04:00Things that the attacker won't care about. Thoughts on cloud security.<p> <span style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">Things that the attacker won't care about:</span></p><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- whether you have a dedicated infosec team</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- their certification level</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- your budget for security</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- your roadmap and project plan for addressing security issues</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- your compliance status and audit reports</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- the vendors and products you are using</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">Start with the very basics, use open source if needed, and build on that layer by layer. 
</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">Always ask yourself: how am I protected <b>now</b>? What could be improved <b>now</b>? What if I'm attacked <b>now</b>?</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">Many say that security is not a state but a process. True, but a process by itself is not security either.</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">None of this is new or surprising, but in the cloud it matters even more:</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- your infrastructure is always connected and always reachable from anywhere on the planet</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- it takes only one compromised credential, a few minutes and a handful of API calls to nuke everything in your account. 
</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">What are your incident response SLA times?</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- the cloud gives you scalability, but it gives the same scalability to the attacker. Spin up 10,000 instances to crunch some numbers or to attack you? For sure.</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- infrastructure as code empowers you, but the same is true for the attacker, who can reuse templates and patterns to build attack infrastructure</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">- data exfiltration speed is no longer limited by your ISP bandwidth; it is effectively unlimited, and the transfer will show up on your cloud bill.</div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;">At the same time, the cloud offers the opportunity to build security to a level that is impossible on-prem, with a broad set of cloud services, templates and practically unlimited capacity. Build smart, stay secure. 
</div><div><br /></div>Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-68235196274696629402021-05-04T20:50:00.003-04:002021-05-04T20:50:29.217-04:00Using AWS Config, Lambda and Splunk to build detective controls for AWS.<p>The key AWS document that helps clients succeed in cloud adoption, the AWS Cloud Adoption Framework, defines Detective Controls as follows in its <a href="https://aws.amazon.com/professional-services/CAF/#Security_Perspective" target="_blank">Security Perspective section</a>:</p><ul style="box-sizing: border-box; color: #333333; font-family: AmazonEmber, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; list-style-image: initial; list-style-position: initial; margin: 0px 0px 0px 2px; padding: 0px 0px 0px 20px;"><li style="box-sizing: border-box; margin-bottom: 10px;"><span style="box-sizing: border-box; font-family: AmazonEmberBold, "Helvetica Neue Bold", "Helvetica Neue", Helvetica, Arial, sans-serif;">Detective Control</span> provides guidance to help identify potential security incidents within your AWS environment.</li></ul><div><span style="color: #333333; font-family: AmazonEmber, Helvetica Neue, Helvetica, Arial, sans-serif;"><span style="font-size: 14px;">The AWS Well-Architected Framework adds to that:</span></span></div><div><span style="color: #333333; font-family: AmazonEmber, Helvetica Neue, Helvetica, Arial, sans-serif;"><span style="font-size: 14px;"><br /></span></span></div><div><ul style="box-sizing: border-box; color: #333333; font-family: AmazonEmber, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; list-style-image: initial; list-style-position: initial; margin: 0px 0px 0px 2px; padding: 0px 0px 0px 20px;"><li style="box-sizing: border-box; margin-bottom: 10px;"> You can use detective controls to identify a potential security threat or incident. 
They are an essential part of governance frameworks and can be used to support a quality process, a legal or compliance obligation, and for threat identification and response efforts. </li><li style="box-sizing: border-box; margin-bottom: 10px;">In AWS, you can implement detective controls by processing logs, events, and monitoring that allows for auditing, automated analysis, and alarming</li></ul><div><span style="color: #333333; font-family: AmazonEmber, Helvetica Neue, Helvetica, Arial, sans-serif;"><span style="font-size: 14px;"><br /></span></span></div></div><div><span style="color: #333333; font-family: AmazonEmber, Helvetica Neue, Helvetica, Arial, sans-serif;"><span style="font-size: 14px;"><br /></span></span></div><div>Below I describe an implementation of AWS detective controls using native AWS and third-party services:</div><div><ul style="text-align: left;"><li>AWS Config and Config Rules (managed and custom)</li><li>Lambda</li><li>CloudWatch Events, a.k.a. EventBridge</li><li>Kinesis Data Firehose</li><li>Splunk Cloud</li></ul></div><div><br /></div><div>Our <b>Goal</b> is: <i>Build a set of automated detective controls for a multi-account, distributed AWS environment, along with automatic remediation, compliance dashboards, a single pane of glass for security events, and notifications</i>. 
</div><div><br /></div><div>Let's start by collecting our <b>requirements</b>:</div><div><ul style="text-align: left;"><li>All components of the solution must be represented as code</li><li>Serverless Application Model</li><li>Maximum use of native AWS services</li><li>Third-party components should be pluggable</li><li>Fully distributed architecture with no critical central components</li><li>Event-driven architecture</li><li>Near-real-time event processing and ingestion</li><li>Resource whitelisting (via ARN and/or resource tag) support</li></ul><div><br /></div></div><div>Major <b>components</b>:</div><div><ul style="text-align: left;"><li>AWS Config Service</li><li>Managed (by AWS) Config rules</li><li>Custom (customer-created Lambda) Config rules</li><li>EventBridge event rule</li><li>Processing Lambda</li><li>Firehose (delivery2Splunk)</li><li>S3 buckets</li><li>IAM roles</li><li>DynamoDB tables</li><li>Splunk with HEC configured</li><li>AWS Security Hub</li></ul></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBQsplUpay3-NpIMZL8ltPloWmUVYXjNkOuKWoqI2v8itPtYHxblerfvPfS6WVL9Sx1O2b3jLLzYLMrdg6wpo21X9H4BlVEErGRQG4RKmdBaIx24-xk7XctFro-81WRIc-hX87mLyDMGg/s2684/Blog_Config_Compliance-events-ingestion.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1171" data-original-width="2684" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBQsplUpay3-NpIMZL8ltPloWmUVYXjNkOuKWoqI2v8itPtYHxblerfvPfS6WVL9Sx1O2b3jLLzYLMrdg6wpo21X9H4BlVEErGRQG4RKmdBaIx24-xk7XctFro-81WRIc-hX87mLyDMGg/w640-h280/Blog_Config_Compliance-events-ingestion.png" width="640" /></a></div><div><br /></div><div>Event <b>flow and processing</b>:</div><div><ol style="text-align: left;"><li>AWS Config rule evaluation starts because:</li><ul><li>an AWS resource in the scope of the Config rule is being 
created/modified/deleted</li><li>a new Config rule has been deployed</li><li>a schedule-driven rule evaluation has started</li><li>an on-demand evaluation of the rules has been triggered via the web UI, API or CLI</li></ul><li>Rule evaluation completes and the resource compliance status changes to COMPLIANT | NON_COMPLIANT | NOT_APPLICABLE</li><li>A <b>ComplianceChangeNotification</b> event is generated: AWS Config emits it whenever the compliance type of a resource it evaluates has changed</li><li>An EventBridge event rule invokes the processing Lambda.</li><li>The processing Lambda will:</li><ul><li>extract all required fields from the EventBridge event.</li><li>create a <a href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/FormateventsforHTTPEventCollector" target="_blank">data structure suitable for Splunk ingestion via Splunk HEC</a></li><li>add custom Splunk fields, defined at index time, carrying AWS account metadata: AWS account ID, account name, AWS organization, environment, customer, etc.</li><li>enrich this data structure with information from the central Config rule metadata DynamoDB table: rule severity, description, associated compliance framework name and section, etc. 
</li><li>to fetch information from DynamoDB, the processing Lambda assumes a role in the "Security/Log Archive" account that grants only read access to the required DynamoDB tables.</li><li>call the AWS Config service to retrieve additional information about the AWS resource whose compliance status has changed, such as resource name, ARN, all available tags, etc.</li><li>enrich the existing event data structure with the information obtained from Config.</li><li>fetch the resource whitelisting status (whitelisted or not, the reason for whitelisting, whitelisted by whom and when) from the central DynamoDB table of whitelisted resources, keyed by a dedicated resource tag and/or the resource ARN.</li><li>enrich the existing event data structure with the whitelisting information.</li><li>send the event, enriched in the previous steps, to the <a href="https://docs.aws.amazon.com/firehose/latest/dev/creating-the-stream-to-splunk.html">Kinesis Data Firehose configured with Splunk HEC</a> as destination and a central S3 bucket as backup storage.</li><li>build a new data structure that conforms to the <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html" target="_blank">AWS Security Finding Format (ASFF)</a></li><li>adjust the event severity based on the whitelisting status</li><li>fetch additional security context from other AWS services that might affect the security event severity and incorporate it into the ASFF data structure.</li><li>send the ASFF event to Security Hub</li></ul><li>Kinesis Data Firehose delivers the event to the Splunk HTTP Event Collector (HEC) endpoint for indexing.</li><li>Security Hub in the administrator (master) account serves as a single pane of glass for the global security team, alongside Splunk.</li><li>Security Hub in the member account is useful for the customer (the account owner) to monitor and address security findings in their own account. 
</li></ol></div><b><div><b><br /></b></div><div><b><br /></b></div>Highlights</b> of the solution:<div><ul style="text-align: left;"><li>event-driven via EventBridge</li><li>uses a <i>compliance status change</i> as the trigger to process an event</li><li>processing Lambda is distributed per AWS account and region</li><li>processing leverages the AWS Config service to extract additional information about the resource itself (ARN, all tags, resource name, etc.)</li><li>verifies the whitelisting status of the resource (by ARN or dedicated tag) using read-only access to a secured, centralized DB</li><li>obtains additional details about the Config rule that triggered the compliance status change from the centralized DynamoDB table: rule enable/disable status, severity, event routing information (to Splunk, to Security Hub, to PagerDuty), rule details, etc.</li><li>enriches the event with the information obtained from the whitelisting and Config rule metadata tables</li><li>automatically adjusts event severity based on the whitelisting status</li><li>sends the enriched event to Splunk via Firehose</li><li>sends the enriched event to Security Hub using the AWS Security Finding Format (ASFF)</li><li>the architecture can be extended to accommodate an auto-remediation flow</li><li>can serve as an integration point for any third-party logging, alerting or ticketing tool. 
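<p>The processing steps above, as an added example that is not the author's Lambda: it takes one ComplianceChangeNotification as EventBridge delivers it, enriches it from the rule-metadata and whitelist tables plus the Config resource details, builds both the Splunk HEC event and the ASFF finding, and downgrades the severity of a whitelisted resource. The tag name <i>security-exception</i>, the table layouts, the account metadata and the sample event are all assumptions made for the example; the three lookups are injected as dicts so it runs offline, and the real deployment would replace them with DynamoDB reads under the assumed read-only role and a Config API call.</p>

```python
"""Added example of the processing Lambda in the flow above; it is not the blog's own code.
One AWS Config ComplianceChangeNotification, as delivered by EventBridge, becomes a Splunk HEC
event and an ASFF finding, with severity downgraded for whitelisted resources. The lookups the
post describes (rule-metadata table, whitelist table, Config resource details) are injected as
dicts so this runs offline; deployed, they are DynamoDB reads under an assumed read-only role
plus a Config API call, and the two payloads go to Firehose and Security Hub."""
from datetime import datetime, timezone

WHITELIST_TAG = "security-exception"  # assumed tag name, not from the post
ASFF_RESOURCE_TYPE = {"AWS::S3::Bucket": "AwsS3Bucket"}  # Config type -> ASFF resource type
# Constructed fixtures standing in for the real tables and API responses.
RULE_METADATA = {"s3-bucket-public-read-prohibited": {  # central rule-metadata table
    "enabled": True, "severity": "HIGH", "route": ["splunk", "securityhub"],
    "description": "S3 bucket policy or ACL allows public read access",
    "framework": "Example-Baseline", "section": "S3-01"}}  # placeholder values
WHITELIST = {"EXC-2021-017": {  # central whitelist table, keyed by ARN or by exception id
    "reason": "static website bucket, public by design", "by": "appsec@example.com", "when": "2021-04-01"}}
CONFIG_RESOURCES = {  # what the Config API would return for each resourceId
    "my-bucket": {"arn": "arn:aws:s3:::my-bucket", "name": "my-bucket",
                  "tags": {"Environment": "prod", "Owner": "data-team"}},
    "public-site-assets": {"arn": "arn:aws:s3:::public-site-assets", "name": "public-site-assets",
                           "tags": {"Environment": "prod", WHITELIST_TAG: "EXC-2021-017"}}}
ACCOUNT_METADATA = {"account_name": "prod-data", "organization": "example-org",
                    "environment": "prod", "customer": "internal"}


def sample_event(resource_id="my-bucket", new="NON_COMPLIANT", old="COMPLIANT",
                 rule="s3-bucket-public-read-prohibited"):
    """Constructed EventBridge event shaped like a real ComplianceChangeNotification."""
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change", "detail": {
        "resourceId": resource_id, "resourceType": "AWS::S3::Bucket",
        "awsRegion": "us-east-1", "awsAccountId": "111122223333",
        "configRuleName": rule, "messageType": "ComplianceChangeNotification",
        "configRuleARN": "arn:aws:config:us-east-1:111122223333:config-rule/config-rule-abcd12",
        "newEvaluationResult": {"complianceType": new, "resultRecordedTime": "2021-05-04T20:50:00.000Z"},
        "oldEvaluationResult": {"complianceType": old}}}


def whitelist_entry(resource, whitelist):
    """Look the resource up by ARN first, then by the value of the whitelist tag."""
    entry = whitelist.get(resource["arn"])
    if entry is None and WHITELIST_TAG in resource["tags"]:
        entry = whitelist.get(resource["tags"][WHITELIST_TAG])
    return entry


def to_hec(detail, rule, resource, wl, severity, account_meta):
    """Splunk HEC JSON event; 'fields' become index-time fields (account metadata)."""
    result = detail["newEvaluationResult"]
    recorded = datetime.strptime(result["resultRecordedTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"time": int(recorded.replace(tzinfo=timezone.utc).timestamp()),
            "host": detail["awsAccountId"], "source": "aws:config", "sourcetype": "aws:config:compliance",
            "event": {"configRuleName": detail["configRuleName"], "complianceType": result["complianceType"],
                      "previousComplianceType": detail["oldEvaluationResult"]["complianceType"],
                      "resourceType": detail["resourceType"], "resourceArn": resource["arn"],
                      "resourceName": resource["name"], "tags": resource["tags"], "rule": rule,
                      "whitelisted": wl is not None, "whitelist": wl, "severity": severity},
            "fields": {"aws_account_id": detail["awsAccountId"], "aws_region": detail["awsRegion"],
                       **account_meta}}


def to_asff(detail, rule, resource, wl, severity):
    """Minimal but valid ASFF finding for securityhub:BatchImportFindings."""
    result, region, account = detail["newEvaluationResult"], detail["awsRegion"], detail["awsAccountId"]
    failed = result["complianceType"] == "NON_COMPLIANT"
    return {"SchemaVersion": "2018-10-08", "Id": f"{detail['configRuleARN']}/{resource['arn']}",
            "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
            "GeneratorId": detail["configRuleName"], "AwsAccountId": account,
            "Types": ["Software and Configuration Checks/AWS Config Analysis"],
            "CreatedAt": result["resultRecordedTime"],
            "UpdatedAt": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
            "Severity": {"Label": severity, "Original": rule["severity"]},
            "Title": f"{detail['configRuleName']}: {resource['name']}",
            "Description": rule["description"] + (f" (whitelisted: {wl['reason']})" if wl else ""),
            "Compliance": {"Status": "FAILED" if failed else "PASSED"},
            "ProductFields": {"framework": rule["framework"], "section": rule["section"]},
            "Resources": [{"Type": ASFF_RESOURCE_TYPE.get(detail["resourceType"], "Other"),
                           "Id": resource["arn"], "Partition": "aws", "Region": region, "Tags": resource["tags"]}],
            "RecordState": "ACTIVE" if failed else "ARCHIVED",
            "Workflow": {"Status": "NEW" if failed else "RESOLVED"}}


def handler(event, context=None, *, rule_metadata=RULE_METADATA, whitelist=WHITELIST,
            config_resources=CONFIG_RESOURCES, account_meta=ACCOUNT_METADATA):
    """Lambda entry point; returns the payloads instead of sending them."""
    detail = event["detail"]
    if detail.get("messageType") != "ComplianceChangeNotification":
        return {"skipped": "not a compliance change"}
    rule = rule_metadata.get(detail["configRuleName"])
    if not rule or not rule["enabled"]:
        return {"skipped": "rule unknown or disabled in the metadata table"}
    resource = config_resources[detail["resourceId"]]  # deployed: Config API call
    wl = whitelist_entry(resource, whitelist)
    severity = "INFORMATIONAL" if wl else rule["severity"]  # whitelisted: record, never page
    out = {}
    if "splunk" in rule["route"]:  # deployed: firehose.put_record(...)
        out["splunk"] = to_hec(detail, rule, resource, wl, severity, account_meta)
    if "securityhub" in rule["route"]:  # deployed: securityhub.batch_import_findings(...)
        out["securityhub"] = to_asff(detail, rule, resource, wl, severity)
    return out
```

<p>Two design points worth keeping from this shape: the rule-metadata table, not the Lambda code, decides whether a rule is enabled and where its events are routed, so turning a noisy rule off is a table update rather than a redeploy; and a whitelisted resource is still written to Splunk and Security Hub with the original severity preserved in <i>Severity.Original</i>, so the exception stays auditable instead of silently disappearing.</p>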
</li></ul><div><br /></div></div>Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-33593214072482515382021-03-26T21:44:00.004-04:002021-03-27T12:25:55.868-04:00AWS basic account-level hardening<p><span face="-apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"" style="background-color: white; color: #24292e; font-size: 16px;"><b>CloudFormation template to enable basic AWS account-level security: CloudTrail, AWS Config, CloudWatch alarms on security events, etc.</b></span></p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">The very first thing you need to do while building your AWS infrastructure is to enable and configure all AWS account-level security features such as CloudTrail, AWS Config, CloudWatch, IAM, etc. To do this, you can use my Amazon AWS account-level security checklist and how-to or any other source. 
To avoid manual steps and to stay aligned with the SecurityAsCode concept, I suggest using a set of CloudFormation templates that provide the following functionality:</p><ul style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; padding-left: 2em;"><li style="box-sizing: border-box;">configures CloudTrail according to current best practices (KMS encryption, log file validation, etc.)</li><li style="box-sizing: border-box; margin-top: 0.25em;">configures the AWS Config service and creates a basic set of Config rules to monitor best practices</li><li style="box-sizing: border-box; margin-top: 0.25em;">implements Section 3 (Monitoring) of the CIS Amazon Web Services Foundations Benchmark.</li></ul><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><span style="box-sizing: border-box; font-weight: 600;">Launch template now:</span> <a href="https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://s3.amazonaws.com/secureincloud.ca/aws/security.global.yaml&stackName=AWSBasicHardening&param_Bucket4CloudTrail=my-trail-bucket&param_Bucket4Config=my-config-bucket"><img alt="CloudFormation_template" src="http://secureincloud.ca/cloudformation-launch-stack.png" /></a></p><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><p></p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">Global Security stack 
template structure:</p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><em style="box-sizing: border-box;">security.global.yaml</em> - parent template for all nested templates; links them together and controls the dependencies between the nested stacks.</p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><em style="box-sizing: border-box;">cloudtrail.clobal.yaml</em> - nested template for the global configuration of CloudTrail</p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><em style="box-sizing: border-box;">awsconfig.global.yaml</em> - nested template for the global AWS Config service configuration and Config rules.</p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><em style="box-sizing: border-box;">cloudwatchalarms.global.yaml</em> - nested template for the global CloudWatch Logs alarms and security metrics. Uses a FilterMap to create the different security-related metric filters on the CloudTrail log group, the corresponding metrics, and notifications for suspicious or dangerous events. 
You can customize a filter on a per-environment basis.</p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">Input parameters:</p><ul style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; padding-left: 2em;"><li style="box-sizing: border-box;"><p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 16px;"><em style="box-sizing: border-box;">CFtemplateBucketURL</em>: URL of the CloudFormation templates to use (normally in an S3 bucket). This parameter is prepopulated with the value <a href="https://s3.amazonaws.com/secureincloud.ca/aws/" style="background-color: initial; box-sizing: border-box; color: #0366d6; text-decoration-line: none;">https://s3.amazonaws.com/secureincloud.ca/aws/</a></p></li><li style="box-sizing: border-box; margin-top: 0.25em;"><p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 16px;"><em style="box-sizing: border-box;">Bucket4Logs</em>: name of the new bucket that will be created to collect the CloudTrail and Config logs</p></li><li style="box-sizing: border-box; margin-top: 0.25em;"><p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 16px;"><em style="box-sizing: border-box;">LogRetentionDays</em>: number of days to keep the logs in the S3 bucket. Default 365 (1 year)</p></li><li style="box-sizing: border-box; margin-top: 0.25em;"><p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 16px;"><em style="box-sizing: border-box;">AWSAccountName</em>: AWS account nickname (purpose), a user-friendly name for your AWS account. 
It will be used in the names of the CloudWatch alarms.</p></li><li style="box-sizing: border-box; margin-top: 0.25em;"><p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 16px;"><em style="box-sizing: border-box;">InfosecEmail</em>: email of the infosec team that receives the security-related alerts from the CloudWatch alarms</p></li><li style="box-sizing: border-box; margin-top: 0.25em;"><p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 16px;"><em style="box-sizing: border-box;">DevOpsEmail</em>: email of the DevOps team that receives the operations-related alerts from the CloudWatch alarms</p></li></ul><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">AWS managed Config rules deployed by the template:</p><ul style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; padding-left: 2em;"><li style="box-sizing: border-box;">iam-user-no-policies-check Description: Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles</li><li style="box-sizing: border-box; margin-top: 0.25em;">root-account-mfa-enabled Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.</li><li style="box-sizing: border-box; margin-top: 0.25em;">s3-bucket-public-read-prohibited Description: Checks that your S3 buckets do not allow public read access. 
If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.</li><li style="box-sizing: border-box; margin-top: 0.25em;">s3-bucket-public-write-prohibited Description: Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.</li><li style="box-sizing: border-box; margin-top: 0.25em;">restricted-ssh Description: Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.</li><li style="box-sizing: border-box; margin-top: 0.25em;">iam-password-policy Description: Checks whether the account password policy for IAM users meets the specified requirements.</li></ul><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">AWS CIS checks covered by the template (implemented via CloudWatch alarms):</p><ul style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; padding-left: 2em;"><li style="box-sizing: border-box;">AWS CIS 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.3 Ensure a log metric filter and alarm exist for usage of the root account</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.4 Ensure a log metric filter and alarm exist for IAM policy changes</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.5 Ensure a log metric filter and 
alarm exist for CloudTrail configuration changes</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.10 Ensure a log metric filter and alarm exist for security group changes</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.12 Ensure a log metric filter and alarm exist for changes to network gateways</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.13 Ensure a log metric filter and alarm exist for route table changes</li><li style="box-sizing: border-box; margin-top: 0.25em;">AWS CIS 3.14 Ensure a log metric filter and alarm exist for VPC changes</li></ul><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">Custom checks implemented via CloudWatch alarms:</p><ul style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px; padding-left: 2em;"><li style="box-sizing: border-box;">Custom: alarms when a large number of sensitive operations (Start, Stop, Terminate or Reboot Instance) are performed in a short time period</li><li style="box-sizing: border-box; margin-top: 0.25em;">Custom: alarms when a large number of instances are being terminated</li><li style="box-sizing: border-box; margin-top: 0.25em;">Custom: alarms when a volume is force-detached from an instance</li><li style="box-sizing: border-box; margin-top: 0.25em;">Custom: alarms when a VPC flow log is created or deleted</li></ul><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><b>Some important notes:</b></p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><i>Many cloud security professionals might suggest that using CloudWatch alarms as a security detective control is a bit outdated. AWS now has far more robust native mechanisms: a large catalog of managed AWS Config rules, and the CIS, PCI and AWS Foundational Security Best Practices standards (with their associated checks) in Security Hub. 
</i></p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><i>In addition, you can leverage third-party tools such as Splunk or Sumo Logic to build far more sophisticated detective controls.</i></p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><i>This is true... But each of these mechanisms carries significant extra cost. AWS security becomes quite expensive when you use Config rules or Security Hub at scale. CloudWatch alarms, on the contrary, are cheap.</i></p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><i>Moreover, CloudWatch alarm-based security controls rely on the most robust, reliable and fundamental AWS services, and should be used as a third layer of your security defense, protecting you if third-party or more complex native AWS security mechanisms fail.</i></p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;"><br /></p><p style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 16px; margin-bottom: 16px; margin-top: 0px;">Feel free to extend this list with your own custom checks, following the 
examples provided in the template and below:</p><pre style="background-color: #f6f8fa; border-radius: 3px; box-sizing: border-box; color: #24292e; font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, monospace; font-size: 13.6px; line-height: 1.45; margin-bottom: 0px; margin-top: 0px; overflow-wrap: normal; overflow: auto; padding: 16px;"><code style="background: initial; border-radius: 3px; border: 0px; box-sizing: border-box; display: inline; font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, monospace; font-size: 13.6px; line-height: inherit; margin: 0px; overflow-wrap: normal; overflow: visible; padding: 0px; word-break: normal;">```
rds-change:
  all: '{$.eventName = CopyDB* || $.eventName = CreateDB* || $.eventName = DeleteDB*}'
srt-instance:
  all: '{($.eventName = StopInstances || $.eventName = TerminateInstances || $.eventName = RebootInstances)}'
large-instance:
  all: >-
    { (($.eventName = RunInstances) || ($.eventName = StartInstances)) && (($.requestParameters.instanceType = *.2xlarge)
    || ($.requestParameters.instanceType = *.4xlarge) || ($.requestParameters.instanceType = *.8xlarge)
    || ($.requestParameters.instanceType = *.10xlarge)) }
change-critical-ebs:
  prod: >-
    {($.eventName = DetachVolume || $.eventName = AttachVolume || $.eventName = CreateVolume
    || $.eventName = DeleteVolume || $.eventName = EnableVolumeIO || $.eventName = ImportVolume
    || $.eventName = ModifyVolumeAttribute) && ($.requestParameters.volumeId = vol-youvol1ID
    || $.requestParameters.volumeId = vol-youvol2ID)}
create-delete-secgroup:
  all: >-
    {$.eventName = CreateSecurityGroup || $.eventName = CreateCacheSecurityGroup
    || $.eventName = CreateClusterSecurityGroup || $.eventName = CreateDBSecurityGroup
    || $.eventName = DeleteSecurityGroup || $.eventName = DeleteCacheSecurityGroup
    || $.eventName = DeleteClusterSecurityGroup || $.eventName = DeleteDBSecurityGroup}
secgroup-instance:
  all: '{$.eventName = ModifyInstanceAttribute && $.requestParameters.groupSet.items[0].groupId = * }'
cloudformation-change:
  all: >-
    {$.eventSource = cloudformation.amazonaws.com && ($.eventName != Validate*
    && $.eventName != Describe* && $.eventName != List* && $.eventName != Get*)}
critical-instance:
  prod: >-
    {$.requestParameters.instanceId = i-instance1ID || $.requestParameters.instanceId = i-instance2ID
    || $.requestParameters.instanceId = i-instance3ID || $.requestParameters.instanceId = i-instance4ID
    || $.requestParameters.instanceId = i-instance5ID || $.requestParameters.instanceId = i-instance6ID
    || $.requestParameters.instanceId = i-instance7ID}
eip-change:
  all: >-
    {$.eventName = AssociateAddress || $.eventName = DisassociateAddress
    || $.eventName = MoveAddressToVpc || $.eventName = ReleaseAddress }
net-access:
  all: >-
    {$.sourceIPAddress != 111.222.3* && $.sourceIPAddress != 111.222.4* && $.sourceIPAddress != cloud*
    && $.sourceIPAddress != AWS* && $.sourceIPAddress != 11.22.33.00 && $.sourceIPAddress != 11.22.33.01 }
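# Added examples, not part of the original template: the CloudTrail-based
# checks recommended by the CIS AWS Foundations Benchmark (root usage,
# console login without MFA / failed logins, CloudTrail, KMS, IAM and S3
# bucket policy changes, unauthorized API calls), written in the same
# <check-name>: <all|prod>: '<filter pattern>' form as the entries above.
# The check names are my own; the patterns are the CIS ones.
# Dry-run any pattern against a captured CloudTrail record before deploying:
#   aws logs test-metric-filter --filter-pattern '<pattern>' --log-event-messages '<event json>'
root-usage:
  all: >-
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    && $.eventType != "AwsServiceEvent" }
console-login-no-mfa:
  all: '{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != "Yes") }'
console-login-failed:
  all: '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
cloudtrail-change:
  all: >-
    { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)
    || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
kms-key-disable-delete:
  all: '{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }'
iam-policy-change:
  all: >-
    { ($.eventSource = iam.amazonaws.com) && (($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy)
    || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy)
    || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy)
    || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy)
    || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy)
    || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy)) }
s3-bucket-policy-change:
  all: >-
    { ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy)
    || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication)
    || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle)
    || ($.eventName = DeleteBucketReplication)) }
unauthorized-api-calls:
  all: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'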
```</code></pre>Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-15789845479429508652021-02-03T20:20:00.015-05:002021-02-19T09:28:30.928-05:00AWS IAM 101/201 and security notes.<h3 style="text-align: left;">Let's start from the basics: what is AWS IAM?</h3><p>AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.</p><p>What exactly does IAM provide:</p><p></p><ul style="text-align: left;"><li>Shared access to your AWS account</li><li>Granular permissions</li><li>Secure access to AWS resources for applications that run on Amazon EC2</li><li>Multi-factor authentication (MFA)</li><li>Identity federation</li><li>Identity information for assurance</li><li>PCI DSS Compliance (debatable, IMHO) </li><li>Integrated with many AWS services</li><li>Eventually consistent (a policy change can take seconds to propagate, so never rely on a revoke being instant)</li><li>Free to use</li></ul><div><b>Do all AWS services work with IAM?</b> </div><p>Not exactly. Here is the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html">list</a>:</p><p><b>IAM currently supports the following authorization models:</b></p><p></p><ul style="text-align: left;"><li>Role-based access control (<b>RBAC</b>). RBAC defines permissions based on a person's job function, known outside of AWS as a role. </li><li>Attribute-based access control (<b>ABAC</b>) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called tags. Tags can be attached to IAM principals (users or roles) and to AWS resources. 
</li></ul><p>AWS IAM identities:</p><p>- Users</p><p>- Roles</p><p>- Groups (a group is only a collection of users: it cannot make requests itself and cannot be named in a Principal element; only users and roles, and the sessions derived from them, act as principals) </p><span><a name='more'></a></span><p><br /></p><h3 style="text-align: left;">IAM Policies: </h3><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtOS7RqOu5oo8S5NEI5z3q_kOESLwk5cxt0Rbps0lkdRtghIO_H5zeSzYjgQh4MUHmq61RMCSmZMaDNV7iBIxSgI8rGdj47O6xNfhWIA7-x0tXyzf5hLlOGceSVRADeO6GpzmSr8_UEWw/s1756/Screen+Shot+2021-02-02+at+1.19.49+PM.png" style="margin-left: 1em; margin-right: 1em;"><img alt="What is IAM policies?" border="0" data-original-height="958" data-original-width="1756" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtOS7RqOu5oo8S5NEI5z3q_kOESLwk5cxt0Rbps0lkdRtghIO_H5zeSzYjgQh4MUHmq61RMCSmZMaDNV7iBIxSgI8rGdj47O6xNfhWIA7-x0tXyzf5hLlOGceSVRADeO6GpzmSr8_UEWw/w400-h219/Screen+Shot+2021-02-02+at+1.19.49+PM.png" width="400" /></a></div><br /><p></p><p>Shared responsibilities in the case of policies:</p><p></p><ul style="text-align: left;"><li>YOU -> Define the policy</li><li>AWS -> Evaluates the policy and enforces access</li></ul><div><br /></div><div>Where the policy language is used:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib29cnmuwu8KuDOK_-1GNsJAS-JkwuPY5uX6R75rpz9l1-B6xTlx_wPOQW9GzHECTVfKB5GPIYpGLy5_pSq9m17CCikcZIPCaNJE1W1XEKdxcZxtoUuxIhnhMxjq9rQlvpt2Uj9GZccS4/s1734/Screen+Shot+2021-02-02+at+1.27.42+PM.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Policy types" border="0" data-original-height="942" data-original-width="1734" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib29cnmuwu8KuDOK_-1GNsJAS-JkwuPY5uX6R75rpz9l1-B6xTlx_wPOQW9GzHECTVfKB5GPIYpGLy5_pSq9m17CCikcZIPCaNJE1W1XEKdxcZxtoUuxIhnhMxjq9rQlvpt2Uj9GZccS4/w400-h217/Screen+Shot+2021-02-02+at+1.27.42+PM.png" width="400" /></a></div><div><br /></div><h4 
style="text-align: left;">Policy types: </h4><div><b>Identity-based policies: </b></div><div><ul style="text-align: left;"><li>Managed policies</li><ul><li>AWS managed policy</li><li>Customer managed policy</li></ul><li>Inline policies </li></ul></div><div><b>Resource-based policies:</b></div><div><ul style="text-align: left;"><li>S3, KMS, etc</li><li>IAM: </li><ul><li>The IAM service supports only one type of resource-based policy, called a role trust policy, which is attached to an IAM role. An IAM role is both an identity and a resource that supports resource-based policies. For that reason, you must attach both a trust policy and an identity-based policy to an IAM role. Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role.</li></ul></ul><div><b>IAM permissions boundaries: </b>A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. </div></div><div>Note: a boundary is not self-enforcing. Whoever is allowed to create users and roles (or attach policies to them) must themselves be constrained by an identity policy that permits those iam: actions only when the <code>iam:PermissionsBoundary</code> condition key equals the ARN of the approved boundary policy; otherwise they can simply create principals without any boundary.</div><div><br /></div><div><b>Service control policies (SCPs): </b>Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. They are attached to OUs or accounts within an AWS Organization and cap permissions at the account level. These restrictions cannot be overridden by any principal in the account, including the root user. (SCPs never grant anything by themselves, they only set the ceiling, and they do not apply to the organization's management account.)</div><div><br /></div><div><b>Access control lists (ACLs) </b>- Note: ACLs use a different policy language (XML), not the JSON policy grammar.</div><div><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><div style="text-align: left;">Access control lists (ACLs) are service policies that allow you to control which principals in another account can access a resource. 
ACLs cannot be used to control access for a principal within the same account.</div></blockquote><p><b>Session policies (STS): </b>A session policy is an inline permissions policy that the caller passes when assuming a role (or federating a user). You can pass the policy yourself, or configure your identity broker to insert it when your identities federate into AWS. A session policy can only narrow what the role's identity-based policies already allow; it never adds permissions.</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><div style="text-align: left;"> </div></blockquote></div><div><br /></div><h3 style="text-align: left;">How is a policy structured? </h3><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic6CR4zob9lSOhInc2qVntgRXcp37vwT9TRLyt193dmTJz3ZDP0mf1Z22tZQq6fgWhAgAGXmOKKjMtCA5TW8345kJDAbJ6b-Vyc1oK_yamCf-YuPGmb4LBVF3-hnQwAeEHwMRCeIWUadk/s1730/Screen+Shot+2021-02-02+at+1.25.06+PM.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Policy structure" border="0" data-original-height="954" data-original-width="1730" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic6CR4zob9lSOhInc2qVntgRXcp37vwT9TRLyt193dmTJz3ZDP0mf1Z22tZQq6fgWhAgAGXmOKKjMtCA5TW8345kJDAbJ6b-Vyc1oK_yamCf-YuPGmb4LBVF3-hnQwAeEHwMRCeIWUadk/w400-h220/Screen+Shot+2021-02-02+at+1.25.06+PM.png" width="400" /></a></div><br /><div>Does a policy always need all of these components? 
No, it depends on the usage and the service:</div><div><ul style="text-align: left;"><li><b>Identity-based policies</b>: Principal is not required (and cannot be used at all), because the policy is attached to a particular principal.</li><li><b>Resource-based policies: </b>Resource is implied by the resource the policy is attached to, so some services make it optional or fixed (an IAM role trust policy has no Resource element, a KMS key policy uses "*"), while others, such as S3 bucket policies, still require it.</li><li><b>Service control policies (SCPs): </b>Principal is not required (and cannot be used at all), but the principal can still be targeted through a Condition, in several ways: StringLike on aws:PrincipalArn or aws:PrincipalAccount, or ArnNotLike on aws:PrincipalArn. <br /></li></ul><h3 style="text-align: left;"><br /></h3><h3 style="text-align: left;">Policy evaluation process:</h3><div><br /></div><div>Oversimplified:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-cq9xsKRln9-E_AdTMj9oF_ZtACeYfbhxmUiX8pWz95mlZZCsjX_Ilw9o6d-zH4ajXBe64NhOTH-5upjESz-q9LCKXqcYYl4GC7mzT5Bd1EGQ-R6SsaXDejvOiNHRf9pJ-X4kw9o3bbU/s1720/Screen+Shot+2021-02-02+at+1.41.01+PM.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Generic IAM Policy evaluations" border="0" data-original-height="946" data-original-width="1720" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-cq9xsKRln9-E_AdTMj9oF_ZtACeYfbhxmUiX8pWz95mlZZCsjX_Ilw9o6d-zH4ajXBe64NhOTH-5upjESz-q9LCKXqcYYl4GC7mzT5Bd1EGQ-R6SsaXDejvOiNHRf9pJ-X4kw9o3bbU/w400-h220/Screen+Shot+2021-02-02+at+1.41.01+PM.png" width="400" /></a></div><div><br /></div><div><br /></div><div>But on what basis does IAM make the decision? 
</div><div>Based on the request <b>context</b>.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnVtdlY0Uf3b1U6IPgWIZht9VF31vXP5VcryB8-cvMnnAqHWyDP7gMOuLoEgT62P9PvFWxIarPM_Qp2KrOruVRCBVW-Cdg666K1jh5WAOWc2QkJPfBxZXDqEMKDLmC85QY-xybWjqP8zs/s1738/Screen+Shot+2021-02-02+at+2.03.42+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="950" data-original-width="1738" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnVtdlY0Uf3b1U6IPgWIZht9VF31vXP5VcryB8-cvMnnAqHWyDP7gMOuLoEgT62P9PvFWxIarPM_Qp2KrOruVRCBVW-Cdg666K1jh5WAOWc2QkJPfBxZXDqEMKDLmC85QY-xybWjqP8zs/w400-h219/Screen+Shot+2021-02-02+at+2.03.42+PM.png" width="400" /></a></div><br /><div>What is the request context and what does it include: </div><div><br /></div><div>AWS processes each request to gather the following information into a request context:</div><div><ul style="text-align: left;"><li><b>Actions (or operations)</b> – The actions or operations that the principal wants to perform.</li><li><b>Resources</b> – The AWS resource object upon which the actions or operations are performed.</li><li><b>Principal </b>– The user, role, federated user, or application that sent the request. Information about the principal includes the policies that are associated with that principal.</li><li><b>Environment data</b> – Information about the IP address, user agent, SSL enabled status, or the time of day.</li><li><b>Resource data</b> – Data related to the resource that is being requested. This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.</li></ul></div><div><br /></div><div>Does this cover all cases of policy evaluation? 
Not <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html">really</a>.</div><div><br /></div><div><br /></div><h3 style="text-align: left;">Two main cases of the policy evaluation process:</h3><h4 style="text-align: left;">Single account:</h4><div><br /></div><div>Rule of thumb:</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimTxsN39YIeVp_yl6YVEiBr4Kb_9n5Sj6cZeYCM5thPiamq87E7UvV0BXRz4A1OKC6kWLJ-m6I0q3Pza5HTAuoIo6K_bvMiZT65MZcGw_OWZfs4sbKzlo99NxjXdFVVobL4oVhI3OL2Do/s1740/Screen+Shot+2021-02-02+at+4.02.01+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="948" data-original-width="1740" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimTxsN39YIeVp_yl6YVEiBr4Kb_9n5Sj6cZeYCM5thPiamq87E7UvV0BXRz4A1OKC6kWLJ-m6I0q3Pza5HTAuoIo6K_bvMiZT65MZcGw_OWZfs4sbKzlo99NxjXdFVVobL4oVhI3OL2Do/w400-h217/Screen+Shot+2021-02-02+at+4.02.01+PM.png" width="400" /></a></div><div><br /></div><div>Some examples:</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB5xdz2RqxqNGLFaj-pmptVc-7m7jNmr0kq5pPIm9PhXE8Rz1FAx493eo_fwTGbAyxGFvv6SRRBmbVoEKxP1QmlksqUDUcayrQMjAuczCIp_ZNyeW-gM-rw-iWo7w15mwAPvKfAIuSMxY/s688/Screen+Shot+2021-02-02+at+7.28.42+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="546" data-original-width="688" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB5xdz2RqxqNGLFaj-pmptVc-7m7jNmr0kq5pPIm9PhXE8Rz1FAx493eo_fwTGbAyxGFvv6SRRBmbVoEKxP1QmlksqUDUcayrQMjAuczCIp_ZNyeW-gM-rw-iWo7w15mwAPvKfAIuSMxY/s320/Screen+Shot+2021-02-02+at+7.28.42+PM.png" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhdj2ccOZ791K1RNeGbK38IETJZ4Cd9tJz_Od3BCa_DFwXOp4N8uY6WuACfEXtVQLkHvBtqyIgMmU1hyGshzrRffu-I7BQJevSdhJfG80t6RBmxKxUYDM4q8xOVTsHluUyfyzFWtQf22o/s604/Screen+Shot+2021-02-02+at+7.28.48+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="604" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhdj2ccOZ791K1RNeGbK38IETJZ4Cd9tJz_Od3BCa_DFwXOp4N8uY6WuACfEXtVQLkHvBtqyIgMmU1hyGshzrRffu-I7BQJevSdhJfG80t6RBmxKxUYDM4q8xOVTsHluUyfyzFWtQf22o/s320/Screen+Shot+2021-02-02+at+7.28.48+PM.png" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRfkT_emNM6WtndrPRO9IbITklnTEHDx2EuL2T_7xsz8v-z2_3u-rFJsl-kqgd1af16kuR990IDC3uMnhkB3yFM1TOOEYn1hrl1sOQ9XHURqekDLHMW1nyTx0KnpSbAVBLz4xTEUG2Z34/s638/Screen+Shot+2021-02-02+at+7.28.54+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="556" data-original-width="638" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRfkT_emNM6WtndrPRO9IbITklnTEHDx2EuL2T_7xsz8v-z2_3u-rFJsl-kqgd1af16kuR990IDC3uMnhkB3yFM1TOOEYn1hrl1sOQ9XHURqekDLHMW1nyTx0KnpSbAVBLz4xTEUG2Z34/s320/Screen+Shot+2021-02-02+at+7.28.54+PM.png" width="320" /></a></div><br /><div><br /></div><div><br /></div><div>Overall evaluation process:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMRC9u6Z44hycKgzKgy5RUvKtThz95KL31SONaYcRM9QBWRjXtgwjyDjFfd4ZNwZjqG4YitAY0iD8OZgDMj12cib4-8rxgX7vxVBesjto42q0w142LlraixXz8UjHDRx2q56hNo7mYshE/s1022/Screen+Shot+2021-02-02+at+1.49.10+PM.png" style="margin-left: 1em; margin-right: 1em;"><img alt="IAM evaluation_in_account" border="0" data-original-height="480" data-original-width="1022" height="188" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMRC9u6Z44hycKgzKgy5RUvKtThz95KL31SONaYcRM9QBWRjXtgwjyDjFfd4ZNwZjqG4YitAY0iD8OZgDMj12cib4-8rxgX7vxVBesjto42q0w142LlraixXz8UjHDRx2q56hNo7mYshE/w400-h188/Screen+Shot+2021-02-02+at+1.49.10+PM.png" width="400" /></a></div><div><br /></div><div><br /></div><h4 style="text-align: left;">Cross-account:</h4><div>For a principal from another account, the request must be allowed on both sides: by an identity-based policy in the caller's account AND by the resource-based policy (or role trust policy) in the account that owns the resource.</div><div><b><br /></b></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHYlepMsfRBkVf85XnzLiB1aoCJ dWKvzJ9ffO7OOGxA9EA9Laij_6lTWxf4ep-uQJVQs3w-UCwZkFRnftID6s4R4_OkgFrHvtZJD-w_sFPUYyIY6oMcljmj0tmhH-07ve9-jeXnICyzEg/s1752/Screen+Shot+2021-02-02+at+4.05.09+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="968" data-original-width="1752" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHYlepMsfRBkVf85XnzLiB1aoCJdWKvzJ9ffO7OOGxA9EA9Laij_6lTWxf4ep-uQJVQs3w-UCwZkFRnftID6s4R4_OkgFrHvtZJD-w_sFPUYyIY6oMcljmj0tmhH-07ve9-jeXnICyzEg/w400-h221/Screen+Shot+2021-02-02+at+4.05.09+PM.png" width="400" /></a></div><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW-yZd5ZaGZaUJ7Rz0LsMpitHIy6TF2xvve4g7yJyffbF8YRpMOXGy9HAA-r3GYroGUdROGHZovWjmHHwL8qiUS8AxYM6vjkwPZnbR9Xy-T1We_99_gHhhUpT5wUjlnxQ53JCFFy04cE0/s1104/Screen+Shot+2021-02-02+at+1.46.41+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1104" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW-yZd5ZaGZaUJ7Rz0LsMpitHIy6TF2xvve4g7yJyffbF8YRpMOXGy9HAA-r3GYroGUdROGHZovWjmHHwL8qiUS8AxYM6vjkwPZnbR9Xy-T1We_99_gHhhUpT5wUjlnxQ53JCFFy04cE0/s320/Screen+Shot+2021-02-02+at+1.46.41+PM.png" /></a></div><div><br /></div>How can you test an IAM policy? 
<a href="https://policysim.aws.amazon.com/">IAM Policy Simulator </a> </div><div><br /></div><div>Note: the simulator is built around identity-based policies (permissions boundaries and SCPs can be included in the simulation), but its support for resource-based policies is limited, so a simulated "allowed" does not prove that, say, a bucket policy actually permits the call.</div><div><br /></div><div><h3><a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html"> SCP:</a></h3><div>SCP evaluation is a bit more complicated, as it includes policy <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html">inheritance</a> (remember MS AD?) </div></div><div>In the end, each AWS API call is evaluated against the effective policy (similar to the Resultant Set of Policy in classical Microsoft AD):</div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC26ZimZ0rMfKpkVM-BVJiFY27xPq-Lmkujx-M93zCnC5fwcSKshmrz1SoKK7Yey95Vk7VnSRhkcWFzxLBKtHA4CHsDFfdKD6oZg7ANBAXV-HYl8NCkBiElgEbX3OLsHlwpevZw56H1VY/s1172/Screen+Shot+2021-02-02+at+1.59.03+PM.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img alt="SCP_inheritance" border="0" data-original-height="564" data-original-width="1172" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC26ZimZ0rMfKpkVM-BVJiFY27xPq-Lmkujx-M93zCnC5fwcSKshmrz1SoKK7Yey95Vk7VnSRhkcWFzxLBKtHA4CHsDFfdKD6oZg7ANBAXV-HYl8NCkBiElgEbX3OLsHlwpevZw56H1VY/w400-h193/Screen+Shot+2021-02-02+at+1.59.03+PM.png" width="400" /></a></div><div>Hint: for an action to be allowed in a particular account, it must be allowed by the SCPs at every level from the organization root down through each parent OU to the account itself (a continuous, uninterrupted chain of Allow), and not explicitly denied at any of those levels. The FullAWSAccess policy that AWS attaches by default at every level is what makes that chain work out of the box; if you detach it somewhere, you must replace it with an explicit allow list at that level.</div><div><br /></div><h3 style="text-align: left;"><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session policy (STS)</a></h3><div>A resource-based policy can specify the ARN of the user or role as a principal: </div><div><br /></div><div class="separator" style="clear: 
both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3miY-FtLZUFobj8SoHldFjiM2tZ5iMpB7pd_FFQqpbx7hdp7H5kQhh3jd2U6fErJN6QUhZlEvtA73JFl3jjwUspiStoCf2uB9sPKvKFCCNBGAkmOQdO3iz9G3kDBypIjRC0mAEwqDboY/s922/Screen+Shot+2021-02-02+at+7.53.30+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="724" data-original-width="922" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3miY-FtLZUFobj8SoHldFjiM2tZ5iMpB7pd_FFQqpbx7hdp7H5kQhh3jd2U6fErJN6QUhZlEvtA73JFl3jjwUspiStoCf2uB9sPKvKFCCNBGAkmOQdO3iz9G3kDBypIjRC0mAEwqDboY/s320/Screen+Shot+2021-02-02+at+7.53.30+PM.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><br /><div>A resource-based policy can specify the ARN of the session as a principal.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRM3Vhq-TAJMxNRSzksvosTvnH-8ytgO00_-flMP446_dPbn5XCtxzzxn14nnqsbGZD7q6wTWF5FVLfYhM-c2wXtANt6lTUiuUTlFiRJYdfMKkwVzCq4l924bRWn3-6KajiIM-ZiBlPFE/s928/Screen+Shot+2021-02-02+at+7.54.31+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="698" data-original-width="928" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRM3Vhq-TAJMxNRSzksvosTvnH-8ytgO00_-flMP446_dPbn5XCtxzzxn14nnqsbGZD7q6wTWF5FVLfYhM-c2wXtANt6lTUiuUTlFiRJYdfMKkwVzCq4l924bRWn3-6KajiIM-ZiBlPFE/s320/Screen+Shot+2021-02-02+at+7.54.31+PM.png" width="320" /></a></div><div><br /></div>A permissions boundary can set the maximum permissions for a user or role that is used to create a session<div><br /></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAeY7-lvGOlJqj2n1jmsLA0vTfOoXBnBjl7drKDhc0QORlz2DP3-ZtLKC3Wjm1rKVZMhGvp_AmEQD7wb_A59Kyj-zceqdj94FBLr2TCZGyXPhdx5bW_Pu2OF1pkzdFYzXo4AGPDD-IRyM/s918/Screen+Shot+2021-02-02+at+7.56.09+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="688" data-original-width="918" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAeY7-lvGOlJqj2n1jmsLA0vTfOoXBnBjl7drKDhc0QORlz2DP3-ZtLKC3Wjm1rKVZMhGvp_AmEQD7wb_A59Kyj-zceqdj94FBLr2TCZGyXPhdx5bW_Pu2OF1pkzdFYzXo4AGPDD-IRyM/s320/Screen+Shot+2021-02-02+at+7.56.09+PM.png" width="320" /></a></div><br /><div><br /><div><br /></div><div><br /></div><h3 style="text-align: left;">Various policies and the root user: </h3><div>The AWS account root user is affected by some policy types but not others:</div><div><br /></div><div><ul style="text-align: left;"><li>You cannot attach identity-based policies to the root user.</li><li>You cannot set a permissions boundary for the root user. </li><li>You can specify the root user as the principal in a resource-based policy or an ACL. </li><li>Resource-based policies do apply to the root user, but S3 gives it an escape hatch: even if a bucket policy denies everything, the root user can still delete or replace the bucket policy and regain control of the bucket. A KMS key policy has no such exception; if the key policy removes the account's access to the key, only AWS Support can restore it.</li><li>As a member of an account, the root user is affected by any SCPs for the account.</li></ul></div><div><br /></div><div>--------------------------------------------------------------------------------------------------</div><div><br /></div><h3 style="text-align: left;">Known security issues and best practices:</h3><div><h3 style="text-align: left;">Identity-based policies: </h3><h4 style="text-align: left;"><b>Managed policies:</b></h4><div><b>AWS managed policy: </b></div><div><br /></div><div>AWS manages the whole life cycle of the policy. 
This seems nice, but:</div><div><ul style="text-align: left;"><li>AWS itself has shipped mistakes in managed policies that could even lead to privilege escalation: </li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz_UHwy1MqIlneaUfzKHeCDGRglN3U14nTQ_JMtNU2TVMQ_yVBUqW3kfW35bW0Fjk2puGRfGjVhfAQ72ShN_locP7K0jPNBJgDmBJ3kgntHX0SHNROae903gljvpxsdv5STw5sHO7mhws/s1044/Screen+Shot+2021-02-03+at+9.18.21+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="376" data-original-width="1044" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz_UHwy1MqIlneaUfzKHeCDGRglN3U14nTQ_JMtNU2TVMQ_yVBUqW3kfW35bW0Fjk2puGRfGjVhfAQ72ShN_locP7K0jPNBJgDmBJ3kgntHX0SHNROae903gljvpxsdv5STw5sHO7mhws/s320/Screen+Shot+2021-02-03+at+9.18.21+PM.png" width="320" /></a></div><br /> <br /><ul style="text-align: left;"><li>AWS adds and removes permissions at will, causing either a potential outage (a permission you relied on disappears) or a violation of the least-privilege principle (extra permissions you never asked for). Prefer customer managed policies for critical workloads, and diff the AWS managed policies you do use over time.</li></ul></div><div style="text-align: left;"><b>Customer managed policy:</b></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><u>Configuration mistakes leading to simple privilege escalation:</u><b> </b></div><div style="text-align: left;"><ul style="text-align: left;"><li>A user/role allowed to add itself to an Admin group</li><li>A user/role allowed to create a new access key for a more privileged user</li><li>A user/role allowed to update the console password (login profile) of a more privileged user</li><li>A user/role allowed to assume a privileged role directly </li></ul></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><u>NotAction: </u></div><div style="text-align: left;">Quite often we use NotAction. 
Using NotAction in an Allow statement is like writing a deny-list of actions: everything that is not in the list is implicitly allowed. </div><div style="text-align: left;">Unfortunately for security, some privileged or dangerous permissions have non-obvious names and are easy to forget or miss when building such a list; worse, any new API action AWS introduces later is allowed automatically.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><i><br /></i></div><div style="text-align: left;"><i><br /></i></div><div style="text-align: left;"><u>Granting users permissions on IAM policies:</u></div><div style="text-align: left;"><div><i> </i>The following permissions provide an easy path to privilege escalation:</div><div><ul style="text-align: left;"><li>iam:CreatePolicyVersion</li><li>iam:SetDefaultPolicyVersion</li><li>iam:AttachUserPolicy</li><li>iam:AttachGroupPolicy</li><li>iam:AttachRolePolicy</li><li>iam:PutUserPolicy</li><li>iam:PutGroupPolicy</li><li>iam:PutRolePolicy</li></ul></div><div>As simple as that: CreatePolicyVersion really means the user can write a new version of the policy with any content they like, and the API's SetAsDefault flag makes it effective immediately, without needing SetDefaultPolicyVersion at all.</div></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><u>iam:UpdateAssumeRolePolicy:</u></div><div style="text-align: left;"><u><br /></u></div><div style="text-align: left;">Allowing users to update the assume role policy (the IAM resource-based policy, a.k.a. trust policy) lets them modify that trust and add malicious actors to the list of trusted entities. </div><div style="text-align: left;"><br /></div><div style="text-align: left;"><u>iam:PassRole on Resource "*": </u></div><div style="text-align: left;"><u><br /></u></div><div style="text-align: left;">allows a user to pass a role to an AWS service, ANY role. A malicious actor can use this to attach a privileged role to a resource under their control (example: pass a privileged role to an EC2 instance they created or compromised). 
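<div style="text-align: left;">An added example, not code from the original post: a small auditor that checks an identity policy for the escalation permissions listed above, expanding IAM action wildcards and NotAction statements the way IAM does, so that the non-obvious names are harder to miss. The three policies it runs on are constructed for illustration (the account ID, the role name and the policy shapes are assumptions). Resource values are reported but Resource and Condition are not evaluated, so the output is a review list rather than a verdict.</div>

```python
"""Audit an IAM identity policy for privilege-escalation permissions.

Added example; not from the original post.  Expands IAM action wildcards
('*', '?', case-insensitive) and NotAction statements like IAM does, then
reports each escalation-relevant action that some Allow statement covers
and no Deny statement covers.  Resource/Condition are not evaluated.
"""
import fnmatch
from typing import Dict, List

# Escalation-relevant actions discussed above (assumed list; extend as needed).
ESCALATION_ACTIONS = [
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole",
    "iam:AddUserToGroup", "iam:CreateAccessKey", "iam:UpdateLoginProfile",
    "sts:AssumeRole",
]


def _as_list(value) -> List[str]:
    """Action/NotAction/Resource may be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy: dict) -> List[dict]:
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _action_matches(patterns: List[str], action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_covers(stmt: dict, action: str) -> bool:
    """True if the statement's Action/NotAction element covers `action`.
    NotAction inverts the list: everything NOT listed is covered."""
    if "NotAction" in stmt:
        return not _action_matches(_as_list(stmt["NotAction"]), action)
    return _action_matches(_as_list(stmt.get("Action")), action)


def escalation_grants(policy: dict) -> Dict[str, List[str]]:
    """Map each escalation action the policy allows, and does not explicitly
    deny, to the Resource values of the Allow statements granting it."""
    stmts = _statements(policy)
    findings: Dict[str, List[str]] = {}
    for action in ESCALATION_ACTIONS:
        if any(s.get("Effect") == "Deny" and statement_covers(s, action) for s in stmts):
            continue  # an explicit Deny always wins over any Allow
        resources = sorted({
            r
            for s in stmts
            if s.get("Effect") == "Allow" and statement_covers(s, action)
            for r in _as_list(s.get("Resource", "*"))
        })
        if resources:
            findings[action] = resources
    return findings


# --- constructed sample policies (illustrative, not real account data) ------

# "Developer" policy built with NotAction: blocks iam:Create*/Delete* and
# assumes that is enough, but PutUserPolicy, AttachUserPolicy, PassRole,
# UpdateLoginProfile, sts:AssumeRole ... are all still allowed.
DEVELOPER_NOTACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "NotAction": ["iam:Create*", "iam:Delete*", "organizations:*"],
                   "Resource": "*"}],
}

# Typical CI policy: iam:PassRole on every role lets the runner launch an
# EC2 instance (or Lambda) carrying any privileged role in the account.
CI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"}],
}

# Hardened variant: PassRole scoped to one role and to EC2 only, plus an
# explicit Deny on the policy-editing actions.
HARDENED_CI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/ci-worker",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        {"Effect": "Deny",
         "Action": ["iam:*Policy", "iam:*PolicyVersion", "iam:UpdateAssumeRolePolicy"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in [("developer", DEVELOPER_NOTACTION_POLICY),
                         ("ci", CI_POLICY), ("ci-hardened", HARDENED_CI_POLICY)]:
        print(name, escalation_grants(policy))
```

<div style="text-align: left;">The developer policy is the NotAction trap in practice: two wildcard exclusions look restrictive, yet twelve of the fourteen escalation actions come back as allowed on every resource. For a real account, feed it the output of <code>aws iam get-policy-version</code> / <code>get-role-policy</code> rather than hand-written dicts, and remember that a Condition on a flagged statement may still save you; the script deliberately does not try to reason about that.</div>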
</div><div style="text-align: left;">The compensating control here is the privileged role's trust policy, which should allow only the intended service principal (for example ec2.amazonaws.com) to assume the role; on the caller's side, scope iam:PassRole to specific role ARNs and add the iam:PassedToService condition key instead of granting it on Resource "*". Note: the trust policy does not help if the attacker also controls it (iam:UpdateAssumeRolePolicy) or can already reach the trusted service with the passed role.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><u>Privilege escalation using AWS services:</u></div><div style="text-align: left;">Services such as Lambda or Glue run with an attached role. If the malicious actor can update the function code (or the job script), that code performs the attacker's actions with the role's permissions.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b><br />Inline policies:</b></div><div style="text-align: left;"><br /><div>As we all know, managed policies are recommended over inline policies.</div><div><br /></div><div>Reasons:</div><div><br /></div><div>- Inline policies are not reusable</div><div>- The lifecycle of the policy matches the lifecycle of the principal it is attached to (delete the principal and the policy is gone, which also makes inline policies easy to lose track of)</div><div>- Inline policies do not have versions</div><div>- An inline policy cannot be used as a permissions boundary</div><div>- Hard to automate with configuration management, as it is part of the user/role definition</div></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Resource-based policies:</h3><div><b><br /></b></div><div>S3 :</div><div><br /></div><div>An IAM policy without resource restrictions allows the user/role to read ALL S3 buckets in the account:</div><div><pre class="wp-block-code" style="background: 0px 0px rgb(255, 255, 255); border: 0px; box-sizing: border-box; color: #474747; font-family: "Courier New", monospace; font-size: 14px; margin-bottom: 10px; margin-top: 0px; outline: 0px; padding: 0px; text-size-adjust: 100%; vertical-align: baseline;"><code style="background: 0px 0px; border: 0px; box-sizing: border-box; font-family: "Courier New", monospace; margin: 0px 0px 10px; outline: 0px; overflow-wrap: break-word; padding: 0px; 
text-size-adjust: 100%; vertical-align: baseline; white-space: pre-wrap;">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}</code></pre></div><div>Not a big deal? What about the buckets that hold sensitive information? </div><div><br /></div><div>It becomes even trickier when we rely on Allow-only bucket policies:</div><div><br /></div><div><br class="Apple-interchange-newline" /><span style="background-color: white; color: #474747; font-family: "Courier New", monospace; font-size: 14px; white-space: pre-wrap;">{
  "Version": "2012-10-17",
  "Id": "ProtectSensitiveBucket",
  "Statement": [{
    "Sid": "AllowCICDOnly",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::123456789012:role/jenkins-prod"
      ]
    },
    "Action": [
      "s3:GetObject",
      "s3:PutObject",
      "s3:PutObjectAcl"
    ],
    "Resource": [
      "arn:aws:s3:::generated-gift-cards",
      "arn:aws:s3:::generated-gift-cards/*"
    ]
  }]</span></div><div><span style="color: #474747; font-family: Courier New, monospace;"><span style="background-color: white; font-size: 14px; white-space: pre-wrap;">}</span></span></div><div><span style="color: #474747; font-family: Courier New, monospace;"><span style="background-color: white; font-size: 14px; white-space: pre-wrap;"><br /></span></span></div><div><br /></div><div>Looks like we are protecting the sensitive bucket by allowing only the Jenkins role to access it, right?</div><div>- Not really. If any IAM policy in the account grants S3 access WITHOUT resource restrictions, like the one above, its principals still get in: for a principal in the same account as the bucket, the identity-based policy and the resource-based (S3) policy are evaluated as an OR, so an Allow in either one is enough. (Only for a principal from another account must both sides allow the request.) </div><div>So in this case our bucket (or KMS key, or anything else with a resource policy) stays unprotected, because IAM still allows the access regardless of the Allow statements in the S3 policy. </div><div><br /></div><div>How to fix it?</div><div>Use explicit Deny statements in the resource-based policy to restrict access to sensitive resources:</div><div><br /></div><div><span style="background-color: white; color: #474747; font-family: "Courier New", monospace; font-size: 14px; white-space: pre-wrap;">{
"Version": "2012-10-17",
"Id": ProtectSensitiveBucket",
"Statement": [{
"Sid": "AllowCICDOnly",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::12345678:role/jenkins-prod"
]
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectACL
],
"Resource": [
"arn:aws:s3:::generated-gift-cards",
"arn:aws:s3:::</span><span style="background-color: white; color: #474747; font-family: "Courier New", monospace; font-size: 14px; white-space: pre-wrap;">generated-gift-cards</span><span style="background-color: white; color: #474747; font-family: "Courier New", monospace; font-size: 14px; white-space: pre-wrap;">/*"
]
</span><pre class="wp-block-code" style="background: 0px 0px rgb(255, 255, 255); border: 0px; box-sizing: border-box; color: #474747; font-family: "Courier New", monospace; font-size: 14px; margin-bottom: 10px; margin-top: 0px; outline: 0px; padding: 0px; text-size-adjust: 100%; vertical-align: baseline;"><code style="background: 0px 0px; border: 0px; box-sizing: border-box; font-family: "Courier New", monospace; margin: 0px 0px 10px; outline: 0px; overflow-wrap: break-word; padding: 0px; text-size-adjust: 100%; vertical-align: baseline; white-space: pre-wrap;"> },{
"Sid": "DenyOthers",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::generated-gift-cards",
"arn:aws:s3:::generated-gift-cards/*"
],
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::12345678:role/jenkins-prod"
]
}
}
}
]
}</code></pre></div><div><br /></div><div>Now it should work as expected, explicitly blocking access to the sensitive bucket regardless of the IAM policy.</div><div><br /></div><div><br /><b>IAM (trust policy)</b></div><div><br /></div><div>Cross-account trust: </div><div><br /></div><div>1. Trusting the root of the external account: </div><div><div>In fact, “root” means that the whole account is trusted, and that trust can be delegated on the other side to any principal in the external account.</div><div><br /></div><div><span style="color: #333333; font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-size: 14px; white-space: pre;">{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::</span><span style="color: #333333; font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-size: 14px; white-space: pre;">111122223333</span><span style="color: #333333; font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-size: 14px; white-space: pre;">:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}</span></div><div><br /></div><div>In this example, we are trusting ANY user and role from the AWS account <span style="color: #333333; font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-size: 14px; white-space: pre;">111122223333. </span></div><div><br /></div><div>How to do this better? </div><div><br /></div><div><span style="color: #333333; font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-size: 14px; white-space: pre;">{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/LiJuan"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}</span></div><div><span style="color: #333333; font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-size: 14px; white-space: pre;"><br /></span></div><div><br /></div><div>Here we are trusting only a particular user (LiJuan) from the external account to perform an action (assume role) in our account.</div><div><br /></div><div>2. Not using an ExternalId, or using an easily guessable one:</div></div><div>If this trust is used for a 3rd-party SaaS integration, a malicious actor can use that 3rd-party service to get access (within the functionality the SaaS offers) to your account by claiming your account as their own. </div><div>Solution? </div><div><br /></div><div><span style="color: #333333; font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-size: 14px; white-space: pre;">{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "123jjjuu-dhdydy-2344-djju766-ddhh"
}
}
}
]
}</span></div><div><br /></div><div>Use a strong, random, unique ExternalId.</div><div><br /></div><div>Additional important security measures that could and should be used within the trust policy:</div><div><br /></div><div>1. MFA enforcement</div><div>2. Time frame enforcement </div><div>3. Location (IP) enforcement </div><div>4. ABAC or granting access based on Tags - Tags enforcement</div><div>5. AWS ORG enforcement </div><div>6. Enforce proper role chaining </div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /><h3 style="text-align: left;"><b>IAM permissions boundaries:</b></h3></div><div>Why do we need this? To delegate to developers the ability to create and manage the roles and policies they need, while preventing privilege escalation or account takeover. </div><div><b><br /></b></div><div><b><br /></b></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAf05WRqe7sKhEKvw8oWi25FYwiQ4bbVB0EUW3nUSbRngTIdVBwu4TX1-TNRrNgjBpmumnjlLQXW_CfyUm3DIr4TE5NAmYo_vjT30Cak1rOakkMLEhE8ZDOarYeOAimcctLRX3xN-BpvE/s1714/Screen+Shot+2021-02-18+at+10.36.17+AM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="948" data-original-width="1714" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAf05WRqe7sKhEKvw8oWi25FYwiQ4bbVB0EUW3nUSbRngTIdVBwu4TX1-TNRrNgjBpmumnjlLQXW_CfyUm3DIr4TE5NAmYo_vjT30Cak1rOakkMLEhE8ZDOarYeOAimcctLRX3xN-BpvE/w400-h221/Screen+Shot+2021-02-18+at+10.36.17+AM.png" width="400" /></a></div><br /><div><br /></div><div><b><br /></b></div><div>How to apply these principles?</div><div><br /></div><div>1. 
Allow user/group to create policies a.k.a delegate</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiV3e7q0IiQ08ANWfpQVEwqvGcYQbWArvxMCX7RM0udzuJx3nkuxEZDg3qb4lNchUraBS4Ea7a4-sDf-JhLKzsvorjJ5WPKqR00Yp7Ih4C9Th70iW3XUkE33kjxDD9gw_FvePYP793roI/s1292/Screen+Shot+2021-02-18+at+10.37.32+AM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="582" data-original-width="1292" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiV3e7q0IiQ08ANWfpQVEwqvGcYQbWArvxMCX7RM0udzuJx3nkuxEZDg3qb4lNchUraBS4Ea7a4-sDf-JhLKzsvorjJ5WPKqR00Yp7Ih4C9Th70iW3XUkE33kjxDD9gw_FvePYP793roI/w400-h180/Screen+Shot+2021-02-18+at+10.37.32+AM.png" width="400" /></a></div><br /><div>2. Allow the developer to create required roles and attach policies (managed policies), but only with enforced boundaries.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJWsWQVLkQEPrZQJRpErQLx9ZzxKAR0UvRF1zJ7A48JsQYvDij4yxzaz7BFGRxJrPlAOWxq2gthWtHlC02PXn9Je7P3SejZ9yiPd8Kgek8xBjZuEgaX81nn5HHpP-j4TURBqU9SJKjdfg/s1700/Screen+Shot+2021-02-18+at+10.43.27+AM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="942" data-original-width="1700" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJWsWQVLkQEPrZQJRpErQLx9ZzxKAR0UvRF1zJ7A48JsQYvDij4yxzaz7BFGRxJrPlAOWxq2gthWtHlC02PXn9Je7P3SejZ9yiPd8Kgek8xBjZuEgaX81nn5HHpP-j4TURBqU9SJKjdfg/w400-h221/Screen+Shot+2021-02-18+at+10.43.27+AM.png" width="400" /></a></div><div><br /></div>The overall workflow looks like this:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPbWbw9BLgSxH3a-Zh-NS-pXEQEpHyVzeLe43DygVM7eMxqQob9DcQ5NAk-xY4pfkIHsQQADZzl1e1Q5Y9ZO7vkx9oXcHj9OmvmY-AOOFrYbFw6Cul-IBxo70e9clEKjRAiHVzRfa-PpU/s1732/Screen+Shot+2021-02-18+at+10.45.18+AM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="942" data-original-width="1732" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPbWbw9BLgSxH3a-Zh-NS-pXEQEpHyVzeLe43DygVM7eMxqQob9DcQ5NAk-xY4pfkIHsQQADZzl1e1Q5Y9ZO7vkx9oXcHj9OmvmY-AOOFrYbFw6Cul-IBxo70e9clEKjRAiHVzRfa-PpU/w400-h217/Screen+Shot+2021-02-18+at+10.45.18+AM.png" width="400" /></a></div><br /><div><br /><div><h3><b>ABAC or Tag-based controls:</b></h3></div><div>Further extends IAM capabilities allowing resource Tags to become part of the access authorization process. </div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjek4cAqouAvgA0jB2bfak2-_7LiMXmW3RUFsLAlIlmcXgh0iDTjS_Q4PPUvkpXkwFJeciGqNeRnsUWZs-59Cwded6q_NXFZozpioGoOEZ1OTKfnVHRtWCooeuYwJ57GiMAjlpdYkeCCQE/s1696/Screen+Shot+2021-02-18+at+10.50.07+AM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="908" data-original-width="1696" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjek4cAqouAvgA0jB2bfak2-_7LiMXmW3RUFsLAlIlmcXgh0iDTjS_Q4PPUvkpXkwFJeciGqNeRnsUWZs-59Cwded6q_NXFZozpioGoOEZ1OTKfnVHRtWCooeuYwJ57GiMAjlpdYkeCCQE/w400-h214/Screen+Shot+2021-02-18+at+10.50.07+AM.png" width="400" /></a></div><br /><div>Examples of the steps:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRgRVHMtSQxzAP__OWxsDjPGvzIxhNUmebRCe3HKStEjNDpqm3hCPhc35ckC9HqUb-QKbp_30yJ1JGnCCR_ZwST2aDt1Pt69-Tq3Vmu2Aj5TycFqEFoiwbJWWJY26nbXFWCUrvOhy8JXg/s1678/Screen+Shot+2021-02-18+at+10.51.44+AM.png" 
style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="816" data-original-width="1678" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRgRVHMtSQxzAP__OWxsDjPGvzIxhNUmebRCe3HKStEjNDpqm3hCPhc35ckC9HqUb-QKbp_30yJ1JGnCCR_ZwST2aDt1Pt69-Tq3Vmu2Aj5TycFqEFoiwbJWWJY26nbXFWCUrvOhy8JXg/w400-h195/Screen+Shot+2021-02-18+at+10.51.44+AM.png" width="400" /></a></div><div><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAcVPdx9uVaxQFjO7a4zOcDtGwlbqUmUTadBxesHnaYqrr5rHlM1b4WqEQF7bTV78zVgfubrchAtC-tgs6JLsghyM5x2lxcii-WkbAzZVDoghTkfH8KneG7Nz1LgFcuzPOnCbEJCxAc7w/s1722/Screen+Shot+2021-02-18+at+11.03.18+AM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="810" data-original-width="1722" height="189" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAcVPdx9uVaxQFjO7a4zOcDtGwlbqUmUTadBxesHnaYqrr5rHlM1b4WqEQF7bTV78zVgfubrchAtC-tgs6JLsghyM5x2lxcii-WkbAzZVDoghTkfH8KneG7Nz1LgFcuzPOnCbEJCxAc7w/w400-h189/Screen+Shot+2021-02-18+at+11.03.18+AM.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyHEhp2ffTTj7HLnJLxuBfgI0Zqhy4cywllSJsHA-FGw1WcvoH2YCIv8ZJBJYmkWJx0myrK14woVNpDiglu9Bnt91n88gHF8iAOBDOFSBu-tUUTQ96QvBTTGb3xrMcYbTIBMfqt-3dszE/s1718/Screen+Shot+2021-02-18+at+11.05.50+AM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="832" data-original-width="1718" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyHEhp2ffTTj7HLnJLxuBfgI0Zqhy4cywllSJsHA-FGw1WcvoH2YCIv8ZJBJYmkWJx0myrK14woVNpDiglu9Bnt91n88gHF8iAOBDOFSBu-tUUTQ96QvBTTGb3xrMcYbTIBMfqt-3dszE/w400-h194/Screen+Shot+2021-02-18+at+11.05.50+AM.png" width="400" /></a></div><br 
/><div><br /></div><div>Potential Security issues? </div><div><ul style="text-align: left;"><li>Tags becoming the Key to the whole AWS kingdom. </li><li>The ability to create/manage tags must be extremely well enforced and controlled.</li><li>Not all AWS services support Tags (limited scope of usage)</li></ul></div><h3 style="text-align: left;"><b><br /></b></h3><h3 style="text-align: left;"><b>Service control policies (SCPs)</b></h3><div><ul style="text-align: left;"><li>Conditions could be used <b>only</b> in the DENY statements. <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html">Details here</a>.</li><li>Always remember about <a href="https://blog.it-security.ca/2021/01/lack-of-spelling-checks-for-aws-iam-api.html" target="_blank">spelling mistakes </a> in the IAM action names. </li><li>You can't attach more than 5 SCP policies to the OU/Account (Hard limit)</li><li>Policy size must be 5120 bytes max, including spaces. (Hard limit)</li></ul></div><h3 style="text-align: left;"><b>Access control lists (ACLs) </b></h3><div><b>Mistake prone groups: </b></div><div><ul style="text-align: left;"><li><b>Authenticated Users group: </b>represents all AWS accounts. Access permission to this group allows <b>any AWS account</b> to access the resource</li><li><b>All Users group: </b>Access permission to this group allows anyone in the world access to the resource. 
The requests can be signed (authenticated) or unsigned (anonymous)</li></ul></div><div><b><br /></b></div><h3 style="text-align: left;"><br /></h3></div><div><br /></div><div><br /></div><div><br /><div><br /></div><h2 style="text-align: left;">------------------------</h2><h3 style="text-align: left;">Reading list:</h3></div><div><br /></div><div>AWS IAM Privilege Escalation Methods by Rhino Labs : <a href="https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation">https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation</a> , <a href="https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/">https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/</a></div><div><br /></div><div>Investigating PrivEsc Methods in AWS: <a href="https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws">https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws</a></div><div><br /></div><div>AWS IAM Assume Role Vulnerabilities Found in Many Top Vendors: <a href="https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/">https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/</a></div><div><br /></div><div>Breaking Attacker Kill Chains in AWS: IAM Roles: <a href="https://disruptops.com/breaking-attacker-kill-chains-in-aws-iam-roles/">https://disruptops.com/breaking-attacker-kill-chains-in-aws-iam-roles/</a></div><div><br /></div><div>AWS IAM Exploitation: <a href="https://sra.io/blog/aws-iam-exploitation/">https://sra.io/blog/aws-iam-exploitation/</a></div><div><br /></div><div>How to use trust policies with IAM roles: <a href="https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/">https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/</a></div><div><br /></div><h4 style="text-align: left;">AWS videos:</h4><div><ul style="text-align: left;"><li><a href="https://www.youtube.com/watch?v=Zvz-qYYhvMk">AWS re:Invent 2019: [REPEAT 1] Getting 
started with AWS identity (SEC209-R1)</a></li><li><a href="https://www.youtube.com/watch?v=YQsK4MtsELU&t">AWS re:Invent 2018: [REPEAT 1] Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1)</a></li></ul></div><h4 style="text-align: left;">Tools:</h4><div><ul style="text-align: left;"><li><a href="https://github.com/nccgroup/PMapper">https://github.com/nccgroup/PMapper</a></li><li><a href="https://github.com/duo-labs/parliament">https://github.com/duo-labs/parliament</a></li><li><a href="https://github.com/salesforce/cloudsplaining">https://github.com/salesforce/cloudsplaining</a></li></ul></div><p></p></div>Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-656441600687195382021-01-24T20:19:00.004-05:002021-01-24T21:41:16.472-05:00Lack of the spelling checks for the AWS IAM API actions and security implications<p> The AWS IAM policy language is used everywhere:</p><p>- to define the IAM policy itself</p><p>- to define resource-based policies such as S3 bucket policies</p><p>- to define the most important AWS control - SCP (Service Control Policy)</p><p>- to define VPC endpoint policies </p><p>Let's take a look at the AWS IAM policy structure:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgxOkgpDL1JFaH7jkcLX_ragvL8oP-ZHsQSWMAaGxzHzLiioXpnGTLLYBDHx2UF41hq5I1Yhd4zi2S_JOPVtIqxBcouUXtd0TnspQGPBgS6vRMzeLpQw1I5Z-09c-GUCQ1S72PqmgzhiI/s1718/Screen+Shot+2021-01-24+at+7.19.40+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="958" data-original-width="1718" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgxOkgpDL1JFaH7jkcLX_ragvL8oP-ZHsQSWMAaGxzHzLiioXpnGTLLYBDHx2UF41hq5I1Yhd4zi2S_JOPVtIqxBcouUXtd0TnspQGPBgS6vRMzeLpQw1I5Z-09c-GUCQ1S72PqmgzhiI/w400-h223/Screen+Shot+2021-01-24+at+7.19.40+PM.png" width="400" /></a></div><br /><p class="MsoNormal" 
style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">This policy's vital element is "Action," which is a list of AWS APIs that will be Allowed or Denied by the policy. <u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">Currently, there are several thousands of AWS actions. A list of all of them could be found <a data-saferedirecturl="https://www.google.com/url?q=https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html&source=gmail&ust=1611628492660000&usg=AFQjCNF3vgyWMvDvnXc1taZPwKS6__QE4Q" href="https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html" style="color: #1155cc;" target="_blank"><span style="color: #4a6ee0;">here</span></a>. <u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">It's extremely easy to make a typo in the action name when you are creating a policy. 
</span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">But AWS will detect and warn you, right? </span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">Nope!</span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">It might come as a surprise even to experienced cloud engineers, but AWS does not verify the spelling of API actions. 
<u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">Proof: <a data-saferedirecturl="https://www.google.com/url?q=https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html&source=gmail&ust=1611628492660000&usg=AFQjCNEM6FdeBF5bsgBtxOHVhFIXpP72DA" href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html" style="color: #1155cc;" target="_blank"><span style="color: #4a6ee0;">https://docs.aws.<wbr></wbr>amazon.com/IAM/latest/<wbr></wbr>UserGuide/access_policies_<wbr></wbr>policy-validator.html</span></a><u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">Yes, when you are using a policy <a data-saferedirecturl="https://www.google.com/url?q=https://awspolicygen.s3.amazonaws.com/policygen.html&source=gmail&ust=1611628492660000&usg=AFQjCNFWh4fpSUICf1Jq9SYD2jjBdyFPQA" href="https://awspolicygen.s3.amazonaws.com/policygen.html" style="color: #1155cc;" target="_blank"><span style="color: #4a6ee0;">generator</span></a>, you can choose from the dropdown list of the available API actions. 
</span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">But if you are using the CLI, CloudFormation, Terraform, or any SDK, your policy will be accepted as long as it passes the policy syntax and grammar check (the policy grammar is validated, but not action names or resource ARNs).</span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">So what? Not a big deal? If the policy is not working, you can troubleshoot it using the <a data-saferedirecturl="https://www.google.com/url?q=https://policysim.aws.amazon.com/&source=gmail&ust=1611628492660000&usg=AFQjCNGtoyzMZdCibQyZrgmI3H6XaRKrzA" href="https://policysim.aws.amazon.com/" style="color: #1155cc;" target="_blank"><span style="color: #4a6ee0;">policy simulator</span></a> and find the problem, right? </span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">The challenge is that even the AWS-native policy simulator will not check the spelling of API action names. 
It will show whether the desired actions are allowed or blocked, but it will not point you to the simple typo in your policy. </span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">As long as your policy is for the ALLOW effect, it's not a big deal. You might spend some time troubleshooting and not understanding why access is not granted, but generally, it should be OK, right?</span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">Even in the case of ALLOW, not exactly: </span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">when you are using Infrastructure as Code, you might make a typo in a production-related IAM/SCP/etc. 
policy and cause quite an outage!</span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">What about policies that are supposed to protect, a.k.a. the DENY effect? Implications in this case might be quite catastrophic:</span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">- An SCP that implements your AWS account-level preventative controls will allow actions that you think you have blocked, making the controls non-existent.</span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">- An IAM policy will not protect against destructive or unsafe actions.</span></p><p class="MsoNormal" 
style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">- Resource-based policy might become unintentionally too open.<u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">Luckily, AWS has a second layer of protection ( and implicitDeny ) that, up to a certain extent, will compensate for such mistakes: as long as API call (Action name) is not explicitly Allowed, it will be deemed as implicitDeny. This helps and might save your backend, but not in all cases. Moreover, relying on this it's definitely a bad security practice. <u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">What could be a solution to the problem we just discussed? 
<u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">A process and a tool of the IAM policy validation for the syntax and spelling.<u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">The process is an IAM policy linting that must be done before any deployment or during PR review in your code repo.<u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">As for the tool, it might be home built linting tool (example: extension or rule to the CloudFormation Linter <a data-saferedirecturl="https://www.google.com/url?q=https://github.com/aws-cloudformation/cfn-python-lint&source=gmail&ust=1611628492660000&usg=AFQjCNEoK334EJZwfwnVsuxg49VEI2QUtg" 
href="https://github.com/aws-cloudformation/cfn-python-lint" style="color: #1155cc;" target="_blank"><span style="color: #4a6ee0;">https://github.com/aws-cloudformation/cfn-python-lint</span></a>) or an open-source linting tool that validates IAM action names (for example, <a href="https://github.com/duo-labs/parliament" style="color: #1155cc;" target="_blank"><span style="color: #4a6ee0;">https://github.com/duo-labs/parliament</span></a>).<u></u><u></u></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;"><br /></span></p><p class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; margin: 0px;"><span style="color: #0e101a; font-family: "Times New Roman", serif; font-size: 12pt;">Note: the tool must be regularly and automatically synced with the latest list of AWS IAM actions, or manually updated to reflect any changes AWS makes to it; with a stale list, the actions of newly launched services show up as false "unknown action" findings. </span></p><p><br /></p>Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com3tag:blogger.com,1999:blog-639364588792879566.post-37499542620248651942021-01-04T16:30:00.007-05:002021-01-05T19:49:35.229-05:00My notes on the AWS security: "Where we’ve been, where we’re going" reInvent 2020 session by Steve Schmidt. 
<p> </p><p>After finally having time to watch some AWS reInvent 2020 sessions over the holidays, I decided to make some notes and share them in case someone finds them useful.</p><p>My notes on the "Where we’ve been, where we’re going" reInvent 2020 session by Steve Schmidt:</p><h2 style="text-align: left;"><b><span style="font-size: medium;">Topics:</span></b></h2><p>1) 2020 security highlights </p><p>2) Security product launches </p><p>3) Enabling Zero Trust </p><p>4) Ten places to focus on today</p><h2 style="text-align: left;"><span style="font-size: medium;"><b><u>2020 security highlights (new features):</u></b></span></h2><p style="text-align: left;"><b>GuardDuty:</b></p><p style="text-align: left;"></p><ul style="text-align: left;"><li>new threat and service coverage </li><li>S3 protection (monitoring of S3 data events)</li><li>better organization support (a designated account manages GuardDuty across the organization)</li></ul><div><b>Firewall Manager:</b></div><div><ul style="text-align: left;"><li>support
for AWS WAF and
AWS Managed Rules</li><li>supports
centralized logging (for WAF)</li></ul></div><div><b>AWS Detective </b>now supports IAM role session analysis (better understanding of assumed-role cases)</div><p></p><p style="text-align: left;"><b>AWS IAM
Access Analyzer</b> now works at the organization level, with the organization as the zone of trust (very useful given the huge number of use cases) </p><p style="text-align: left;"><b>AWS Single Sign-On</b> adds AWS
CloudFormation
support</p><div style="text-align: left;"><b>ACM Private CA</b>:</div><p style="text-align: left;"></p><ul style="text-align: left;"><li>An ACM Private CA can be shared (using AWS RAM) with other accounts, allowing them to provision, manage, and deploy private certificates.</li><li>Better integration of the certificate lifecycle for the private CA with supported AWS services (LB, API GW, IoT, ...)</li><li>ACM supports 5x more API calls (performance)</li><li>ACM support for S3 bucket encryption (looks like only for CRL and audit report exports)</li></ul><p></p><p style="text-align: left;"><b>AWS Nitro Enclaves is GA</b>: use case: an isolated environment for very sensitive data. </p><p style="text-align: left;"><b>Amazon Macie</b>: costs reduced by up to 80%, plus a dashboard redesign.</p><div style="text-align: left;"><b>AWS Security Hub</b>:</div><p style="text-align: left;"></p><ul style="text-align: left;"><li>GA. </li><li>auto-remediation support</li><li>CIS, AWS best practices and PCI DSS security standards </li><li>prepackaged with 10 playbooks </li><li>Single dashboard for the patching status in Security Hub using AWS Patch Manager (part of Systems Manager) </li></ul><p></p><p style="text-align: left;"><b>AWS Detective</b> now supports VPC flow logs and does aggregation and dashboarding for them. 
</p><h2 style="text-align: left;"><span style="font-size: medium;"><u>Security product launches</u></span></h2><p><b>AWS Nitro Enclaves</b>: </p><p><b>AWS Audit Manager</b>: </p><p></p><ul style="text-align: left;"><li>continuously assesses controls for risk and compliance (proactively collects evidence, which helps a lot with evidence collection for the auditors) </li><li>Currently supports the following frameworks: CIS, GDPR, PCI DSS, plus your own assessment templates</li><li>Highlights: known and custom assessment templates, automated evidence collection, built-in audit workflow.</li></ul><div><b>Cloud Audit Academy</b> - training for auditors, to better understand what the cloud is and how to perform a cloud audit.</div><p></p><p><b>AWS Network Firewall</b> (based on the docs it looks like a managed Suricata IPS): </p><p></p><ul style="text-align: left;"><li>inspects all traffic entering or leaving a VPC.</li><li>zonal service with AZ-isolated inspection points</li><li>basically, a fleet of AWS-managed firewall EC2 instances behind a load balancer</li><li>supports DNS names in the firewall rules. </li><li>IDS/IPS functionality as well</li></ul><p></p><h2 style="text-align: left;"><span style="font-size: medium;"><u>Enabling Zero Trust </u></span></h2><p>Zero Trust - augmenting network-based controls with identity-based controls </p><p>Network:</p><p></p><ul style="text-align: left;"><li>First dimension</li><li> Network </li><li>Microperimeters? </li><li>Security above network? </li><li>Gateways or proxies? </li><li>More dynamic VPNs? </li><li> Combinations?</li></ul><p></p><p>Identity</p><p></p><ul style="text-align: left;"><li>Second dimension </li><li> Identity </li><li>Humans? </li><li>Machines? </li><li>Software components? </li><li>Combinations?</li></ul><p></p><p>Avoid the binary choice: just identity or just network controls. 
</p><p>One size doesn't fit all: in each case Zero Trust might, and will, be implemented differently.</p><h2 style="text-align: left;"><span style="font-size: medium;"><u>Ten places to focus on today:</u></span></h2><div><span style="font-size: medium;"><b>from 2019: </b></span></div><div><ol style="text-align: left;"><li>Accurate account info </li><li>Use MFA</li><li>No hard-coding secrets</li><li>Limit security groups</li><li>Intentional data policies</li><li>Centralize AWS CloudTrail logs</li><li>Validate IAM roles</li><li>Take action on GuardDuty findings</li><li>Rotate your keys</li><li>Be involved in dev cycle</li></ol></div><div><span style="font-size: medium;"><b><br /></b></span></div><div><span style="font-size: large;"><b>new ones (2020): </b></span></div><p></p><ol style="text-align: left;"><li>Use AWS Organizations</li><li>Understand your usage</li><li>Use cryptography services</li><li>Federation for human access</li><li>Block public access on accounts</li><li>Edge protect external resources </li><li>Patch and measure </li><li>No hard / soft defense (perimeter is both: Network and Identity)</li><li>Transparent leadership reviews</li><li>Diverse hiring</li></ol><p></p>Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-53581652014460726452020-05-28T23:19:00.003-04:002020-05-28T23:19:50.025-04:00Deployment time security audit using CloudFormation custom resource. <div dir="ltr" style="text-align: left;" trbidi="on">
<br />
To prevent deployment of potentially sensitive resources or infrastructure into an AWS account that might not meet the current organizational security standard, we can use an AWS CloudFormation custom resource to perform a quick security audit (a sanity check, really) of the account before proceeding with the deployment.<br />
<br />
Why do we need this if we can scan/audit the account as part of the CI/CD pipeline? For the cases when deployments are performed manually, or to have a CI/CD-independent, "portable" CloudFormation template with all security checks built in rather than bolted on.<br />
<br />
How it works:<br />
<br />
<ol style="text-align: left;">
<li>To your normal CloudFormation template you add a custom resource, and make the other resources depend on it (DependsOn); otherwise CloudFormation creates them in parallel with the check.</li>
<li>Technically, this custom resource is a Lambda function that is created and invoked during CloudFormation stack deployment.</li>
<li>The Lambda function performs a quick security audit of the account where the template is being deployed (quick, to stay within the custom resource timeout: if the function never responds, the stack hangs until CloudFormation gives up).</li>
<li>Based on the audit result, the Lambda returns a status that CloudFormation interprets as the outcome of the resource creation.</li>
<li>If the AWS environment passes the security check, deployment of the other resources in your stack continues as usual.</li>
<li>If it fails the check, the custom resource fails, and the stack deployment is interrupted and rolled back.</li>
</ol>
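<br />
As an added example (not the author's forthcoming code), here is what such a custom resource handler can look like in Python. It is deliberately split: run_checks() and build_response() are pure logic, and only gather_facts() talks to AWS through boto3, so the gate logic can be exercised offline with the constructed SAMPLE_EVENT and SAMPLE_FACTS included below. The three checks (a logging multi-region CloudTrail trail, account-level S3 Block Public Access, root MFA) are assumptions standing in for your own standard. Two details matter for a gate like this: a Delete request must always succeed so that a failed stack can still roll back, and every code path must send a response, because CloudFormation otherwise waits for its own timeout.<br />
<br />
```python
"""CloudFormation custom resource that gates a stack on a quick account
security audit. Added example, not the post's forthcoming code. Assumptions:
the three checks (a logging multi-region CloudTrail trail, account-level S3
Block Public Access, root MFA) stand in for your own standard, and the
function's role may call the read-only APIs used in gather_facts()."""
import json
import urllib.request

REQUIRED_PAB = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def run_checks(facts: dict) -> list[str]:
    """Pure policy logic over already-collected facts; returns the failed checks."""
    failures = []
    if not facts.get("cloudtrail_logging_multi_region"):
        failures.append("no multi-region CloudTrail trail is logging")
    pab = facts.get("s3_public_access_block") or {}
    if not all(pab.get(k) for k in REQUIRED_PAB):
        failures.append("S3 account-level Block Public Access is not fully enabled")
    if not facts.get("root_mfa_enabled"):
        failures.append("root user has no MFA device")
    return failures


def build_response(event: dict, log_stream: str, failures: list[str]) -> dict:
    """Body CloudFormation expects on the pre-signed ResponseURL. Delete always
    succeeds so a failed stack can still roll back and be deleted; only
    Create and Update are gated by the audit."""
    gated = event["RequestType"] in ("Create", "Update")
    passed = not (gated and failures)
    return {
        "Status": "SUCCESS" if passed else "FAILED",
        "Reason": "audit passed" if passed else "; ".join(failures),
        # Keep a stable id across Updates so CloudFormation does not schedule a Delete.
        "PhysicalResourceId": event.get("PhysicalResourceId") or log_stream,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": {"FailedChecks": len(failures)},
    }


def gather_facts() -> dict:
    """A handful of read-only calls, so the audit finishes well inside the
    custom resource timeout. boto3 is imported here so the two functions
    above stay testable without AWS."""
    import boto3
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    multi = any(t.get("IsMultiRegionTrail")
                and ct.get_trail_status(Name=t["TrailARN"])["IsLogging"]
                for t in trails)
    account = boto3.client("sts").get_caller_identity()["Account"]
    s3c = boto3.client("s3control")
    try:
        pab = s3c.get_public_access_block(AccountId=account)["PublicAccessBlockConfiguration"]
    except s3c.exceptions.NoSuchPublicAccessBlockConfiguration:
        pab = {}
    summary = boto3.client("iam").get_account_summary()["SummaryMap"]
    return {"cloudtrail_logging_multi_region": multi,
            "s3_public_access_block": pab,
            "root_mfa_enabled": summary.get("AccountMFAEnabled") == 1}


def handler(event, context):
    """Lambda entry point. Any exception becomes FAILED: if no response ever
    reaches the ResponseURL, CloudFormation hangs until its own timeout."""
    try:
        failures = run_checks(gather_facts()) if event["RequestType"] != "Delete" else []
    except Exception as exc:  # report the error rather than leave the stack hanging
        failures = [f"audit could not run: {exc}"]
    body = json.dumps(build_response(event, context.log_stream_name, failures)).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req).read()


# Constructed sample event and facts for running the gate logic offline.
SAMPLE_EVENT = {
    "RequestType": "Create", "ResponseURL": "https://cloudformation.invalid/response",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/uuid",
    "RequestId": "req-1", "LogicalResourceId": "SecurityGate",
    "ResourceProperties": {},
}
SAMPLE_FACTS = {"cloudtrail_logging_multi_region": True,
                "s3_public_access_block": {k: True for k in REQUIRED_PAB},
                "root_mfa_enabled": False}

if __name__ == "__main__":
    result = build_response(SAMPLE_EVENT, "log-stream-1", run_checks(SAMPLE_FACTS))
    print(json.dumps(result, indent=2))
```
<br />
In the template the resource is declared with a custom type (for example Type: Custom::SecurityGate) whose ServiceToken is the function's ARN, and every resource you want gated gets a DependsOn on it. For the facts gathered here the function's role needs cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, s3:GetAccountPublicAccessBlock, iam:GetAccountSummary and sts:GetCallerIdentity.<br />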
I will publish an example of such functionality on my <a href="https://github.com/ihorkravchuk">GitHub</a> shortly and will update this post with more details. </div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com7tag:blogger.com,1999:blog-639364588792879566.post-45186039514379962242020-05-24T21:26:00.003-04:002020-05-24T21:27:30.342-04:00Nmap.me new version - now with vulnerability scan<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
The service now:<br />
<ul style="text-align: left;">
<li>does a full TCP port scan and a vulnerability scan of the caller's IP</li>
<li>immediately performs and returns the TCP scan results, and starts the vulnerability scan in the background</li>
<li>visit nmap.me again in about 30 min (depending on load), and the vulnerability scan results (port, service, vulnerability, CVE) for your IP will be displayed </li>
<li>you can use the console-friendly endpoint <a href="http://scan.nmap.me/">scan.nmap.me</a>, or</li>
<li>the human-readable website: <a href="http://nmap.me/">nmap.me</a></li>
</ul>
<b>Scan results examples:</b><br />
<br />
Good scan results:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVyP8B1ErHttEuv_a3Q4Zr5WlCmPxcStET9SYxmtr2BX5yTKkXgs9ell5FGfcJOqZN1vv6mbSoPpboTSJGDXTP6QjDWuyKp8Lt65YJHeeLkjdNUr3qsUHUYzWRolwydKNzGRuVuT1-WCY/s1600/Screen+Shot+2020-05-24+at+9.17.51+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="647" data-original-width="1600" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVyP8B1ErHttEuv_a3Q4Zr5WlCmPxcStET9SYxmtr2BX5yTKkXgs9ell5FGfcJOqZN1vv6mbSoPpboTSJGDXTP6QjDWuyKp8Lt65YJHeeLkjdNUr3qsUHUYzWRolwydKNzGRuVuT1-WCY/s400/Screen+Shot+2020-05-24+at+9.17.51+PM.png" width="400" /></a></div>
<br />
Not so good scan results:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbA904TK2aJWHIjlr4ELrLlAeJQ33qjq25a97oPK8lZcayZrRqGE_Lo6j5FwVZQK89VEb14BYui7K5daF2VqwWA-y4wVodzWzc2jgW85mIFka892mRF9WJVRlNAwPNRowpchvt1FuGhqU/s1600/Screen+Shot+2020-05-24+at+9.23.16+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1346" data-original-width="1338" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbA904TK2aJWHIjlr4ELrLlAeJQ33qjq25a97oPK8lZcayZrRqGE_Lo6j5FwVZQK89VEb14BYui7K5daF2VqwWA-y4wVodzWzc2jgW85mIFka892mRF9WJVRlNAwPNRowpchvt1FuGhqU/s400/Screen+Shot+2020-05-24+at+9.23.16+PM.png" width="397" /></a></div>
<br />
<br />
<br />
As before, the service is built on AWS native capabilities using a serverless and containerized approach, and is designed to be extremely scalable.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNAA6sj1YI-oC7DWXSki2CWx6YDNcNPshvo4dsYxmOeLVjsNs9L5-EnRGieiydPjwD112C2RZlq_FfuD45fKH_rSr-f2p6SViHfKzrqabB7PEH-atvJvBNgbirwUngsOkEdW6sss9ZKXg/s1600/Nmap.me+%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1316" height="435" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNAA6sj1YI-oC7DWXSki2CWx6YDNcNPshvo4dsYxmOeLVjsNs9L5-EnRGieiydPjwD112C2RZlq_FfuD45fKH_rSr-f2p6SViHfKzrqabB7PEH-atvJvBNgbirwUngsOkEdW6sss9ZKXg/s640/Nmap.me+%25281%2529.png" width="640" /></a></div>
<br />
<div>
<br /></div>
<div>
<b>Quick FAQ:</b></div>
<div>
<b><br /></b></div>
<div>
<div>
<b>What's new?</b> Now it does a full vulnerability scan of the IP.</div>
<div>
<br /></div>
<div>
<b>What does it do?</b> Scans your external IP for open TCP ports and known vulnerabilities.</div>
<div>
<b>How to use it?</b> Simply run <code>curl scan.nmap.me</code> from your console/terminal or open the website in a browser. You get the TCP scan results immediately; visit the same page again in about an hour to get the vulnerability scan results.</div>
<div>
<b><br /></b></div>
<div>
<b>What does it scan for?</b> It uses an nmap NSE script to scan for known vulnerabilities, based on <a href="https://github.com/vulnersCom/nmap-vulners">https://github.com/vulnersCom/nmap-vulners</a></div>
<div>
<b><br /></b></div>
<div>
<b>How fast?</b> The whole TCP scan takes a few seconds and the results are shown immediately. After that the vulnerability scan starts; depending on backend load it might take about an hour. Then simply visit the same page again to get the vulnerability scan results. Scan results for each requester IP are cached for 1 hour (TCP scan) and 24 hours (vulnerability scan) to reduce load and prevent abuse.</div>
</div>
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-6352623785188852020-05-15T18:18:00.003-04:002020-05-15T18:18:53.418-04:00Using MFA with AWS CLI<div dir="ltr" style="text-align: left;" trbidi="on">
It is quite obvious nowadays that you must use MFA whenever it's available.<br />
Enabling MFA for your IAM user automatically enforces it for the AWS web console login. <br />
<br />
But what about the AWS CLI, your own code using the AWS SDK, and third-party SDK-based tools?<br />
In this case, to leverage MFA you need to enforce it with a "Condition" element in the IAM policy (the role's trust policy in the example below, or the user's own policy), as described in the following AWS manual:<br />
<a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html">https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html</a><br />
<br />
In a nutshell, something like this:<br />
<br />
Enforce MFA in the role's trust policy (the principal can assume the role only when MFA is present):<br />
<span style="color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">{</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"Version"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">: </span><span class="hljs-string" style="color: #0b6125; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"2012-10-17"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">,
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"Statement"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">: [
</span><span style="color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">{</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"Sid"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">: </span><span class="hljs-string" style="color: #0b6125; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">""</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">,
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"Effect"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">: </span><span class="hljs-string" style="color: #0b6125; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"Allow"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">,
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"Principal"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">: </span><span style="color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">{</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;"> </span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"AWS"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">: </span><span class="hljs-string" style="color: #0b6125; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"arn:aws:iam::123456789012:user/anika"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;"> },
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"Action"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">: </span><span class="hljs-string" style="color: #0b6125; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">"sts:AssumeRole"</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">,
</span><span style="color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; font-weight: 700; white-space: pre;"><span class="hljs-attr" style="color: #986801;">"Condition"</span>: { <span class="hljs-attr" style="color: #986801;">"Bool"</span>: { <span class="hljs-attr" style="color: #986801;">"aws:multifactorAuthPresent"</span>: <span class="hljs-literal" style="color: #0184bb;">true</span> } }</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">
}
]
}</span><br />
<br />
Add the MFA device to your AWS CLI profile:<br />
<br />
<span class="hljs-section" style="color: #794938; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">[profile role-with-mfa]</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">region</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;"> = us-west-</span><span class="hljs-number" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">2</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">role_arn</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">= arn:aws:iam::</span><span class="hljs-number" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">128716708097</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">:role/cli-role
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">source_profile</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;"> = cli-user
</span><span class="hljs-attr" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">mfa_serial</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;"> = arn:aws:iam::</span><span class="hljs-number" style="color: #986801; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">128716708097</span><span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">:mfa/cli-user</span><br />
<br />
Simple? Not exactly. Here are some tricky things not covered by the AWS documentation (at least I was not able to find them).<br />
<br />
1. The AWS documentation is a bit misleading: in the IAM statement and the text the user is named Anika, but all the CLI configs point to a non-existent CLI profile, "<span style="background-color: #f9f9f9; color: #16191f; font-family: Monaco, Menlo, Consolas, "Courier Prime", Courier, "Courier New", monospace; font-size: 14.88px; white-space: pre;">cli-user</span>".<br />
<br />
2. The AWS CLI MFA configuration (mfa_serial in a profile) works ONLY when you are assuming a role. Yep, if you have one simple account with a few users and groups (as many small companies do), you can't leverage this functionality without a small trick (item 3). The only other option is to call aws sts get-session-token with the MFA serial and token code yourself and export the returned temporary credentials, which a profile does not automate.<br />
<br />
3. You can still leverage MFA with the CLI by using a role:<br />
<br />
<ul style="text-align: left;">
<li>Strip all access from the user you log in with, except "sts:AssumeRole"; or, alternatively, enforce MFA for all actions using the condition from above. </li>
</ul>
Note:<br />If you strip all permissions, you will need to assume the role even when using the web UI.<br />
If you use the alternative approach and enforce MFA for all API actions, you can keep using the web UI without assuming a role, the same way as before.<br />
<ul style="text-align: left;">
<li>Create a role (example: <span style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-variant-ligatures: no-common-ligatures;">MyOrganizationAccountAccessRole</span>) to assume in the same account, with MFA enforced in its trust policy and all required access rights. If you have more than one account, create this role in the other accounts as well, with the same MFA enforcement condition.</li>
<li>Create an extra profile <span style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-variant-ligatures: no-common-ligatures;">my-account-mfa</span> (in addition to the main profile <span style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-variant-ligatures: no-common-ligatures;">my_account</span>) for accessing the same account (<span style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-variant-ligatures: no-common-ligatures;">my-account</span>) using this role: </li>
</ul>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">[profile my-account-mfa]</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">role_arn = arn:aws:iam::123456789:role/MyOrganizationAccountAccessRole</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">source_profile = my_account</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">mfa_serial = arn:aws:iam::123456789:mfa/it-security@ca</span></div>
<div class="p2" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; min-height: 14px;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">[profile my_account]</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">output = json</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">region = us-east-1</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">mfa_serial = arn:aws:iam::123456789:mfa/</span><span style="font-variant-ligatures: no-common-ligatures;">it-security@ca</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;"><br /></span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">[profile my_second_account]</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">role_arn = arn:aws:iam::987654321:role/MyOrganizationAccountAccessRole</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">source_profile = my_account</span></div>
<div class="p1" style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<span class="s1" style="font-variant-ligatures: no-common-ligatures;">mfa_serial = arn:aws:iam::123456789:mfa/it-security@ca</span></div>
<div>
<br /></div>
Note: all profiles reference the <span style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-variant-ligatures: no-common-ligatures;">my_account</span> profile as their source<br /><br />
<br />
If needed, create an extra profile (<span style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-variant-ligatures: no-common-ligatures;">my_second_account</span>) for any other account you need to access using the role.<br />
<br />
Use the <span style="background-color: rgba(0, 0, 0, 0.9); color: #2fff12; font-family: "Andale Mono"; font-size: 12px; font-variant-ligatures: no-common-ligatures;">my-account-mfa </span>profile for your CLI access to the main account or for any tools. You will see an MFA prompt, and after providing the MFA code everything will work like a charm.<br />
<br />
Enjoy and stay secure!</div>
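As an added check that is not part of the original post, the Python below validates a config in this layout: every profile that assumes a role must carry a well-formed role_arn, point at an existing source_profile, and enforce MFA via mfa_serial. SAMPLE_CONFIG is constructed (with 12-digit account IDs, as the ARN format requires) and includes one deliberately sloppy profile.

```python
"""Validate an AWS CLI config laid out as in the post: every profile that
assumes a role must carry a well-formed role_arn, point at an existing
source_profile, and enforce MFA via mfa_serial. Added example, not the
post's code; SAMPLE_CONFIG is constructed (12-digit account IDs)."""
import configparser
import re

# Constructed ~/.aws/config, including one deliberately sloppy profile.
SAMPLE_CONFIG = """
[profile my_account]
region = ca-central-1

[profile my-account-mfa]
role_arn = arn:aws:iam::123456789012:role/MyAdminRole
source_profile = my_account
mfa_serial = arn:aws:iam::123456789012:mfa/it-security@ca

[profile my_second_account]
role_arn = arn:aws:iam::987654321098:role/MyOrganizationAccountAccessRole
source_profile = my_account
mfa_serial = arn:aws:iam::123456789012:mfa/it-security@ca

[profile sloppy]
ole_arn = arn:aws:iam::987654321098:role/MyOrganizationAccountAccessRole
role_arn = arn:aws:iam:: 987654321098:role/MyOrganizationAccountAccessRole
source_profile = missing
"""

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
MFA_ARN = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+$")
# Keys this check understands; anything else is most likely a typo.
KNOWN_KEYS = {"region", "output", "role_arn", "source_profile", "mfa_serial",
              "external_id", "role_session_name", "duration_seconds"}


def check_config(text):
    """Return {profile_name: [problem, ...]} for profiles that have problems."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    # "[profile x]" sections are named x; "[default]" keeps its own name.
    names = {s[len("profile "):] if s.startswith("profile ") else s: s
             for s in cfg.sections()}
    problems = {}
    for name, section in names.items():
        keys = cfg[section]
        issues = [f"unknown key '{k}' (typo?)" for k in keys if k not in KNOWN_KEYS]
        if "role_arn" in keys:
            if not ROLE_ARN.match(keys["role_arn"]):
                issues.append("role_arn is not a valid IAM role ARN")
            src = keys.get("source_profile")
            if src is None:
                issues.append("role profile has no source_profile")
            elif src not in names:
                issues.append(f"source_profile '{src}' does not exist")
            mfa = keys.get("mfa_serial")
            if mfa is None:
                issues.append("role assumed without mfa_serial (MFA not enforced)")
            elif not MFA_ARN.match(mfa):
                issues.append("mfa_serial is not a valid MFA device ARN")
        if issues:
            problems[name] = issues
    return problems


if __name__ == "__main__":
    for profile, issues in check_config(SAMPLE_CONFIG).items():
        print(profile, "->", "; ".join(issues))
```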
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-23180099085852926402019-12-04T18:15:00.002-05:002019-12-04T18:15:45.644-05:00Nmap.me completely rebuilt<div dir="ltr" style="text-align: left;" trbidi="on">
To improve performance and service scalability, nmap.me was completely rebuilt, leveraging AWS native services and a serverless approach.<br />
<br />
Now the service:<br />
<ul style="text-align: left;">
<li>supports both http and https</li>
<li>has a dedicated scanning endpoint: <a href="http://scan.nmap.me/">scan.nmap.me</a></li>
<li>has a human-readable website: <a href="http://nmap.me/">nmap.me</a></li>
<li>the scanning endpoint is now API driven and will support REST API calls for advanced functionality</li>
<li>is serverless and scalable</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAXoqeevju2SZ0dPJQZEPKPft5Tu0YfxllyuQW4IRuniUuqYnG6pv-NA4XcURxKlpCpxiw_lqqfPxcf3BE5ZEP1Fg46ibnASYCp90x5Vp15lxFOG1nPRxnmOeRubSZXVgwPW8YigyqFQ8/s1600/Nmap.me.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="640" data-original-width="1291" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAXoqeevju2SZ0dPJQZEPKPft5Tu0YfxllyuQW4IRuniUuqYnG6pv-NA4XcURxKlpCpxiw_lqqfPxcf3BE5ZEP1Fg46ibnASYCp90x5Vp15lxFOG1nPRxnmOeRubSZXVgwPW8YigyqFQ8/s400/Nmap.me.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Main functionality so far unchanged: </div>
<b>What does it do?</b> TCP scan of your external IP.<br />
<b>What does it scan for:</b> The 100 most used TCP ports. Actually a bit more than 100 - I'm slowly adding more ports.<br />
<b>How to use:</b> simply <i><b><span style="background-color: black; color: white;">curl scan.nmap.me</span></b></i> from your console/terminal, open it in a browser, or visit nmap.me (JavaScript will trigger the scan)<br />
<b>How fast:</b> the whole scan takes about a second. Results for each requester IP are cached for 1 hour to reduce load and prevent abuse.<br />
<br />
<b>Why? </b>I needed a quick way to check open ports on a server/gateway/fw/router from inside the console.<br />
<div>
<br /></div>
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-13418896331451163182019-05-04T12:50:00.003-04:002019-05-04T12:51:15.323-04:00Awesome list of Native AWS logging capabilities<div dir="ltr" style="text-align: left;" trbidi="on">
While looking at the centralized logging capabilities of AWS and going through a bunch of documentation, I noticed the lack of one "big table" where I could find all AWS native logging capabilities per service and the up-to-date service coverage of the AWS CloudWatch Logs service.<br />
Building a big table is not really version-control friendly, so please welcome:<br />
<br />
Awesome list of Native AWS logging capabilities:<br />
<a href="https://github.com/IhorKravchuk/it-security/blob/master/AWS_logging.md">https://github.com/IhorKravchuk/it-security/blob/master/AWS_logging.md</a><br />
<br />
While I was building this list, some services had already changed their capabilities, causing some information in the list to be out of sync.<br />
I'll try my best to regularly review existing services and keep adding new ones, but if you find a mistake or would like to contribute, feel free to contact me or create a PR.</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-13380250545489165852019-04-12T21:38:00.001-04:002019-04-12T21:52:18.755-04:00Using Terraform to create project and users required in GCP and GSuite <div dir="ltr" style="text-align: left;" trbidi="on">
This article is more of a quick HOWTO/QuickNote page on starting to use Terraform with GCP, granting the required permissions, connecting Terraform to GSuite, and creating users and projects using Terraform.<br />
<br />
Connect Terraform to GCP:<br />
<br />
1. Download and install Google Cloud SDK: https://cloud.google.com/sdk/install<br />
<br />
2. Initialize the SDK: <span style="background-color: #cccccc;">gcloud init </span><br />
This process will launch a browser-based authorization flow: https://cloud.google.com/sdk/docs/initializing<br />
<br />
3. Use the browser to create a project and a service account and download its credentials: https://cloud.google.com/sdk/docs/authorizing Note: you need to have a GCP billing account and payment method configured first. You can use the CLI as well:<br />
<br />
<span style="background-color: #cccccc;">gcloud projects list</span><br />
<span style="background-color: #cccccc;">gcloud beta billing accounts list</span><br />
<span style="background-color: #cccccc;">gcloud beta billing projects link infosec-gcp --billing-account 01122-74525-1222</span><br />
<span style="background-color: #cccccc;">gcloud config list</span><br />
<span style="background-color: #cccccc;">gcloud iam service-accounts create infosec-terraform --display-name "Infosec Terraform admin account"</span><br />
<span style="background-color: #cccccc;">gcloud iam service-accounts keys create ~/.config/gcloud/infosec-terraform-admin.json --iam-account infosec-terraform@infosec-gcp.iam.gserviceaccount.com</span><br />
<br />
4. Give the appropriate permissions to Terraform:<br />
<span style="background-color: white;">get your organization ID</span><br />
<span style="background-color: #cccccc;">gcloud organizations list</span><br />
<br />
Enable the IAM API (yes, you need to enable each API you are planning to use with GCP; they are disabled by default). You can check which services are enabled with gcloud services list, or list everything that can be enabled with gcloud services list --available<br />
<span style="background-color: #cccccc;">gcloud services enable iam.googleapis.com</span><br />
<br />
Check the existing IAM policies in your org:<br />
<span style="background-color: #cccccc;">gcloud organizations get-iam-policy ORGANIZATION_ID</span><br />
<br />
Grant all required permissions (example; note that roles/owner at the organization level is far broader than project creation needs, so scope it down to what your Terraform actually manages):<br />
<span style="background-color: #cccccc;">gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/resourcemanager.projectCreator</span><br />
<span style="background-color: #cccccc;"><br /></span>
<span style="background-color: #cccccc;">gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/billing.user</span><br />
<span style="background-color: #cccccc;"><br /></span>
<span style="background-color: #cccccc;">gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/owner</span><br />
<br />
5. Start using Terraform from my example to create a project and grant access to it.<br />
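As an added check tied to step 4 (not the post's code), the Python below audits the organization IAM policy for the Terraform service account: POLICY is constructed in the shape returned by gcloud organizations get-iam-policy ORGANIZATION_ID --format=json, and NEEDED_ROLES is my assumption of the minimum for the project-creation use case.

```python
"""Audit the organization-level IAM bindings granted to the Terraform
service account in step 4. Added example, not the post's code: POLICY is
constructed in the shape of `gcloud organizations get-iam-policy
ORGANIZATION_ID --format=json`, and NEEDED_ROLES is an assumption for the
project-creation use case (the post also grants roles/owner, which this
check flags)."""
import copy

TERRAFORM_SA = "serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com"

# Basic roles grant blanket access; bound at organization scope they reach
# every current and future project, far more than Terraform needs here.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Assumed minimum for creating projects and linking them to billing.
NEEDED_ROLES = {"roles/resourcemanager.projectCreator", "roles/billing.user"}

# Constructed policy containing the three bindings from the post.
POLICY = {
    "bindings": [
        {"role": "roles/resourcemanager.projectCreator", "members": [TERRAFORM_SA]},
        {"role": "roles/billing.user", "members": [TERRAFORM_SA]},
        {"role": "roles/owner", "members": ["user:admin@example.com", TERRAFORM_SA]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}


def roles_for(policy, member):
    """All roles bound to `member` anywhere in the policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, member, needed=NEEDED_ROLES):
    """Return (basic roles held, roles beyond `needed`, needed roles missing),
    each sorted, so the caller can tighten or complete the grant."""
    roles = roles_for(policy, member)
    return (sorted(roles & BASIC_ROLES),
            sorted(roles - needed),
            sorted(needed - roles))


def remove_member_from_role(policy, member, role):
    """Copy of the policy with `member` dropped from the `role` binding, the
    same effect as `gcloud organizations remove-iam-policy-binding`.
    Bindings left without members are dropped."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


if __name__ == "__main__":
    basic, extra, missing = audit(POLICY, TERRAFORM_SA)
    print("basic roles:", basic, "extra:", extra, "missing:", missing)
    tightened = remove_member_from_role(POLICY, TERRAFORM_SA, "roles/owner")
    print("after tightening:", audit(tightened, TERRAFORM_SA))
```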
<br />
The only missing part is actually users.<br />
<b>Connecting Terraform to GSuite:</b><br />
<br />
Why do we need GSuite at all? GCP does not provide any built-in identity and relies on user identities from Gmail, GSuite or Google Cloud Identity (plus service accounts).<br />
<br />
As an AWS user I really love having user/group management and infra/project creation in the same automation tool. Unfortunately, user/GSuite functionality is not provided by the GCP Terraform provider. Luckily, there is a pretty nice open-source Terraform provider for GSuite written by DeviaVir: <a href="https://github.com/DeviaVir/terraform-provider-gsuite">https://github.com/DeviaVir/terraform-provider-gsuite</a><br />
At the time I tested it, some group membership functionality was still lacking idempotency, but using the approach from my example everything started to work like a charm.<br />
<br />
So, finally, the code:<br />
<a href="https://github.com/IhorKravchuk/it-security/tree/master/GCP">https://github.com/IhorKravchuk/it-security/tree/master/GCP</a><br />
<br />
<br />
PS.<br />
Way more details and examples are in the articles below:<br />
<a href="https://medium.com/@josephbleroy/using-terraform-with-google-cloud-platform-part-1-n-6b5e4074c059">https://medium.com/@josephbleroy/using-terraform-with-google-cloud-platform-part-1-n-6b5e4074c059</a><br />
<a href="https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform">https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform</a><br />
<a href="https://cloud.google.com/community/tutorials/getting-started-on-gcp-with-terraform">https://cloud.google.com/community/tutorials/getting-started-on-gcp-with-terraform</a><br />
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com4tag:blogger.com,1999:blog-639364588792879566.post-81634046547916124262019-02-26T14:25:00.001-05:002019-02-26T14:25:18.453-05:00Revamping AWS APIs' security review and SCP policy generation process.<div dir="ltr" style="text-align: left;" trbidi="on">
AWS provides an endless amount of capabilities and services. Unleashing all this power without a proper security review process is extremely risky.<br />
Each service, and quite often even each API call, should be reviewed and evaluated against the organizational security standards and compliance requirements. Yes, but... currently AWS has about 170 services and an endless number of APIs. AWS constantly evolves, introduces new services and APIs, and modifies existing ones.<br />
One of the biggest challenges for me was finding a way to automatically fetch an up-to-date, annotated list of the services and APIs provided by AWS. Luckily, <a href="https://aws.amazon.com/developer/community/heroes/matt-weagle/">Matt Weagle</a> suggested using the AWS Go SDK as a source of truth. This <a href="https://github.com/aws/aws-sdk-go/tree/master/models/apis" target="_blank">SDK</a> provides well-documented lists of the AWS APIs (<a href="https://github.com/aws/aws-sdk-go/blob/master/models/apis/budgets/2016-10-20/docs-2.json">docs-2.json</a>)<br />
<br />
I crafted a small Python program that builds/updates the following YAML files (one per service) using the JSON files as a source:<br />
<br />
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187s1">guardduty:</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">description: Assess, monitor, manage, and remediate security issues across your</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">AWS infrastructure, applications, and data.</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">links: [http://guardduty.docs.here]</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">security_risk: Cloud IDS</span><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">Allowed_on:</span><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">- Prod_en</span><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">Denied_on:</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">- none</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187s1">AcceptInvitation:</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">description: Accepts the invitation to be monitored by a master GuardDuty account.</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">links: [https://awsdocs.com]</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">security_risk: should be allowed only from trusted accounts</span><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">Allowed_on:</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">- none</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">Denied_on:</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">- none</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187s1">ArchiveFindings:</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">description: Archives Amazon GuardDuty findings specified by the list of finding</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">IDs.</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">links: []</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">security_risk: Not defined</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">Allowed_on:</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">- none</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">Denied_on:</span><u></u><u></u></div>
<div class="m_1192564069087286187p1" style="background: black; color: #28fe14; font-family: "Andale Mono"; font-size: 9pt; margin: 0cm 0cm 0.0001pt;">
<span class="m_1192564069087286187apple-converted-space"> </span><span class="m_1192564069087286187s1">- none</span></div>
<br />
The structure of this file is quite self-explanatory and simplifies the security review (still a manual process) of the AWS APIs. During the security review, you specify which services/APIs are enabled/disabled and on which environments by adding the environment name to the <b>Allowed_on</b> and <b>Denied_on</b> lists. The files are stored in a git repo.<br />
<br />
After the review, using these files as a source of truth, I (actually another Python program) generate an SCP (Service Control Policy) for the AWS Organization's accounts, IAM policies and permission boundaries (depending on the case).<br />
Due to the <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html">very strict SCP size restrictions</a>, generating this policy using automation allows you to:<br />
<br />
<ul style="text-align: left;">
<li>aggregate APIs using wildcards to reduce SCP size</li>
<li>validate API wildcards, preventing unintentional service exposure/blockage</li>
<li>cross-check the APIs to avoid whitelisting/blacklisting conflicts</li>
<li>re-generate/validate the SCP if AWS introduces new API calls/services</li>
</ul>
<div>
Everything mentioned above is valid not only for SCPs, but also for the IAM policy/permission boundary generation process.</div>
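To make the generation step concrete, here is an added Python sketch (not the author's closed-source tool) of the SCP generation with the wildcard aggregation, cross-check and size check described above. REVIEWS is constructed to mirror the YAML structure shown, with the IAM action prefix assumed to equal the service file name.

```python
"""Generate a deny-list SCP from per-service API review files.

Added example, not the post's closed-source tool. REVIEWS is constructed
to mirror the YAML structure shown in the post: one file per service whose
top-level keys are the service itself plus one key per API call, each with
Allowed_on / Denied_on environment lists (the literal "none" means empty).
The IAM action prefix is assumed to equal the service file name."""
import json

# AWS quota for an SCP document (bytes); generation must stay under it.
SCP_MAX_BYTES = 5120

# Constructed sample, as if loaded from guardduty.yaml and ec2.yaml.
REVIEWS = {
    "guardduty": {
        "guardduty": {"security_risk": "Cloud IDS",
                      "Allowed_on": ["Prod_en"], "Denied_on": ["none"]},
        "AcceptInvitation": {"security_risk": "trusted accounts only",
                             "Allowed_on": ["none"], "Denied_on": ["Prod_en"]},
        "ArchiveFindings": {"security_risk": "Not defined",
                            "Allowed_on": ["none"], "Denied_on": ["none"]},
    },
    "ec2": {
        "ec2": {"security_risk": "not approved for this environment",
                "Allowed_on": ["none"], "Denied_on": ["Prod_en"]},
        "DescribeInstances": {"Allowed_on": ["none"], "Denied_on": ["none"]},
    },
}


def listed(entry, key, env):
    """True if env appears in entry[key]; the literal 'none' is ignored."""
    return env in [e for e in entry.get(key, []) if e != "none"]


def find_conflicts(reviews, env):
    """Cross-check the review: an API must not be both allowed and denied for
    env, and an API allowed for env must not sit under a service that is
    denied as a whole (the service wildcard would silently block it)."""
    conflicts = []
    for service, entries in reviews.items():
        svc = entries.get(service, {})
        svc_denied = listed(svc, "Denied_on", env)
        if svc_denied and listed(svc, "Allowed_on", env):
            conflicts.append(f"{service}: service both allowed and denied")
        for api, entry in entries.items():
            if api == service:
                continue
            allowed = listed(entry, "Allowed_on", env)
            denied = listed(entry, "Denied_on", env)
            if allowed and denied:
                conflicts.append(f"{service}:{api}: both allowed and denied")
            elif allowed and svc_denied:
                conflicts.append(f"{service}:{api}: allowed but masked by {service}:*")
    return conflicts


def denied_actions(reviews, env):
    """Collect IAM actions to deny for env, aggregating a fully denied
    service into one 'service:*' wildcard to keep the SCP small."""
    actions = []
    for service, entries in reviews.items():
        if listed(entries.get(service, {}), "Denied_on", env):
            actions.append(f"{service}:*")
            continue
        for api, entry in entries.items():
            if api != service and listed(entry, "Denied_on", env):
                actions.append(f"{service}:{api}")
    return sorted(actions)


def build_scp(reviews, env):
    """Return the SCP document for env, or raise if the review data conflicts
    or the generated policy exceeds the SCP size quota."""
    conflicts = find_conflicts(reviews, env)
    if conflicts:
        raise ValueError("review conflicts: " + "; ".join(conflicts))
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            # Sid must be alphanumeric, so strip underscores from the env name.
            "Sid": "DenyReviewed" + "".join(c for c in env if c.isalnum()),
            "Effect": "Deny",
            "Action": denied_actions(reviews, env),
            "Resource": "*",
        }],
    }
    size = len(json.dumps(policy, separators=(",", ":")).encode())
    if size > SCP_MAX_BYTES:
        raise ValueError(f"SCP is {size} bytes, over the {SCP_MAX_BYTES} quota")
    return policy


if __name__ == "__main__":
    print(json.dumps(build_scp(REVIEWS, "Prod_en"), indent=2))
```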
<div>
<br /></div>
<div>
This automated approach opens another possibility: automated compliance validation for AWS. Using the same <b>yaml</b> files as a source of truth, perform API calls against AWS to ensure that the denied calls actually fail. This step could be done after deployment (to validate the deployment) or on a regular basis (audit).<br />
<br />
PS. Unfortunately code of the tools can't be open-sourced as of now.</div>
<div>
<br /></div>
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-75238231980029190252018-11-27T14:32:00.001-05:002018-11-27T14:32:04.276-05:00AWS Landing Zones current docs<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
It took me quite some time to find the latest official AWS Landing Zone docs. </div>
<div style="text-align: left;">
To save you time, here they are <span style="font-size: x-small;">(<span style="font-family: Georgia;">November </span><span style="color: #212120; font-family: Georgia;">2018</span>):</span></div>
<br />
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2;">
Deployment Guide:</div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2;">
<a href="https://s3.amazonaws.com/solutions-reference/aws-landing-zone/latest/aws-landing-zone-implementation-guide.pdf" target="_blank">https://s3.amazonaws.com/solutions-reference/aws-landing-zone/latest/aws-landing-zone-implementation-guide.pdf</a></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2;">
<br /></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2;">
User Guide:</div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2;">
<a href="https://s3.amazonaws.com/solutions-reference/aws-landing-zone/latest/aws-landing-zone-user-guide.pdf" target="_blank">https://s3.amazonaws.com/solutions-reference/aws-landing-zone/latest/aws-landing-zone-user-guide.pdf</a></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2;">
<br /></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2;">
Developer Guide:</div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2;">
<a href="https://s3.amazonaws.com/solutions-reference/aws-landing-zone/latest/aws-landing-zone-developer-guide.pdf" target="_blank">https://s3.amazonaws.com/solutions-reference/aws-landing-zone/latest/aws-landing-zone-developer-guide.pdf</a></div>
<br />
Please be aware that before deploying the AWS Landing Zone solution in your account, you need to contact AWS Support to get the default AWS account limits extended.</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-32136987381798190582018-09-26T16:02:00.002-04:002018-09-26T16:02:50.771-04:00nmap.me<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-size: large;">Happy to present a new self-scan service - nmap.me:</span><br />
<br />
<b>What does it do?</b> TCP scan of your external IP.<br />
<b>What does it scan for:</b> The 100 most used TCP ports. Actually a bit more than 100 - I'm slowly adding more ports.<br />
<b>How to use:</b> simply <i><b><span style="background-color: black; color: white;">curl nmap.me</span></b></i> from your console/terminal or open it in a browser.<br />
<b>How fast:</b> the whole scan takes about a second. Results for each requester IP are cached for 1 hour to reduce load and prevent abuse.<br />
<br />
<b>Why? </b>I needed a quick way to check open ports on a server/gateway/fw/router from inside the console.<br />
<br />
<b>New features?</b> Coming...<br />
<b>Feature request, bug, service down?</b> Let me know!</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-51500653724058573172018-01-30T09:37:00.001-05:002018-01-30T09:37:55.227-05:00AWS Route53 DNS records backup/change using the AWS CLI<div dir="ltr" style="text-align: left;" trbidi="on">
<b>Challenge</b>:<br />
you need to change a lot of DNS records inside an AWS Route53 hosted zone. In prod...<br />
<i> Let's skip the obvious question of why these DNS records are not managed as Infrastructure-as-Code..</i><br />
Sure thing, you need to back up all these records prior to the change for rollback purposes.<br />
<br />
<b>Solution: </b><br />
1. Create a list of the DNS names to change<br />
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">cat multisitest.it-security.ca.list </span></div>
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">test1.it-security.ca.</span></div>
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">test2.</span>it-security.ca.</div>
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">test3.</span>it-security.ca.</div>
<br />
2. Get the zone ID from the AWS CLI:<br />
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">aws route53 list-hosted-zones</span></div>
<br />
3. Normally <span style="background-color: rgba(0 , 0 , 0 , 0.901961); color: #28fe14; font-family: "andale mono"; font-size: 15px;">aws route53 list-resource-record-sets --hosted-zone-id Z1YS</span><br />
will give you JSON, but unfortunately it's not useful for a quick restore because its format differs from the change-resource-record-sets JSON file you need in order to change/restore records.<br />
<br />
4. With a quick and quite dirty bash loop we can get better-formatted JSON:<br />
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">while read site; do echo '{ "Action": "UPSERT","ResourceRecordSet":'; aws route53 list-resource-record-sets --hosted-zone-id Z1YS --query "ResourceRecordSets[?Name == '$site']" --profile it-sec | jq .[] ; echo "},"; done < </span>multisitest.it-security.ca.list > multisitest.it-security.ca.back.json</div>
<br />
This file has almost everything needed to build a change-batch file for the AWS CLI: <a href="https://docs.aws.amazon.com/cli/latest/reference/route53/change-resource-record-sets.html">https://docs.aws.amazon.com/cli/latest/reference/route53/change-resource-record-sets.html</a><br />
Almost.. We need to add<br />
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">{</span></div>
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> "Comment": "Point some Test TLS1.2 enviroments to the Incapsula",</span></div>
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> "Changes": [</span></div>
at the beginning of the change set, and<br />
remove the trailing "<b>,</b>" after the last change and add<br />
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> ]</span></div>
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">}</span></div>
at the end.<br />
<br />
5. Now you have the Route53 DNS records backed up and ready to restore.<br />
The next step is to create a copy of your backup file and modify it to reflect the changes you need to make.<br />
<br />
6. Final step: apply your changes:<br />
<div style="background-color: rgba(0, 0, 0, 0.901961); color: #28fe14; font-family: "Andale Mono"; font-size: 15px; font-stretch: normal; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">aws route53 change-resource-record-sets --hosted-zone-id Z1YS --change-batch file://multisitest.it-security.ca.json --profile it-sec</span></div>
<br />
7. And, in case of disaster, use the same command to roll back quickly, specifying the backup file:<br />
<br />
<span style="background-color: rgba(0 , 0 , 0 , 0.901961); color: #28fe14; font-family: "andale mono"; font-size: 15px;">aws route53 change-resource-record-sets --hosted-zone-id Z1YS --change-batch file://multisitest.it-security.ca.back.json --profile it-sec</span><br />
<br />
<br />
<br />
<br />
<br /></div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-80821108855011637532018-01-20T21:22:00.001-05:002018-01-20T21:22:16.732-05:00Secure your AWS account using Terraform and CloudFormation<div dir="ltr" style="text-align: left;" trbidi="on">
<i>This is a heavily updated version of the blog post: </i><a href="http://blog.it-security.ca/2016/11/secure-your-aws-account-using.html">http://blog.it-security.ca/2016/11/secure-your-aws-account-using.html</a><br />
<br />
As I mentioned before:<br />
The very first thing you need to do while building your AWS infrastructure is to enable and configure all the AWS account-level security features: CloudTrail, AWS Config, CloudWatch, IAM, etc.<br />
<br />
Time flies when you're having fun, and flies even faster in the infosec world. My templates have become outdated, so I'm presenting an updated version of the AWS security automation with the following new features:<br />
<br />
<ol style="text-align: left;">
<li>integrated with Terraform (use the Terraform templates in the folder <b>tf</b>)</li>
<li>creates the prerequisites for Splunk integration (user, key, SNS and SQS)</li>
<li>configures cross-account access (for multi-account organizations, adding ITOrganizationAccountAccessRole with MFA enforced)</li>
<li>implements Section 3 (Monitoring) of the <b>CIS Amazon Web Services Foundations Benchmark</b></li>
<li>configures CloudTrail according to the new best practices (KMS encryption, log file validation, etc.)</li>
<li>configures a basic set of AWS Config rules to monitor best practices</li>
</ol>
First, my security framework now consists of two main parts: cf (CloudFormation) and tf (Terraform), with the Terraform template acting as the bootstrapper of the whole deployment.<br />
<br />
You can use Terraform, you can use CloudFormation, but why both?<br />
Terraform evolves very quickly, has cross-cloud support and implements some features missing in CloudFormation (such as the account-level password policy); CloudFormation is native to AWS, well supported and, most importantly, AWS provides a lot of best practices and solutions in the form of CloudFormation templates.<br />
<br />
Using both (tf and cf) gives me (and you) the ability to reuse solutions suggested and provided by AWS without rewriting the code, the flexibility and power of Terraform, and one single interface for the whole cloud automation.<br />
No more bucket pre-creation or a specific CloudFormation deployment order: just <b>terraform apply</b>. It takes care of all CloudFormation prerequisites, version control and template updates.<br />
But, if you wish, at the current state you can still use only my CloudFormation templates; cf still does all the heavy lifting.<br />
<br />
The main trick of the Terraform and CloudFormation integration was telling Terraform when a CloudFormation template has been updated, so that Terraform triggers the cf stack update.<br />
I achieved this using an S3 bucket with versioning enabled and always updating (just bumping the template version) <b>security.global.yaml</b>: the stack's template URL carries the S3 object version ID, so every new upload yields a new URL and Terraform sees a change to apply.<br />
<br />
This code (Terraform 0.11-era HCL syntax) takes care of the Terraform and CloudFormation integration:<br />
<pre style="background-color: #f9f9f9; border: 1px solid rgb(221, 221, 221); font-family: monospace, Courier; font-size: 14px; line-height: 1.3em; padding: 1em; white-space: pre-wrap;"># creating Security CloudFormation stack

resource "aws_cloudformation_stack" "Security" {
  name       = "Security"
  # the stack is created only after all nested templates have been uploaded to S3
  depends_on = ["aws_s3_bucket_object.iam_global", "aws_s3_bucket_object.cloudtrailalarms_global", "aws_s3_bucket_object.awsconfig_global", "aws_s3_bucket_object.cloudtrail_global", "aws_s3_bucket_object.security_global"]
  parameters {
    AccountNickname = "${var.enviroment_name}",
    CompanyName     = "${var.company_name}",
    MasterAccount   = "${var.master_account}"
  }
  # the object version ID in the URL changes on every upload; that change is what makes Terraform update the stack
  template_url = "https://s3.amazonaws.com/${aws_s3_bucket.CFbucket.bucket}/${var.security_global}?versionId=${aws_s3_bucket_object.security_global.version_id}"
  capabilities = [ "CAPABILITY_NAMED_IAM" ]
  tags { "owner" = "infosec"}
}</pre>
<br />
And finally the deployment steps are:<br />
<br />
<ol style="text-align: left;">
<li>Get the code from my git repo: <a href="https://github.com/IhorKravchuk/it-security">https://github.com/IhorKravchuk/it-security</a></li>
<li>Switch to the <b>tf</b> folder and update <b>terraform.tfvars</b>, specifying: your AWS profile name (configured for the AWS CLI using <b>aws configure --profile profile_name</b>); a name for the environment (prod, test, dev, ...); the company (or division) name; the region; and the AWS master account ID.</li>
<li><b>terraform init</b> to have Terraform download the AWS provider</li>
<li><b>terraform plan</b>, and review the IAM and CloudTrail changes it reports before going further</li>
<li><b>terraform apply</b></li>
</ol>
<br />
<br /></div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-46547501305480777452017-07-24T15:51:00.000-04:002017-07-24T15:52:44.576-04:00S3 buckets audit: check bucket's public access level, etc .. updated with authorised audit support<div dir="ltr" style="text-align: left;" trbidi="on">
In my previous post, <a href="http://blog.it-security.ca/2017/07/s3-buckets-audit-check-bucket-existence.html" target="_blank">S3 buckets audit: check bucket existence, public access level, etc - without having access to target AWS account</a>, I described and released a tool to audit S3 buckets even without access to the AWS account these buckets belong to.<br />
<br />
But what if I do have access to the bucket's account, or I would like to audit all the buckets in my own AWS account?<br />
<br />
These features are addressed in the new release of the S3 audit tool:<br />
<br />
<a href="https://github.com/IhorKravchuk/it-security/tree/master/scripts.aws" target="_blank">https://github.com/IhorKravchuk/it-security/tree/master/scripts.aws</a><br />
<span style="background-color: #eeeeee;"><br /></span>
<span style="background-color: #eeeeee;">$python aws_test_bucket.py --profile prod-read --bucket bucket2test</span><br />
<span style="background-color: #eeeeee;"><br /></span>
<span style="background-color: #eeeeee;">$python aws_test_bucket.py --profile prod-read --file aws</span><br />
<span style="background-color: #eeeeee;"><br /></span>
<span style="background-color: #eeeeee;">$python aws_test_bucket.py --profile prod-read --file buckets.list</span><br />
<span style="background-color: #eeeeee;"><br /></span>
<span style="background-color: #eeeeee;"> -P AWS_PROFILE, --profile=AWS_PROFILE</span><br />
<span style="background-color: #eeeeee;"> Please specify AWS CLI profile</span><br />
<span style="background-color: #eeeeee;"> -B BUCKET, --bucket=BUCKET</span><br />
<span style="background-color: #eeeeee;"> Please provide bucket name</span><br />
<span style="background-color: #eeeeee;"> -F FILE, --file=FILE Optional: file with buckets list to check or aws to check all buckets in your account</span><br />
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
<b>Note:</b></div>
<div>
<i>--profile=AWS_PROFILE - your AWS access profile (from the AWS CLI). This profile may or may not have access to the audited bucket (we need it just to become an Authenticated User from AWS's point of view).</i></div>
<div>
<br /></div>
<div>
If AWS_PROFILE allows authorised access to the bucket being audited, the tool fetches the bucket's ACL, bucket policy and S3 static website settings and performs an authorised audit.</div>
<div>
<br /></div>
<div>
If AWS_PROFILE does not allow authorised access, the tool works in pentester mode (indirect checks only).</div>
<div>
<br /></div>
<div>
You can specify:</div>
<div>
<ul style="text-align: left;">
<li>one bucket to check, using the <b>--bucket</b> option</li>
<li>a file with a list of buckets (one bucket name per line), using the <b>--file</b> option</li>
<li>all buckets in your AWS account (accessible using AWS_PROFILE), using the <b>--file=aws</b> option</li>
</ul>
</div>
</div>
<div>
<br /></div>
<div>
Depending on what your AWS profile can access, the tool provides:</div>
<div>
<ul style="text-align: left;">
<li>indirect scan results (AWS_PROFILE has no API access to the bucket being audited)</li>
<li>validated scan results, based on the bucket's own settings: ACL, bucket policy and S3 website configuration (AWS_PROFILE has API access to the bucket being audited)</li>
</ul>
<div>
Enjoy and stay secure.</div>
</div>
<div>
<br /></div>
<div>
PS. Currently the tool does not support checking buckets in the Frankfurt region (eu-central-1, which requires AWS Signature Version 4). Working on it.</div>
<div>
<br /></div>
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com3tag:blogger.com,1999:blog-639364588792879566.post-74630964720425898102017-07-19T12:35:00.000-04:002017-07-22T11:24:54.044-04:00S3 buckets audit: check bucket existence, public access level, etc - without having access to target AWS account<div dir="ltr" style="text-align: left;" trbidi="on">
Publicly accessible S3 buckets have become a big deal and the root cause of many recent <a href="https://www.google.ca/search?q=s3+public+access+leak&oq=s3+public+access+leak" target="_blank">data leaks</a>.<br />
All these events have even driven AWS to proactively send emails to customers who have such S3 configurations. Let's become a bit more proactive as well and audit our S3 buckets.<br />
<br />
First, let's look at why a bucket might become publicly available:<br />
- configured for public access intentionally (S3 static website hosting or just a public resource) or by mistake<br />
- configured for access by <b>Authenticated Users</b> (an option misinterpreted by many as "users from your account", which is wrong: it means <b>any AWS-authenticated user</b> from any account)<br />
<br />
Auditing an AWS account you have full access to is quite easy: just list the buckets and check their ACLs, grantees and bucket policies via the AWS CLI or the web console.<br />
<br />
What about the cases when you:<br />
- have many accounts and buckets (it would take forever to audit them manually)<br />
- do not have enough permissions in the target AWS account to check bucket access<br />
- do not have any permissions in that account at all (pentester mode)<br />
<br />
To address all of the above I've created a small tool to do the dirty work for you (updated to v2):<br />
<a href="https://github.com/IhorKravchuk/it-security/tree/master/scripts.aws" target="_blank">https://github.com/IhorKravchuk/it-security/tree/master/scripts.aws</a><br />
<br />
<span style="background-color: #cccccc;"><br /></span>
<span style="background-color: #eeeeee;">$python aws_test_bucket.py --profile prod-read --bucket test.bcuket</span><br />
<span style="background-color: #eeeeee;"><br /></span>
<span style="background-color: #eeeeee;"> -P AWS_PROFILE, --profile=AWS_PROFILE</span><br />
<span style="background-color: #eeeeee;"> Please specify AWS CLI profile</span><br />
<span style="background-color: #eeeeee;"> -B BUCKET, --bucket=BUCKET</span><br />
<span style="background-color: #eeeeee;"> Please provide bucket name</span><br />
<span style="background-color: #eeeeee;"> -F FILE, --file=FILE Optional: file with buckets list to check</span><br />
<span style="background-color: #eeeeee;"><br /></span>
<span style="background-color: #eeeeee;">Note: --profile=AWS_PROFILE - any of your AWS access profiles (from the AWS CLI). This profile must NOT have access to the audited bucket (we need it just to become an <b>Authenticated User </b>from AWS's point of view)</span><br />
<span style="background-color: #eeeeee;"><br /></span>
<span style="background-color: #eeeeee;">You can specify one bucket to check using the --bucket option, or a file with a list of buckets (one bucket name per line) using the --file option</span><br />
<div>
<br /></div>
<div>
<br /></div>
<div>
Based on the bucket's access status, the tool gives one of the following responses:</div>
<div>
<br /></div>
<div>
<span style="color: #38761d;">Bucket: test.bucktet</span> - The specified bucket does not exist</div>
<div>
<span style="color: #0b5394;">Bucket: test.bucktet</span> - Bucket exists, but Access Denied</div>
<div>
<span style="color: #f1c232;">Bucket: test.bucktet</span> - Found index.html, most probably S3 static web hosting is enabled</div>
<div>
<span style="color: red;">Bucket: test.bucktet</span> - Bucket exists, publicly available and no S3 static web hosting, most probably misconfigured! </div>
<div>
<br /></div>
<div>
Enjoy!</div>
<div>
<br /></div>
<div>
PS. Moreover, you can put a list of buckets (even generated with some DNS/name alterations and permutations) in a file and loop through it, checking each one.</div>
<div>
<br /></div>
<div>
Stay secure.<br />
<br />
<br /></div>
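<div>An added example for both S3 audit posts; it is not the aws_test_bucket.py tool itself but shows the decision logic such a tool needs. <b>classify_indirect</b> is the pentester mode: it maps the responses to two probes (a GET on the bucket root, i.e. a listing attempt, and a GET on /index.html) onto the four verdicts listed above. <b>audit_authorised</b> is the validated mode: it reads the bucket's ACL, bucket policy and website configuration and flags grants to the AllUsers (anonymous) and AuthenticatedUsers (any AWS account) groups and policy statements open to everyone. All responses and settings below are constructed, not captured from a real bucket; the verdict strings are my own naming.</div>

```python
import json
import re
from dataclasses import dataclass

# Grantee URIs used in S3 ACLs. AuthenticatedUsers means any AWS account, not yours.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response from the bucket endpoint."""
    status: int
    body: str = ""

    def error_code(self):
        match = re.search(r"<Code>(\w+)</Code>", self.body)
        return match.group(1) if match else None


def classify_indirect(root: Response, index: Response) -> str:
    """Pentester-mode verdict from two probes sent as an unrelated authenticated
    user: GET on the bucket root (a listing attempt) and GET on /index.html."""
    if root.status == 404 and root.error_code() == "NoSuchBucket":
        return "not-found"                      # green in the post
    if index.status == 200:
        return "website"                        # yellow: index.html served, static hosting likely
    if root.status == 200:
        return "public-listing-no-website"      # red: listable by anyone, most probably a mistake
    return "access-denied"                      # blue: exists, but this probe cannot read it


def public_acl_grants(acl: dict) -> list:
    """Grants to the anonymous or the any-AWS-account group, from get-bucket-acl output."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            who = "anyone" if grantee["URI"] == ALL_USERS else "any AWS account"
            findings.append((who, grant["Permission"]))
    return findings


def public_policy_statements(policy: dict) -> list:
    """Allow statements granted to everyone ("*") with no Condition, from get-bucket-policy."""
    out = []
    for statement in policy.get("Statement", []):
        principal = statement.get("Principal")
        everyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if statement.get("Effect") == "Allow" and everyone and not statement.get("Condition"):
            actions = statement.get("Action", [])
            out.append(sorted([actions] if isinstance(actions, str) else actions))
    return out


def audit_authorised(acl: dict, policy: dict, website: dict) -> dict:
    """Validated verdict when the profile can read the bucket's own settings."""
    grants = public_acl_grants(acl)
    statements = public_policy_statements(policy)
    hosting = "IndexDocument" in website
    public = bool(grants or statements)
    return {"public": public, "static_website": hosting,
            "acl_grants": grants, "policy_statements": statements,
            "verdict": "website" if public and hosting else "public-no-website" if public else "private"}


# Constructed samples (not output captured from any real bucket).
NOSUCHBUCKET = Response(404, "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>")
DENIED = Response(403, "<Error><Code>AccessDenied</Code></Error>")
LISTING = Response(200, "<ListBucketResult><Name>demo</Name></ListBucketResult>")
INDEX = Response(200, "<html>hello</html>")
NOSUCHKEY = Response(404, "<Error><Code>NoSuchKey</Code></Error>")

SAMPLE_ACL = {"Owner": {"ID": "abc"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "abc"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*",'
                          '"Action":"s3:GetObject","Resource":"arn:aws:s3:::demo/*"}]}')
SAMPLE_WEBSITE = {"IndexDocument": {"Suffix": "index.html"}}

if __name__ == "__main__":
    print(classify_indirect(LISTING, NOSUCHKEY))
    print(audit_authorised(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_WEBSITE))
```

<div>Two things this makes explicit: an AuthenticatedUsers READ grant is reported as "any AWS account", and a policy statement with a Principal of "*" is only counted as public when it has no Condition, since a statement restricted by, say, aws:SourceIp is not open to the world.</div>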
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-51350859663221877012017-03-30T21:58:00.001-04:002017-03-30T21:59:15.854-04:00Trailing dot in DNS name, incorrect S3 website endpoint work and possible back-end information leak<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
I discovered that the AWS S3 website endpoint incorrectly interprets a <span class="il">trailing</span> dot (which is actually an essential part of an FQDN according to RFC 1034) in the website FQDN. </div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Instead of referring to the correct bucket endpoint, it returns a "No such bucket" error, revealing information about the website back-end. </div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Initially I did not consider this a security issue, more a misconfiguration or even expected undocumented behaviour, but I found one case that could lead to others:</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
If a website uses a 3rd-party DDoS and WAF protection service like CloudFlare, this technique (adding a <span class="il">trailing</span> dot) could reveal and expose the website origin. </div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<span style="font-size: 12.8px;"><br /></span></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<span style="font-size: 12.8px;">Example of the possible information disclosure below:</span></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
DNS name resolution pointing to <span style="font-size: 12.8px;">CloudFlare:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTksellM1licVvvdyQ5eaN9h3NWTHyDsM1xAvbtFY5nX4No70x2Z08aG0JnnjHKXXojRoCREEwQ9uAZGPM-H5gJqGgKANW1RXN93mE2uR2PNm3AVLYl65Q5UC52wUlVvyBG7kYNyD5YWo/s1600/dns_response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTksellM1licVvvdyQ5eaN9h3NWTHyDsM1xAvbtFY5nX4No70x2Z08aG0JnnjHKXXojRoCREEwQ9uAZGPM-H5gJqGgKANW1RXN93mE2uR2PNm3AVLYl65Q5UC52wUlVvyBG7kYNyD5YWo/s400/dns_response.png" width="400" /></a></div>
</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<span class="il" style="font-size: 12.8px;">Trailing</span><span style="font-size: 12.8px;"> dot error pointing to the S3 bucket back-end, with the rest of the information pointing to CloudFlare:</span></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<span style="font-size: 12.8px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQFn6dK5CpOr30HlqSH9JdV89jdA4LahMZTUCdAiazC8rY5SxPucBfveD7tAAmTX4KljgjSPCLV3mb-gG4BPN5Y74LBZP2gj1sWJwzK5aB4NidRVMpwaINEQYIOoNroSloRYPFSXcPTaM/s1600/headers_response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQFn6dK5CpOr30HlqSH9JdV89jdA4LahMZTUCdAiazC8rY5SxPucBfveD7tAAmTX4KljgjSPCLV3mb-gG4BPN5Y74LBZP2gj1sWJwzK5aB4NidRVMpwaINEQYIOoNroSloRYPFSXcPTaM/s400/headers_response.png" width="400" /></a></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<span style="font-size: 12.8px;">PS. </span><span style="font-size: 12.8px;">One possible use of the S3 back-end information leak is S3 bucket name squatting, to block possible sub-domain usage, since S3 bucket names are globally unique.</span></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
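<div>An added example, not from the original post, of how to check your own sites for this leak. <b>probe_hosts</b> gives the two Host header values to compare (with and without the trailing dot), <b>build_request</b> produces the raw request, and <b>parse_s3_error</b> and <b>origin_leak</b> recognise the S3 answer in the response no matter which CDN or WAF the other headers name: the website endpoint's HTML error page (Code, Message, BucketName, RequestId, HostId as list items) as well as the REST endpoint's XML form. The sample responses and the host www.example.com are constructed, as is the CF-RAY value; sending the request is left to whatever client you use.</div>

```python
import re
from typing import Optional


def probe_hosts(fqdn: str):
    """The two Host header values to compare: the name as browsers send it and
    the same name written as a fully qualified one, with the trailing dot."""
    bare = fqdn.rstrip(".")
    return bare, bare + "."


def build_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request for the probe; only the Host header differs between the two."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: trailing-dot-check\r\nConnection: close\r\n\r\n").encode()


S3_ERROR_FIELDS = ("Code", "Message", "BucketName", "RequestId", "HostId")


def parse_s3_error(body: str) -> dict:
    """Pull S3 error fields out of either the website endpoint's HTML error page
    (<li>Code: NoSuchBucket</li> ...) or the REST endpoint's XML (<Code>...</Code>)."""
    found = {}
    for field in S3_ERROR_FIELDS:
        match = (re.search(rf"<li>{field}:\s*([^<]+)</li>", body)
                 or re.search(rf"<{field}>([^<]+)</{field}>", body))
        if match:
            found[field] = match.group(1).strip()
    return found


def origin_leak(status: int, headers: dict, body: str) -> Optional[dict]:
    """Decide whether the trailing-dot response exposes an S3 back-end.

    An S3 error naming the bucket, or a Server: AmazonS3 header, means the
    request was answered by S3, whatever front (CDN/WAF) the other headers name."""
    lower = {k.lower(): v for k, v in headers.items()}
    error = parse_s3_error(body)
    if error.get("Code") == "NoSuchBucket" or lower.get("server") == "AmazonS3":
        return {"backend": "S3", "bucket": error.get("BucketName"), "status": status,
                "front": lower.get("server")}
    return None


# Constructed sample responses (not captured from any real site).
OK_HEADERS = {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-YYZ"}
OK_BODY = "<html><body>Welcome</body></html>"
# What comes back for "Host: www.example.com." when CloudFlare forwards it to an
# S3 website origin: CloudFlare's own headers, S3's error page as the body.
LEAK_HEADERS = {"Server": "cloudflare", "CF-RAY": "0123456789abcdf0-YYZ",
                "Content-Type": "text/html; charset=utf-8"}
LEAK_BODY = ("<html><head><title>404 Not Found</title></head><body><h1>404 Not Found</h1><ul>"
             "<li>Code: NoSuchBucket</li><li>Message: The specified bucket does not exist</li>"
             "<li>BucketName: www.example.com.</li><li>RequestId: 0123456789ABCDEF</li>"
             "<li>HostId: 0123456789abcdef0123456789abcdef</li></ul></body></html>")

if __name__ == "__main__":
    for host in probe_hosts("www.example.com"):
        print(build_request(host).decode().splitlines()[1])   # the two Host headers to send
    print(origin_leak(404, LEAK_HEADERS, LEAK_BODY))          # the leak, if the origin is S3
```

<div>The check is deliberately not keyed on the Server header alone: in the CloudFlare case the headers still say cloudflare, and only the body gives the origin away.</div>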
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-52277789421883483722017-02-01T18:09:00.004-05:002017-02-01T18:09:53.273-05:00MediaWiki as a static website and content sharing<div dir="ltr" style="text-align: left;" trbidi="on">
Using a wiki for knowledge management, in a team or individually, is easy and often an obvious choice.<br />
<div>
Challenges appear when you need to share information stored in the wiki. </div>
<div>
The challenges are: hardening the MediaWiki installation for public access, and sharing only part of the wiki content.</div>
<div>
<br /></div>
<div>
If your main goal is just to publish content, you can extract the wiki pages as static HTML pages using a relatively simple wget one-liner. After extracting, you can publish your wiki using AWS S3 static website hosting.</div>
<div>
<br /></div>
<div>
To share only part of the information available in the wiki, you can leverage <a href="https://www.mediawiki.org/wiki/Help:Categories" target="_blank">Categories</a> and restrict user access to specified categories using a <a href="https://www.mediawiki.org/wiki/Extension%3aRestrict_access_by_category_and_group" target="_blank">special extension</a>. Afterwards, you can use this restricted user's access to grab the wiki content.<br />
Another simple way is to use the <a href="https://www.mediawiki.org/wiki/Help:Categories#Creating_a_category_page" target="_blank">Category special wiki page</a> as the starting point for a crawler, grabbing the pages related to a specific category, say Public.<br />
The code is way shorter than the description above:<br />
<br />
<pre style="background-color: #f9f9f9; border: 1px solid rgb(221, 221, 221); font-family: monospace, Courier; font-size: 14px; line-height: 1.3em; padding: 1em; white-space: pre-wrap;"># get the wiki content: the Category:Public page and everything one link away from it,
# skipping Special pages, edit/history/print views, old revisions and Talk pages
wget --recursive --level=1 --page-requisites --html-extension --no-directories --convert-links --no-parent -R "*Special*" -R "*action=*" -R "*printable=*" -R "*oldid=*" -R "*title=Talk:*" -R "*limit=*" "http://mywikiprivate:80/wiki/index.php/Category:Public"
# replace every remaining link to the private wiki (double-quoted http:// URLs) with a link to the stub page
sed -i -E 's/http:\/\/mywikiprivate[^"]*/http:\/\/wiki.your_website.ca\/404.html/g' *.html
# remove the sensitive file (the second copy of the category page that wget saved)
rm Category\:Public.1.html
# rename the Public category page so it becomes the list of published pages
mv Category:Public.html Public.html
# sync the content to the S3 bucket behind the static website
aws s3 sync ./ s3://your_bucket/</pre>
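<div>An added check, not part of the original script, to run over the exported directory before the <b>aws s3 sync</b> step. The sed above only rewrites double-quoted http:// URLs, so https:// and protocol-relative links, single-quoted attributes and plain-text mentions of the internal host name can survive into the public copy. The example parses every exported page and reports anything still pointing at the private host; SAMPLE_PAGE and the host name mywikiprivate (taken from the one-liner) are constructed for the example.</div>

```python
import re
from html.parser import HTMLParser
from pathlib import Path


class LinkCollector(HTMLParser):
    """Collect every URL a browser would follow or fetch, plus the visible text."""
    URL_ATTRS = {"href", "src", "action", "data", "poster", "srcset"}

    def __init__(self):
        super().__init__()
        self.urls, self.text = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value.strip())

    def handle_data(self, data):
        self.text.append(data)


def url_host(url: str):
    """Host part of an absolute or protocol-relative URL; None for relative ones."""
    match = re.match(r"^(?:[a-z][a-z0-9+.\-]*:)?//([^/:?#]+)", url, re.IGNORECASE)
    return match.group(1).lower() if match else None


def private_references(html: str, private_hosts) -> dict:
    """URLs and visible-text mentions that still point at the private wiki.

    Catches what the sed in the post does not: https:// and protocol-relative
    links, single-quoted attributes, and the host name appearing as text."""
    private = {h.lower() for h in private_hosts}
    collector = LinkCollector()
    collector.feed(html)
    urls = [u for u in collector.urls if url_host(u) in private]
    visible = " ".join(collector.text)
    mentions = [h for h in sorted(private)
                if re.search(rf"\b{re.escape(h)}\b", visible, re.IGNORECASE)]
    return {"urls": urls, "text_mentions": mentions}


def scan_directory(directory, private_hosts) -> dict:
    """file name -> findings for every exported page that still leaks; empty means safe to sync."""
    findings = {}
    for path in sorted(Path(directory).glob("*.html")):
        hits = private_references(path.read_text(errors="replace"), private_hosts)
        if hits["urls"] or hits["text_mentions"]:
            findings[path.name] = hits
    return findings


# Constructed sample page, roughly what wget leaves behind after --convert-links and the sed.
SAMPLE_PAGE = """<html><body>
<a href="http://wiki.your_website.ca/404.html">rewritten by sed</a>
<a href='https://mywikiprivate/wiki/index.php/Internal_Runbook'>missed: https and single quotes</a>
<img src="//mywikiprivate/images/diagram.png">
<p>Ask on mywikiprivate if unsure.</p>
<a href="Public.html">fine, relative</a>
</body></html>"""

if __name__ == "__main__":
    print(private_references(SAMPLE_PAGE, {"mywikiprivate"}))
    print(scan_directory(".", {"mywikiprivate"}))   # run in the export directory before syncing
```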
<br />
<br />
The result of running such a script, along with some public notes from my wiki, can be found here:<br />
<a href="http://wiki.it-security.ca/">http://wiki.it-security.ca</a></div>
<div>
<br />
<br /></div>
<div>
<b>Disclaimer:</b> the current wiki publication contains only a small part of the information available and will be updated almost daily to add more content cleared for publishing. The main purpose of this wiki is to keep technical notes and references in a structured way. Some of them are obvious, outdated or incomplete.<br />
<br />
The goal of establishing a public publishing process is to keep the wiki information up-to-date and to be able to publish small useful notes which do not fit the blog format and style.</div>
<div>
<br /></div>
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-55596316401030409002016-11-07T14:58:00.000-05:002016-11-14T11:20:36.254-05:00Secure your AWS account using CloudFormation<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<br /></div>
<div>
The very first thing you need to do while building your AWS infrastructure is to enable and configure all the AWS account-level security features: CloudTrail, AWS Config, CloudWatch, IAM, etc.</div>
<div>
To do this, you can use my <a href="http://security-ingvar-ua.blogspot.ca/2016/06/aws-account-security-check-list-and-how.html" target="_blank">Amazon AWS account-level security checklist and how-to</a> or any other source.</div>
<div>
To avoid manual steps and to align with the SecurityAsCode concept, I use a set of CloudFormation templates, a simplified version of which I would like to share: </div>
<div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>GitHub: <a href="https://github.com/IhorKravchuk/it-security">https://github.com/IhorKravchuk/it-security</a></b></div>
<h4 style="text-align: left;">
</h4>
<h4 style="text-align: left;">
Global Security stack template structure:</h4>
<h4 style="text-align: left;">
<b><br /></b></h4>
<h4 style="text-align: left;">
<b>security.global.json </b>- <span style="font-weight: normal;">parent template for all nested templates, linking them together and controlling the dependencies between nested stacks.</span></h4>
<h4 style="text-align: left;">
<b><br /></b></h4>
<h4 style="text-align: left;">
<b>cloudtrail.global.json</b> - <span style="font-weight: normal;">nested template for the global configuration of CloudTrail:</span></h4>
<div>
<ul style="text-align: left;">
<li>creates the S3 bucket for the logs</li>
<li>creates CloudTrail-related IAM roles and policies</li>
<li>creates the CloudWatch Logs log group</li>
<li>enables CloudTrail in the default region, including global events and the multi-region feature</li>
<li>creates SNS and SQS configuration for easy integration with the Splunk AWS app.</li>
</ul>
<div>
<br /></div>
<b>cloudtrailalarms.global.json</b> - nested template for global CloudWatch Logs alarms and security metrics. Uses a FilterMap to create different security-related metric filters on the CloudTrail log group, the corresponding metrics, and notifications for suspicious or dangerous events. You can customise the filters on a per-environment basis.</div>
<div>
<br /></div>
<div>
Predefined filters are:</div>
<div>
<ul style="text-align: left;">
<li>rds-change: RDS related changes</li>
<li>iam-change: IAM changes</li>
<li>srt-instance: Start, Reboot, Terminate instance</li>
<li>large-instance: launching large instances</li>
<li>massive-operations: massive operations, more than 10 in 5 minutes</li>
<li>massive-terminations: massive terminations, more than 10 in 5 minutes</li>
<li>detach-force-ebs: force detachment of the EBS volume from the instance</li>
<li>change-critical-ebs: any changes related to the critical EBS volumes</li>
<li>change-secgroup: any changes related to the security group</li>
<li>create-delete-secgroup: creation and deletion of the security group </li>
<li>secgroup-instance: attaching security group to the instance</li>
<li>route-change: routing changes</li>
<li>create-delete-vpc: creation and deletion of a VPC</li>
<li>netacl-change: changes at Network ACL</li>
<li>cloudtrail-change: changes in the CloudTrail configuration</li>
<li>cloudformation-change: changes related to the CloudFormation</li>
<li>root-access: any root access events</li>
<li>unauthorised: failed and unauthorised operations</li>
<li>igw-change: Internet Gateway related changes</li>
<li>vpc-flow-logs: Delete or Create VPC flow logs</li>
<li>critical-instance: any operation on the critical instances</li>
<li>eip-change: Elastic IP changes</li>
<li>net-access: any access from outside the predefined known IP ranges</li>
</ul>
</div>
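<div>An added example, not code from the templates, that shows what a handful of the filters above amount to when evaluated in Python over CloudTrail events: root-access, unauthorised, iam-change, cloudtrail-change, srt-instance, change-secgroup, create-delete-secgroup, detach-force-ebs, critical-instance, net-access, and the windowed count behind massive-terminations. Use it to check, before touching the FilterMap, that your sample events trip the rules you expect. The known IP range, the critical instance ID and all events are constructed; the exact event-name lists are my choices and may differ from the templates' patterns.</div>

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Assumed environment facts the FilterMap would carry: known egress ranges and critical instance IDs.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
CRITICAL_INSTANCES = {"i-0c0ffee0c0ffee000"}

MUTATING_CLOUDTRAIL = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging", "PutEventSelectors"}
SRT_INSTANCE = {"StartInstances", "RebootInstances", "TerminateInstances"}
SECGROUP_RULES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                  "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Generate", "Simulate")


def from_known_range(source_ip: str) -> bool:
    """AWS services calling on your behalf show up as a DNS name, not an IP; treat those as known."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(ip in net for net in KNOWN_RANGES)


def match_rules(event: dict) -> set:
    """Which of the post's filters a single CloudTrail event trips."""
    name, source = event.get("eventName", ""), event.get("eventSource", "")
    params = event.get("requestParameters") or {}
    error = event.get("errorCode") or ""
    hits = set()
    if event.get("userIdentity", {}).get("type") == "Root":
        hits.add("root-access")
    if error.startswith("AccessDenied") or error.endswith("UnauthorizedOperation"):
        hits.add("unauthorised")
    if source == "iam.amazonaws.com" and not name.startswith(READ_ONLY_PREFIXES):
        hits.add("iam-change")
    if source == "cloudtrail.amazonaws.com" and name in MUTATING_CLOUDTRAIL:
        hits.add("cloudtrail-change")
    if name in SRT_INSTANCE:
        hits.add("srt-instance")
    if name in SECGROUP_RULES:
        hits.add("change-secgroup")
    if name in ("CreateSecurityGroup", "DeleteSecurityGroup"):
        hits.add("create-delete-secgroup")
    if name == "DetachVolume" and params.get("force") is True:
        hits.add("detach-force-ebs")
    if any(instance in json.dumps(params) for instance in CRITICAL_INSTANCES):
        hits.add("critical-instance")
    if not from_known_range(event.get("sourceIPAddress", "")):
        hits.add("net-access")
    return hits


def massive_terminations(events, threshold=10, window=timedelta(minutes=5)) -> list:
    """Event IDs of TerminateInstances calls that push the count in a sliding
    5-minute window above the threshold (the alarm side of the metric filter)."""
    times = sorted((datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"), e["eventID"])
                   for e in events if e.get("eventName") == "TerminateInstances")
    flagged, start = [], 0
    for i, (when, event_id) in enumerate(times):
        while when - times[start][0] > window:
            start += 1
        if i - start + 1 > threshold:
            flagged.append(event_id)
    return flagged


def detect(events) -> dict:
    """eventID -> list of tripped filters; events that trip nothing are omitted."""
    out = {e["eventID"]: sorted(match_rules(e)) for e in events}
    for event_id in massive_terminations(events):
        out[event_id].append("massive-terminations")
    return {k: v for k, v in out.items() if v}


def _event(event_id, name, source, ip, when, **extra):
    base = {"eventID": event_id, "eventName": name, "eventSource": source, "sourceIPAddress": ip,
            "eventTime": when, "userIdentity": {"type": "IAMUser", "userName": "alice"}}
    base.update(extra)
    return base


# Constructed sample events in CloudTrail's JSON shape (not real log data).
SAMPLE_EVENTS = [
    _event("e1", "ConsoleLogin", "signin.amazonaws.com", "203.0.113.5", "2016-11-07T10:00:00Z",
           userIdentity={"type": "Root"}),
    _event("e2", "StopLogging", "cloudtrail.amazonaws.com", "198.51.100.7", "2016-11-07T10:01:00Z"),
    _event("e3", "CreateUser", "iam.amazonaws.com", "203.0.113.5", "2016-11-07T10:02:00Z"),
    _event("e4", "DetachVolume", "ec2.amazonaws.com", "203.0.113.5", "2016-11-07T10:03:00Z",
           requestParameters={"volumeId": "vol-1", "instanceId": "i-0c0ffee0c0ffee000", "force": True}),
    _event("e5", "TerminateInstances", "ec2.amazonaws.com", "203.0.113.5", "2016-11-07T10:04:00Z",
           errorCode="Client.UnauthorizedOperation"),
    _event("e6", "RunInstances", "ec2.amazonaws.com", "cloudformation.amazonaws.com", "2016-11-07T10:05:00Z"),
]
# Twelve terminations ten seconds apart: the 11th and 12th cross the 10-in-5-minutes line.
BURST = [_event(f"t{i}", "TerminateInstances", "ec2.amazonaws.com", "203.0.113.5",
                f"2016-11-07T10:10:{i:02d}Z") for i in range(12)]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
    print(massive_terminations(BURST))
```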
<div>
<br /></div>
<div>
4 preconfigured notification topics : </div>
<div>
<ul style="text-align: left;">
<li>InfosecEmailTopic</li>
<li>DevOpsEmailTopic</li>
<li>InfosecSMSTopic</li>
<li>DevOpsSMSTopic</li>
</ul>
</div>
<div>
<br /></div>
<div>
<br />
<b>awsconfig.global.json</b> - nested template for the global AWS Config service configuration.</div>
<div>
<ul style="text-align: left;">
<li>creates the S3 bucket for the config dumps</li>
<li>creates AWS Config-related IAM roles and policies</li>
<li>creates the AWS Config delivery channel and schedules config dumps (hourly)</li>
<li>creates and enables the AWS Config recorder</li>
<li>creates SNS and SQS configuration for easy integration with the Splunk AWS app.</li>
</ul>
<div style="font-weight: bold;">
<br /></div>
<div style="font-weight: bold;">
cloudwatchsubs.global.json <span style="font-weight: normal;">- nested template for configuring the AWS CloudWatch Logs subscription filter to extract and analyse the most severe CloudTrail events using a custom Lambda function:</span></div>
<div>
<ul style="text-align: left;">
<li>creates the Lambda function and all required roles and permissions</li>
<li>creates the subscription filter as a compilation of the filters from the FilterMap</li>
</ul>
</div>
<div>
Currently uses the following filters, aggregated into one because of the CloudWatch Logs subscription limitation (only one subscription filter per log group):</div>
<div>
<div>
<ul style="text-align: left;">
<li>critical-instance</li>
<li>iam-change</li>
<li>srt-instance</li>
<li>cloudtrail-change</li>
<li>root-access</li>
<li>net-access</li>
<li>detach-force-ebs</li>
<li>unauthorised</li>
</ul>
</div>
</div>
<div>
<b><br /></b></div>
<div>
<b>iam.global.json</b> - nested template for IAM Global configuration: </div>
</div>
</div>
<div>
<ul style="text-align: left;">
<li>creates Infosec Team IAM Group and managed policy</li>
<li>creates DevOps Team IAM Group and managed policy</li>
<li>creates DBA Team IAM Group and managed policy</li>
<li>creates Self Service Policy for users to manage API keys and MFA</li>
<li>creates ProtectProdEnviroment to protect the production environment from destructive actions</li>
<li>creates EnforceMFAPolicy to enforce MFA for sensitive operations</li>
<li>creates EnforceAccessFromOfficePolicy to restrict some operations to office source IPs</li>
<li>creates the DomainJoin role and all required policies to perform an automated domain join</li>
<li>creates SaltMasterPolicy and a role for the configuration management tool (in this case Salt)</li>
<li>creates SQLDataBaseInstancePolicy and an example instance profile policy</li>
<li>creates an example SIEM system policy</li>
<li>creates the VPC flow log role</li>
<li>creates and manages the SIEM user and API keys</li>
<li>creates and manages the SMTP user (for the AWS SES service) and API keys</li>
</ul>
</div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
<b>cloudwatchsubs_kinesis.global.json</b> - PoC template (not linked as a nested stack into <b>security.global.json</b>) for configuring an AWS CloudWatch Logs subscription filter that sends the most severe CloudTrail events to an AWS Kinesis stream, using a subscription filter similar to the one in <b>cloudwatchsubs.global.json</b></div>
<div>
<br /></div>
<h4 style="text-align: left;">
</h4>
<h4 style="text-align: left;">
Supported features:</h4>
<div>
<b><br /></b></div>
<div>
<b>Environments and regions:</b> the stack supports an unlimited number of environments, with 4 predefined (staging, dev, prod and dr), and follows the one-account-and-one-region-per-environment concept to reduce the blast radius if an account is compromised</div>
<div>
<br /></div>
<div>
<b>AWS services used by stack</b>: CloudTrail, AWS Config, CloudWatch, CloudWatch Logs and Events, IAM, Lambda, Kinesis.</div>
<div>
<br /></div>
<h4 style="text-align: left;">
</h4>
<h4 style="text-align: left;">
To deploy:</h4>
<div>
<ol style="text-align: left;">
<li>Create a bucket using the following naming convention: com.ChangeMe.EnviromentName.cloudform, replacing <b>ChangeMe</b> and <b>EnviromentName</b> with your values so that it looks like this: <i>com.it-security.prod.cloudform</i></li>
<li>Enable bucket versioning</li>
<li>In the templates <b>security.global.json</b> and <b>cloudwatchsubs.global.json</b> replace "<b>ChangeMe</b>" with the name used in the bucket creation.</li>
<li>In the template <b>cloudtrailalarms.global.json</b> modify the SNS endpoints for email notification, <b>infosec@ChangeMe.com</b> and <b>devops@ChangeMe.com</b>; add endpoints with mobile phone numbers for SMS notification to the appropriate SNS topics if needed.</li>
<li>Modify the iam.global.json template to address your SQL database bucket location (<i>com-ChangeMe-", {"Ref": "Environment"} , "-sqldb/</i>) and modify any permissions as needed according to your organisation structure, roles, responsibilities and services.</li>
<li>Modify the <b>FilterMap</b> in the <b>cloudtrailalarms.global.json</b> and <b>cloudwatchsubs.global.json</b> templates to make the filters work for your infrastructure (critical instance IDs, critical volume IDs, your office IP range, your NAT gateways, etc.)</li>
<li>Zip the example Lambda function LogCritical_lambda_security_global.py as LogCritical_lambda_security_global.zip</li>
<li>Upload this function into the S3 bucket created at step 1, copy the object version (GUI: show versions, object properties) and insert it into the <b>cloudwatchsubs.global.json</b> template, in the "LogCriticalLambdaCodeVer" mapping at the appropriate environment (prod, staging, ...)</li>
<li>Modify the <b>"regions"</b> Environments mapping in the <b>iam.global.json</b> and <b>cloudwatchsubs.global.json</b> templates to specify the AWS region you are using for the deployment.</li>
<li>Upload all <b>*.global.json</b> templates into the S3 bucket created at step 1.</li>
<li>Create a new CloudFormation stack using the parent security template <b>security.global.json</b> and your bucket name (example: <i>https://s3.amazonaws.com/com.it-security.prod.cloudform/security.global.json</i>), call it "Security" and specify the environment name you are going to deploy.</li>
<li>Done!</li>
</ol>
</div>
<div>
<br /></div>
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-20720291702778597792016-10-18T17:01:00.001-04:002016-10-25T22:22:47.940-04:00Self-Defending Cloud PoC or Amazon CloudWatch Events usage<div dir="ltr" style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
</h3>
<b>Problem</b>: a malicious attacker gets privileged access to your AWS account and destroys your production infrastructure in a matter of seconds.<br />
<br />
In the case of cloud-based infrastructure you can't rely on classic SIEM solutions: by the time your SIEM detects the attack, your infrastructure will be gone. We need a "near real time" way to detect and mitigate the attack.<br />
<br />
<b>Attack scenario:</b> using a compromised AWS API key (no MFA) and the CLI/SDK to perform destructive actions.<br />
<br />
<b>Attack detection and mitigation strategy: </b><br />
All destructive actions start with EC2 instance termination. To prevent this scenario, you should always have the "TerminationProtection" feature enabled on your production instances. Given that, the attacker must disable termination protection before demolishing your environment. For the PoC, I will use the "disable TerminationProtection" event as the attack detector (sure thing, real attack detection is a far more complicated process).<br />
<br />
<b>Starting point: </b>an AWS API key with the admin policy attached; all production instances protected using AWS Termination Protection.<br />
<b><br /></b>
<br />
<br />
<br />
<h3 style="text-align: left;">
<b>Possible solutions and attack mitigation delays:</b></h3>
SIEM:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheEYfLR0mFJ7eFA_1QX4YlCm9XE38Gcwo2ZOvWCjyV4JyUhpkSXF_Iv6Lp4N_y5YzjJkLzPKfX8uH90KhIqmBTVw9sCcHahqXMLEFUJwcd57f27ulu8zugBjehlMT5IwivpRXrpaRpD6s/s1600/self_defence_SIEM+-+Page+1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheEYfLR0mFJ7eFA_1QX4YlCm9XE38Gcwo2ZOvWCjyV4JyUhpkSXF_Iv6Lp4N_y5YzjJkLzPKfX8uH90KhIqmBTVw9sCcHahqXMLEFUJwcd57f27ulu8zugBjehlMT5IwivpRXrpaRpD6s/s640/self_defence_SIEM+-+Page+1.png" width="640" /></a></div>
<br />
CloudWatch Logs and alarms:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLMOr0uXalypy-hWN8OIjuCzgiHuoPOjASPnSZeg5M9Ok-uDRVvY0KV-oGtwmi8WrHmcZBicm4YzxQk58KbSMl8JOMfmosiZyO82FUqHQ3iLEPMvkX931zQMd_pkCt7UsNB17z87EZt-0/s1600/self_defence_CloudwatchLogs+-+Page+1+%25281%2529.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLMOr0uXalypy-hWN8OIjuCzgiHuoPOjASPnSZeg5M9Ok-uDRVvY0KV-oGtwmi8WrHmcZBicm4YzxQk58KbSMl8JOMfmosiZyO82FUqHQ3iLEPMvkX931zQMd_pkCt7UsNB17z87EZt-0/s640/self_defence_CloudwatchLogs+-+Page+1+%25281%2529.png" width="640" /></a></div>
<br />
<br />
CloudWatch Subscriptions:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib6YPKCOa84bjIeOrb_2pHkbawFBvha-Rwa5RyN-LqpdMC0HwYV9LQgApYHOmGp_iId1RHgJxyL91jQl52jC5kzsD7oE-L0Ira6hdGinmusY6ART8PvBtziIts2uSKtKE7ViY2GSsiCwY/s1600/self_defence_CloudwatchLogs_subs+-+Page+1+%25281%2529.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="434" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib6YPKCOa84bjIeOrb_2pHkbawFBvha-Rwa5RyN-LqpdMC0HwYV9LQgApYHOmGp_iId1RHgJxyL91jQl52jC5kzsD7oE-L0Ira6hdGinmusY6ART8PvBtziIts2uSKtKE7ViY2GSsiCwY/s640/self_defence_CloudwatchLogs_subs+-+Page+1+%25281%2529.png" width="640" /></a></div>
<br />
<br />
CloudWatch Events:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZWnmE2jLkhX9ifjPkmpEdyy-boElHo5-G0Vb5nGFCdTMQGT4jt2lPe9Tdk963uNzIQuwVHiITKZpKfPLjUpmMA6dMXATv8DEmZYMvMMWRkFpXtXiyJurncS1cqgPa8RJidIDkkgkwZig/s1600/self_defence_Cloudwatch+events+-+Page+1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZWnmE2jLkhX9ifjPkmpEdyy-boElHo5-G0Vb5nGFCdTMQGT4jt2lPe9Tdk963uNzIQuwVHiITKZpKfPLjUpmMA6dMXATv8DEmZYMvMMWRkFpXtXiyJurncS1cqgPa8RJidIDkkgkwZig/s640/self_defence_Cloudwatch+events+-+Page+1.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<h3 style="text-align: left;">
<b>Implementation: </b></h3>
<b>Design:</b><br />
Based on the implementation scenarios shown above and their performance (tested during the PoC), the fastest way is to leverage AWS CloudWatch Events and trigger a Lambda function.<br />
<br />
In AWS technical language, we need to:<br />
<br />
<ol style="text-align: left;">
<li>Choose what type of AWS event we are looking for. Based on our attack detection strategy, we are looking for the EC2 call modify-instance-attribute: exactly this API call is used to enable/disable TerminationProtection. So we look for the "<a href="http://docs.aws.amazon.com/AmazonCloudWatch/latest/events/EventTypes.html#api_event_type" target="_blank">AWS API Call Events</a>" type of CloudWatch events.</li>
<li>Create an <a href="http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-rule.html" target="_blank">event rule</a>: "match incoming events and route them to one or more targets for processing"; in our case the target is a Lambda function.</li>
<li>Create all required policies and Lambda function role in IAM.</li>
<li>Build the Lambda function itself.</li>
</ol>
<br />
<br />
<b>Setting-up event rule:</b><br />
<br />
I used the following event pattern inside the CloudWatch Events rule:<br />
<span style="background-color: #f6f6f6; color: #444444; font-family: "menlo" , "monaco" , "consolas" , "courier new" , monospace; font-size: 11px; white-space: pre-wrap;">{
    "detail-type": [
        "AWS API Call via CloudTrail"
    ],
    "detail": {
        "eventSource": [
            "ec2.amazonaws.com"
        ],
        "eventName": [
            "ModifyInstanceAttribute"
        ]
    }
}</span><br />
<br />
<br />
<b>Getting sample event:</b><br />
<b><br /></b>
To start writing our event-detection-mitigation Lambda function we need an example of the AWS event for the API call we are monitoring.<br />
We can get one with the following simple Lambda function:<br />
<span style="background-color: #eeeeee;"><br /></span>
<span style="background-color: #eeeeee; white-space: pre-wrap;">def lambda_handler(event, context):
    # dump the raw event delivered by the CloudWatch Events rule
    print(event)</span><br />
<br />
<br />
or, if you need nicely formatted JSON to test your Lambda function offline:<br />
<br />
<span style="background-color: #eeeeee; white-space: pre-wrap;">import json

def lambda_handler(event, context):
    # pretty-print the event so it can be saved and replayed as a test input
    print(json.dumps(event, indent=4, sort_keys=False))</span><br />
<br />
You will find the output of your Lambda function (the result of the print statement) in the corresponding CloudWatch Log Stream (named after your Lambda function).<br />
<br />
<br />
<b>Challenges with event format:</b><br />
<b><br /></b>
During my first tests, I found that AWS does not follow any JSON contract (defined format), even for the same single API call. Making the same API call in 3 different ways produced 3 different event formats:<br />
<br />
<i>Disabling TerminationProtection from the GUI with MFA:</i><br />
<br />
<span style="background-color: #eeeeee; color: #444444; font-family: "monaco" , "menlo" , "consolas" , "courier prime" , "courier" , "courier new" , monospace; font-size: 12px;">{u'account': u'150905', u'region': u'eu-west-1', u'detail': {u'eventVersion': u'1.05', u'eventID': u'b3c4d3b4-353e-44bf-8973-37abccd085b5', u'eventTime': u'2016-10-14T17:31:37Z', u'requestParameters': {u'instanceId': u'i-d8916d57', u'disableApiTermination': {u'value': False}}, u'eventType': u'AwsApiCall', u'responseElements': {u'_return': True}, u'awsRegion': u'eu-west-1', u'eventName': u'ModifyInstanceAttribute', u'userIdentity': {u'userName': u'ihork', u'principalId': u'AIDAI3UNW', u'accessKeyId': u'ASIAIN2', u'invokedBy': u'signin.amazonaws.com', u'sessionContext': {u'attributes': {u'creationDate': u'2016-10-14T16:48:44Z', u'mfaAuthenticated': u'true'}}, u'type': u'IAMUser', u'arn': u'arn:aws:iam::150905:user/igor', u'accountId': u'150905'}, u'eventSource': u'ec2.amazonaws.com', u'requestID': u'e7b585e-af38-49d0-88a8-979ef5052f', u'userAgent': u'signin.amazonaws.com', u'sourceIPAddress': u'174.231.5.2'}, u'detail-type': u'AWS API Call via CloudTrail', u'source': u'aws.ec2', u'version': u'0', u'time': u'2016-10-14T17:31:37Z', u'id': u'55084ea-e4bc-45e6-a7a6-0c8e7d16b32', u'resources': []}</span><br />
<br />
<i>Disabling TerminationProtection from aws cli (no MFA):</i><br />
<br />
command:<br />
<span style="background-color: #cccccc;">$ aws ec2 modify-instance-attribute --no-disable-api-termination --instance-id i-378579b8 </span><br />
<span style="background-color: #cccccc;"><br /></span>
<span style="background-color: white;">event:</span><br />
<span style="background-color: #eeeeee; color: #444444; font-family: "monaco" , "menlo" , "consolas" , "courier prime" , "courier" , "courier new" , monospace; font-size: 12px;">{u'account': u'150905', u'region': u'eu-west-1', u'detail': {u'eventVersion': u'1.05', u'eventID': u'f8ae9323-91b0-4100-b27b-dce348641a5c', u'eventTime': u'2016-10-14T17:31:46Z', u'requestParameters': {u'instanceId': u'i-d8916d57', u'disableApiTermination': {u'value': True}}, u'eventType': u'AwsApiCall', u'responseElements': {u'_return': True}, u'awsRegion': u'eu-west-1', u'eventName': u'ModifyInstanceAttribute', u'userIdentity': {u'userName': u'ihork', u'principalId': u'AIDAI3UNW', u'accessKeyId': u'ASIAIN2', u'invokedBy': u'signin.amazonaws.com', u'sessionContext': {u'attributes': {u'creationDate': u'2016-10-14T16:48:44Z', u'mfaAuthenticated': u'true'}}, u'type': u'IAMUser', u'arn': u'arn:aws:iam::150905:user/igor', u'accountId': u'150905'}, u'eventSource': u'ec2.amazonaws.com', u'requestID': u'cd889e-039e-4f8f-bfe9-4d293012335', u'userAgent': u'signin.amazonaws.com', u'sourceIPAddress': u'174.231.5.2'}, u'detail-type': u'AWS API Call via CloudTrail', u'source': u'aws.ec2', u'version': u'0', u'time': u'2016-10-14T17:31:46Z', u'id': u'cd32fc6-39ae-4237-b46d-62d237d4d89', u'resources': []}</span><br />
<br />
<i>Disabling TerminationProtection from aws cli, 2nd variant:</i><br />
<div>
<br /></div>
<div>
command:</div>
<div>
<span style="background-color: #cccccc;">$ aws ec2 modify-instance-attribute --attribute disableApiTermination --value false --instance-id i-199a6696 </span><br />
<br />
event:<br />
<span style="background-color: #eeeeee; color: #444444; font-family: "monaco" , "menlo" , "consolas" , "courier prime" , "courier" , "courier new" , monospace; font-size: 12px;">{u'account': u'150905', u'region': u'eu-west-1', u'detail': {u'eventVersion': u'1.05', u'eventID': u'75fe4852-d3d9-4c9c-a702-7f025e0c4c50', u'eventTime': u'2016-10-14T17:29:24Z', u'requestParameters': {u'instanceId': u'i-d8916d57', u'attribute': u'disableApiTermination', u'value': u'false'}, u'eventType': u'AwsApiCall', u'responseElements': {u'_return': True}, u'awsRegion': u'eu-west-1', u'eventName': u'ModifyInstanceAttribute', u'userIdentity': {u'userName': u'ihork', u'principalId': u'AIDAI3U7LBIY', u'accessKeyId': u'AKIAJL7', u'type': u'IAMUser', u'arn': u'arn:aws:iam::150905:user/igor', u'accountId': u'150905'}, u'eventSource': u'ec2.amazonaws.com', u'requestID': u'd3c46-2def-4450-b3c1-4827d9f78', u'userAgent': u'aws-cli/1.10.45 Python/2.7.11 Linux/4.7.3-100.fc23.x86_64 botocore/1.4.60', u'sourceIPAddress': u'174.231.5.2'}, u'detail-type': u'AWS API Call via CloudTrail', u'source': u'aws.ec2', u'version': u'0', u'time': u'2016-10-14T17:29:24Z', u'id': u'9fb88a9e-025b-4859-9b98-6180cd14a9b', u'resources': []}</span><br />
<span style="background-color: #eeeeee; color: #444444; font-family: "monaco" , "menlo" , "consolas" , "courier prime" , "courier" , "courier new" , monospace; font-size: 12px;"><br /></span>
<br />
Take a close look at:<br />
<br />
<span style="background-color: #eeeeee; color: #444444; font-family: "monaco" , "menlo" , "consolas" , "courier prime" , "courier" , "courier new" , monospace; font-size: 12px;">'sessionContext': {u'attributes': {u'creationDate': u'2016-10-14T16:48:44Z', u'mfaAuthenticated': u'true'}}</span> - <b>do not expect this part of the JSON if you are not using MFA</b><br />
<br />
<span style="background-color: #eeeeee; color: #444444; font-family: "monaco" , "menlo" , "consolas" , "courier prime" , "courier" , "courier new" , monospace; font-size: 12px;">u'disableApiTermination': {u'value': True}}</span> and <span style="background-color: #eeeeee; color: #444444; font-family: "monaco" , "menlo" , "consolas" , "courier prime" , "courier" , "courier new" , monospace; font-size: 12px;">u'attribute': u'disableApiTermination', u'value': u'false'}</span> - <b>the same API call done using different AWS CLI options, serving the same purpose, produces 2 different events</b><br />
<b>How can we disable a user in AWS?</b><br />
<br />
You just can't disable a user in AWS. You can delete it, but you need to remove it from its groups first. That takes time, lines of code and API calls. Solution? Attach an inline user policy with an explicit deny (which overrides all allows) for all the actions you need to block.<br />
<br />
<b>Lambda function:</b><br />
<b><br /></b>
Here is my PoC Lambda function: really "dirty" and serving only one simple use case:<br />
<br />
<span style="background-color: #eeeeee; white-space: pre-wrap;">import boto3

def lambda_handler(event, context):
    print(event)
    # analyzing event: this PoC only understands the
    # {'disableApiTermination': {'value': ...}} request shape
    if event['detail']['requestParameters'].get('disableApiTermination') is not None:
        protection_status = event['detail']['requestParameters']['disableApiTermination']['value']
        UserName = event['detail']['userIdentity']['userName']
        UserID = event['detail']['userIdentity']['principalId']
        # sessionContext is missing for plain access-key calls, so no MFA
        if event['detail']['userIdentity'].get('sessionContext') is not None:
            mfa = event['detail']['userIdentity']['sessionContext']['attributes']['mfaAuthenticated']
        else:
            mfa = "false"
        print(protection_status, UserName, UserID, mfa)
        # disabling user using inline user policy if no MFA being used
        if mfa != "true" and not protection_status:
            iam = boto3.resource('iam')
            user_policy = iam.UserPolicy(UserName, 'disable_user')
            response = user_policy.put(PolicyDocument='{ "Version": "2012-10-17", "Statement": [{"Sid": "Disableuser01","Effect": "Deny","Action": ["ec2:StopInstances", "ec2:TerminateInstances"],"Resource": ["*"]}]}')
            print(response)</span><br />
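As an added example (not the blog's PoC code), the handler below normalises the three ModifyInstanceAttribute event shapes captured above and applies the same inline-deny mitigation; the user name, instance ID and the RecordingIam stand-in are constructed for offline testing, and the IAM client is injected so no AWS call is made unless it runs inside Lambda.<br />

```python
import json


def protection_disabled(event):
    """True when the call switches TerminationProtection off, for both request
    shapes: {'disableApiTermination': {'value': False}} and
    {'attribute': 'disableApiTermination', 'value': 'false'}."""
    params = event["detail"]["requestParameters"]
    if "disableApiTermination" in params:
        return params["disableApiTermination"]["value"] is False
    if params.get("attribute") == "disableApiTermination":
        return str(params.get("value")).lower() == "false"
    return False  # some other instance attribute was modified


def mfa_used(event):
    """sessionContext is absent for plain access-key calls: treat that as no MFA."""
    ctx = event["detail"]["userIdentity"].get("sessionContext") or {}
    return ctx.get("attributes", {}).get("mfaAuthenticated") == "true"


# Same explicit-deny inline policy as the PoC; an explicit Deny overrides any Allow
DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Disableuser01", "Effect": "Deny",
                   "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
                   "Resource": ["*"]}]})


def lambda_handler(event, context, iam=None):
    """Returns the decision taken; attaches the deny policy only to an IAMUser
    that disabled protection without MFA (assumed roles carry no userName)."""
    identity = event["detail"]["userIdentity"]
    decision = {"user": identity.get("userName"), "type": identity.get("type"),
                "disabled": protection_disabled(event), "mfa": mfa_used(event),
                "blocked": False}
    if decision["disabled"] and not decision["mfa"] and decision["type"] == "IAMUser":
        if iam is None:
            import boto3  # real client only when running inside Lambda
            iam = boto3.client("iam")
        iam.put_user_policy(UserName=identity["userName"],
                            PolicyName="disable_user", PolicyDocument=DENY_POLICY)
        decision["blocked"] = True
    return decision


def make_event(params, identity):
    """Constructed minimal event in the 'AWS API Call via CloudTrail' shape."""
    return {"detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com",
                       "eventName": "ModifyInstanceAttribute",
                       "requestParameters": dict(instanceId="i-0123456789abcdef0", **params),
                       "userIdentity": identity}}


class RecordingIam:
    """Stand-in for the boto3 IAM client so the handler can be exercised offline."""
    def __init__(self):
        self.calls = []

    def put_user_policy(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def demo():
    """Replays the three captured variants (CLI 2nd form without MFA, GUI with MFA,
    re-enabling protection) and returns the decisions plus the IAM calls made."""
    user = {"type": "IAMUser", "userName": "alice", "principalId": "AIDAEXAMPLE"}  # constructed
    user_mfa = dict(user, sessionContext={"attributes": {"mfaAuthenticated": "true"}})
    iam = RecordingIam()
    decisions = [lambda_handler(make_event(p, who), None, iam) for p, who in [
        ({"attribute": "disableApiTermination", "value": "false"}, user),
        ({"disableApiTermination": {"value": False}}, user_mfa),
        ({"disableApiTermination": {"value": True}}, user)]]
    return decisions, iam.calls
```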
<br />
<b><br /></b>
<b><br /></b>
<b>How near are these "near real time" events?</b><br />
My test showed about a 40 second delay. IMHO too much for "near real time". I'm looking for the potential bottlenecks and delays that may be caused by the Lambda function itself or by the event type I used.<br />
<br />
<br />
<b>Conclusions:</b><br />
- not "near real time" enough to react fast and mitigate an attack without additional protective measures.<br />
- could work if you are able to detect the attack 40 seconds earlier<br />
- could reduce overall damage<br />
- definitely very promising if the reaction delay becomes smaller (let's say 5-10 sec).<br />
<br />
<h3 style="text-align: left;">
Update:</h3>
<div>
Feel free to pull the <a href="https://github.com/IhorKravchuk/it-security" target="_blank">AWS CloudFormation template on GitHub</a> for the PoC above.</div>
<div>
<br /></div>
<div>
To deploy you need: </div>
<div>
<br /></div>
<div>
1. selfdefence.infosec.vpc.json - template itself.</div>
<div>
<br /></div>
<div>
2. selfdefence_infosec.py - the Lambda function. You will need to zip it and upload it to an S3 bucket with versioning enabled.</div>
<div>
<br /></div>
<div>
3. Edit the template (selfdefence.infosec.vpc.json) and specify the S3 bucket name in the format you.bucket.name.env.cloudform (where env is your environment name: prod, test, staging, etc.) and the S3 object version of the selfdefence_infosec.zip file.</div>
<div>
<br /></div>
<div>
4. Upload the template to the same S3 bucket.</div>
<div>
<br /></div>
<div>
5. Create a stack using this template and specify the corresponding environment name at creation time.</div>
<div>
<br /></div>
<div>
Enjoy! </div>
<b><br /></b>
</div>
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-2020630813937964272016-09-21T16:07:00.001-04:002016-10-25T22:21:57.406-04:00S3 bucket policies for sensitive security logs storage <div dir="ltr" style="text-align: left;" trbidi="on">
Inspired by this AWS blog post: <a href="https://blogs.aws.amazon.com/security/post/TxK5WUJK3DG9G8/How-to-Restrict-Amazon-S3-Bucket-Access-to-a-Specific-IAM-Role" target="_blank">How to Restrict Amazon S3 Bucket Access to a Specific IAM Role</a><br />
<br />
<b>Goal: </b><br />
Build storage for sensitive security logs using an S3 bucket.<br />
<br />
<b>Restrictions: </b><br />
<br />
<ul style="text-align: left;">
<li>EC2 instances can only upload logs.</li>
<li>The infosec team can only download logs and (just for this particular case) delete them with MFA.</li>
<li>All other users must not have any access, regardless of what their IAM policies say.</li>
</ul>
<b>Solution:</b><br />
a custom bucket policy:<br />
<br />
<br />
<span style="background-color: #eeeeee; white-space: pre-wrap;">"PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OnlyForInfosecEyes",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:GetObject*", "s3:Delete*", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
            "Resource": "arn:aws:s3:::s3-top-secret-bucket/*",
            "Condition": {
                "StringNotLike": {
                    "aws:userId": "InfosecGroupUserIDs"
                }
            }
        },
        {
            "Sid": "OnlyServerAllowToPut",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::s3-top-secret-bucket/*",
            "Condition": {
                "StringNotLike": {
                    "aws:userId": "ServerIAMRoleID:*"
                }
            }
        },
        {
            "Sid": "EnforceEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::s3-top-secret-bucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        },
        {
            "Sid": "EnforceMFADelete",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:Delete*"],
            "Resource": "arn:aws:s3:::s3-top-secret-bucket/*",
            "Condition": {
                "Null": {
                    "aws:MultiFactorAuthAge": "true"
                }
            }
        }
    ]
}</span><br />
<br />
<b>Where</b>:<br />
<br />
InfosecGroupUserIDs - list of the IAM infosec users' IDs, one per user (<span style="background-color: white; color: #222222; font-family: "courier new" , "courier" , monospace; font-size: 13px;">aws iam get-user --user-name <strong style="color: red;">USER-NAME</strong></span>)<br />
<br />
ServerIAMRoleID:* - ID of the IAM role used by your EC2 server instances, with ":*" appended to cover every instance that assumes this role (<span style="background-color: white; color: #222222; font-family: "courier new" , "courier" , monospace; font-size: 13px;">aws iam get-role --role-name <strong style="color: red;">ROLE-NAME</strong></span>)<br />
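As an added example (not part of the original post), the Python below builds the same deny-only bucket policy from the looked-up user and role IDs and replays the three access rules against it with a minimal evaluator for the StringNotLike and Null conditions it uses; the bucket name and IDs are constructed placeholders, and lookup_ids is a hypothetical helper wrapping the two CLI calls above via boto3.<br />

```python
import fnmatch
import json


def build_log_bucket_policy(bucket, infosec_user_ids, server_role_id):
    """Same four Deny statements as the post; Resource must be the full ARN."""
    arn = "arn:aws:s3:::%s/*" % bucket

    def deny(sid, actions, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": actions, "Resource": arn, "Condition": condition}

    return {"Version": "2012-10-17", "Statement": [
        deny("OnlyForInfosecEyes",
             ["s3:GetObject*", "s3:Delete*", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
             {"StringNotLike": {"aws:userId": list(infosec_user_ids)}}),
        deny("OnlyServerAllowToPut", ["s3:PutObject"],
             {"StringNotLike": {"aws:userId": server_role_id + ":*"}}),
        deny("EnforceEncryption", ["s3:PutObject"],
             {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        deny("EnforceMFADelete", ["s3:Delete*"],
             {"Null": {"aws:MultiFactorAuthAge": "true"}}),
    ]}


def lookup_ids(user_names, role_name):
    """Hypothetical helper: boto3 equivalent of the get-user / get-role CLI calls."""
    import boto3  # only needed online
    iam = boto3.client("iam")
    user_ids = [iam.get_user(UserName=u)["User"]["UserId"] for u in user_names]
    return user_ids, iam.get_role(RoleName=role_name)["Role"]["RoleId"]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """Evaluates only the operators this policy uses. A key missing from the
    request context satisfies StringNotLike (negated operators match on absent
    keys) and satisfies Null:"true"."""
    for op, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = ctx.get(key)
            if op == "StringNotLike":
                if actual is not None and any(
                        fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns)):
                    return False
            elif op == "Null":
                if (patterns == "true") == (actual is not None):
                    return False
            else:
                raise ValueError("unsupported operator: " + op)
    return True


def denied(policy, action, ctx):
    """Sid of the first matching Deny, else None. The policy is deny-only, so None
    means 'not blocked here'; the caller's own IAM policy must still allow it."""
    for st in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) \
                and _condition_holds(st["Condition"], ctx):
            return st["Sid"]
    return None


# Constructed placeholder IDs (real ones come from lookup_ids or the CLI calls above)
POLICY = build_log_bucket_policy("s3-top-secret-bucket", ["AIDAINFOSEC1"], "AROASERVERROLE")
SERVER = {"aws:userId": "AROASERVERROLE:i-0abc", "s3:x-amz-server-side-encryption": "AES256"}
INFOSEC = {"aws:userId": "AIDAINFOSEC1"}
ADMIN = {"aws:userId": "AIDAADMIN", "s3:x-amz-server-side-encryption": "AES256"}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(denied(POLICY, "s3:PutObject", SERVER))      # None
    print(denied(POLICY, "s3:GetObject", SERVER))      # OnlyForInfosecEyes
    print(denied(POLICY, "s3:DeleteObject", INFOSEC))  # EnforceMFADelete
    print(denied(POLICY, "s3:PutObject", ADMIN))       # OnlyServerAllowToPut
```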
<br /></div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0tag:blogger.com,1999:blog-639364588792879566.post-32111965458439904192016-08-04T22:46:00.000-04:002016-08-05T11:01:02.854-04:00AWS EC2 status check alarms using python and boto3 <div dir="ltr" style="text-align: left;" trbidi="on">
An important part of security that we (infosec guys) often delegate :-) to the Operations teams (NOC) is Availability.<br />
For IaaS, the service provider (Amazon AWS) is responsible for infrastructure availability, but we must design all layers above (Availability Zones, VPCs, networks, instances and LBs) for high availability or at least fault tolerance. One of the most important steps in this process is actually detecting IaaS failure.<br />
<a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-system-instance-status-check.html" target="_blank">From AWS:</a><br />
<i>"With instance status monitoring, you can quickly determine whether Amazon EC2 has detected any problems that might prevent your instances from running applications. Amazon EC2 performs automated checks on every running EC2 instance to identify hardware and software issues. You can view the results of these status checks to identify specific and detectable problems."</i><br />
<br />
Below is a simple Python script that will help you configure status check alarms for all your running instances:<br />
<br />
<span style="background-color: #eeeeee; white-space: pre-wrap;">#!/usr/bin/python

import boto3
import pprint

boto3.setup_default_session(profile_name='staging', region_name='eu-west-1')
ec2 = boto3.resource('ec2')
cloudwatch = boto3.resource('cloudwatch')

# Getting all instances; alarms are created only for the running ones
instance_iterator = ec2.instances.all()
for instance in instance_iterator:
    instance_name = "unnamed"
    # instance.tags is None for untagged instances
    for tag in instance.tags or []:
        if tag['Key'] == "Name":
            instance_name = tag['Value']
    print(instance_name, instance.id)
    if instance.state["Name"] == "running":
        # StatusCheckFailed is 1 when either the system or the instance check fails
        metric = cloudwatch.Metric("AWS/EC2", "StatusCheckFailed")
        response = metric.put_alarm(
            AlarmName=instance.id + "/" + instance_name + "-status-alarm",
            AlarmDescription='status check for %s %s' % (instance.id, instance_name),
            ActionsEnabled=True,
            OKActions=["arn:aws:sns:eu-west-1:your_account_id:YOUR_SNS-EmailSMS-Notification"],
            AlarmActions=["arn:aws:sns:eu-west-1:your_account_id:YOUR_SNS-EmailSMS-Notification"],
            Statistic="Maximum",
            Dimensions=[{'Name': 'InstanceId', 'Value': instance.id}],
            Period=60,
            EvaluationPeriods=2,
            Threshold=1.0,
            ComparisonOperator="GreaterThanOrEqualToThreshold"
        )
        pprint.pprint(response)</span><br />
<div>
<br /></div>
</div>
Ihor Kravchukhttp://www.blogger.com/profile/00914180514059860509noreply@blogger.com0