Cloud Security
Activity 6.1: Run a ScoutSuite Assessment
In this step, I will download ScoutSuite and run the tool. ScoutSuite is an open-source, multi-cloud security auditing tool (it supports AWS, Azure, GCP and several other providers) that gathers configuration data through the provider's APIs and highlights risky settings.
-
Download ScoutSuite from GitHub: https://github.com/nccgroup/ScoutSuite
-
Extract the zipped directory. Open a terminal window and navigate to the directory where ScoutSuite was downloaded. Set up a Python virtual environment for this project, activate it, and install ScoutSuite's dependencies from the requirements.txt shipped in the repository. If you have never set up a virtual environment before, details are available here: https://docs.python.org/3/tutorial/venv.html
python scout.py
-
I am going to run the scan against an existing AWS account which I have pre-configured for use with the AWS CLI. For the purposes of this scan, I have defined a dedicated IAM user with only the read-only permissions ScoutSuite needs. The minimal policy is provided on the project's GitHub wiki: https://github.com/nccgroup/ScoutSuite/wiki/AWS-Minimal-Privileges-Policy
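Before attaching a "minimal" policy to a scanner user it is worth checking that it really is read-only, since a single `s3:*` or an `Allow` with `NotAction` turns a scanner account into a write-capable one. The following is an added example of that check (my own code, not ScoutSuite's). The POLICY document is a constructed sample, not the real policy from the ScoutSuite wiki, and the READ_ONLY_PREFIXES allow-list is a heuristic assumption rather than an AWS-defined category; point the script at the JSON of the policy you actually attached.

```python
"""Audit an IAM policy document and report every Allow grant that is not
provably read-only (write verbs, overly broad wildcards, Allow+NotAction)."""
import json
import sys

# Verb prefixes treated as non-mutating. This allow-list is an assumption of
# this example, not an AWS-defined category; extend it for your own scanner
# policy (e.g. "iam:GenerateCredentialReport" is covered by "Generate").
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Generate", "Lookup",
                      "Search", "Simulate", "View")

# Constructed sample policy for illustration; it is NOT the real ScoutSuite
# minimal-privileges policy from the project wiki.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ScannerReadOnly", "Effect": "Allow",
         "Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                    "iam:GenerateCredentialReport",
                    "s3:ListAllMyBuckets", "s3:GetBucketPolicy"],
         "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["s3:*", "iam:De*", "lambda:InvokeFunction"],
         "Resource": "*"},
        {"Sid": "NegatedAllow", "Effect": "Allow",
         "NotAction": "iam:*", "Resource": "*"},
    ],
}


def is_read_only_action(action: str) -> bool:
    """True if the (possibly wildcarded) action can only match read-only verbs.

    'ec2:Describe*' is accepted; 's3:*' and 'iam:De*' are rejected because they
    also match Delete/Put/Create verbs; a bare '*' (full admin) is rejected.
    """
    if ":" not in action:
        return False                      # "*" or a malformed entry
    _service, verb = action.split(":", 1)
    stem = verb.rstrip("*").lower()
    if not stem:
        return False                      # "service:*"
    return any(stem.startswith(p.lower()) for p in READ_ONLY_PREFIXES)


def audit_policy(policy: dict) -> list:
    """Return (sid, action, reason) for each Allow grant that is not read-only."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be an object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement-{i}")
        if "NotAction" in stmt:
            # Allow + NotAction means "everything except these": never read-only.
            findings.append((sid, "NotAction",
                             f"Allow with NotAction {stmt['NotAction']!r} "
                             "grants every other action"))
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if not is_read_only_action(action):
                findings.append((sid, action,
                                 "not a read-only verb, or wildcard too broad"))
    return findings


if __name__ == "__main__":
    # Pass the JSON of the policy attached to the scanner user, or use the sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else POLICY
    for sid, action, reason in audit_policy(policy):
        print(f"{sid}: {action} -> {reason}")
```

An empty result means every Allow grant matched the read-only heuristic; anything printed should be removed from the scanner's policy or justified before the user is created.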
-
In order to start the scan using the credentials in the default AWS CLI profile (add --profile <name> for a different named profile), I will run:
python scout.py aws
-
ScoutSuite will then make a large number of read-only API calls to enumerate the resources in your AWS account across all regions and services, so the run can take a while on a big account. Grab some popcorn and wait.
-
When everything is finished ScoutSuite will generate a handy HTML report (written to a scoutsuite-report directory by default).
-
Clicking on individual entries of the report drills down into the affected resources and the recommended security configuration for each flagged finding.
Activity 6.2: Explore the Exploits Available with Pacu
In this lab activity I will download Pacu, an open-source AWS exploitation framework written in Python and built for offensive security testing of cloud environments. Pacu lets pen testers enumerate an AWS account and exploit misconfigurations within it. Obviously, this tool should only be used against an account you are authorized to test.
-
First we will navigate to the Github page and examine Pacu’s repo. https://github.com/rhinosecuritylabs/pacu
-
Next we will follow the quick installation instructions in order to setup Pacu. I will be installing Pacu inside Kali Linux. The installation instructions are as follows:
> git clone https://github.com/RhinoSecurityLabs/pacu
> cd pacu
> bash install.sh
> python3 pacu.py
-
We will then run it using the command
python3 pacu.py
-
Once Pacu is running, I will configure it to scan my AWS account. I will provide Pacu with a pair of read-only access keys in order to access my AWS account programmatically. Note: These keys no longer work ;)
-
In order to view the available modules (grouped into categories such as recon, enumeration, privilege escalation, lateral movement, persistence and exfiltration) we can run the list command.
-
Using the run command we can run any of the listed modules. For example, if you wanted to perform recon and pull the IAM credential report (every user's password, MFA and access-key status), you could run:
run iam__get_credential_report
The range of modules is significant; there is even one that estimates how much is being spent in the account:
run aws__enum_spend
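The credential report that iam__get_credential_report retrieves is only useful once you read it for the things an attacker (or a defender) cares about: console users without MFA, long-lived keys, and active keys nobody uses. The script below is an added example of that triage, written by me and not part of Pacu. SAMPLE_REPORT is a constructed CSV in the layout of the IAM credential report, trimmed to the columns the script reads (the real report has more), and NOW is pinned to a fixed date so the results are reproducible.

```python
"""Triage an IAM credential report for weak or stale credentials."""
import csv
import io
from datetime import datetime, timezone

# Fixed reference time so the sample results are reproducible; in practice
# use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed sample in the IAM credential report CSV layout. The real report
# has more columns (password rotation dates, key regions/services, certs);
# only the columns this script reads are included here.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T00:00:00+00:00,not_supported,2024-01-10T08:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-06-01T00:00:00+00:00,true,2024-01-12T09:00:00+00:00,true,true,2023-11-20T00:00:00+00:00,2024-01-11T09:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-02-14T00:00:00+00:00,true,2023-06-01T00:00:00+00:00,false,true,2020-02-14T00:00:00+00:00,2022-09-30T00:00:00+00:00,false,N/A,N/A
scanner,arn:aws:iam::123456789012:user/scanner,2023-12-01T00:00:00+00:00,false,no_information,false,true,2023-12-01T00:00:00+00:00,2024-01-12T07:00:00+00:00,true,2023-12-01T00:00:00+00:00,N/A
"""


def parse_ts(value: str):
    """Report timestamps are ISO 8601; the non-values N/A, no_information and
    not_supported mean 'no timestamp' and map to None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def triage(report_csv: str, now: datetime = NOW, max_age_days: int = 90) -> dict:
    """Return {user: [finding, ...]} for users with a weak or stale credential."""
    findings = {}

    def flag(user, msg):
        findings.setdefault(user, []).append(msg)

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root has no password_enabled flag; check MFA and recent use instead.
            if row["mfa_active"] != "true":
                flag(user, "root account has no MFA")
            last = parse_ts(row["password_last_used"])
            if last and (now - last).days <= max_age_days:
                flag(user, f"root credentials used within the last {max_age_days} days")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            flag(user, "console password enabled without MFA")

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and (now - rotated).days > max_age_days:
                flag(user, f"access key {n} older than {max_age_days} days")
            if used is None:
                flag(user, f"access key {n} active but never used")
            elif (now - used).days > max_age_days:
                flag(user, f"access key {n} unused for more than {max_age_days} days")
    return findings


if __name__ == "__main__":
    for user, msgs in triage(SAMPLE_REPORT).items():
        for msg in msgs:
            print(f"{user}: {msg}")
```

The same function runs unchanged on a real report: decode the Content field that `aws iam get-credential-report` returns (it is base64) and pass the CSV text in. A user that gets no findings, like alice in the sample, simply does not appear in the result.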
Activity 6.3: Scan an AWS Account with Prowler
Next we will check out an AWS account with Prowler. Prowler can be downloaded from: https://github.com/toniblyx/prowler
As its GitHub README puts it, “Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.”
-
I will again run prowler inside my Kali VM.
-
As Prowler uses the AWS CLI under the hood, we will need to install the AWS CLI first. Follow the instructions here: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html#cliv2-linux-prereq
-
Next install jq, which Prowler uses to parse the CLI's JSON output. If you did not use the bundled installer from the previous step, the CLI can also be installed as a Python package with pip.
sudo apt install jq
pip install awscli
-
Clone prowler from Github and navigate to the directory.
git clone https://github.com/toniblyx/prowler
cd prowler
-
Now configure the AWS CLI (aws configure) with the read-only keys from the previous activity.
-
Next we can run prowler by typing:
./prowler
Now Prowler will run a full audit of our AWS account. Again, only run this against an account you are authorized to test. Here is a screenshot for example. The full output is much longer.
Once the checks are run, we can analyze the report and remediate any pressing vulnerabilities. Huzzah!
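A full Prowler run produces far more findings than anyone remediates in one sitting, so the practical next step is to rank the failures by severity, drop repeats, and see which services are in the worst shape. The script below is an added example of that triage; it is my own code, not part of Prowler. FINDINGS_JSON is a constructed sample written as one JSON object per line, and the field names it reads ("Status", "Severity", "Service", "Control ID", "Resource ID", "Region") are an assumption about the shape of Prowler's JSON output; adjust them at the top if your Prowler version emits different keys.

```python
"""Rank failed Prowler findings for remediation and compute per-service pass rates."""
import json
from collections import defaultdict

# Higher number = more urgent. The severity labels are an assumption of this
# example about Prowler's output; unknown labels rank lowest.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed sample, one JSON object per line. Field names are assumed;
# only the keys read below matter.
FINDINGS_JSON = """\
{"Status": "Fail", "Severity": "High", "Service": "s3", "Control ID": "c-s3-1", "Control": "S3 bucket policy allows public write", "Resource ID": "bucket-a", "Region": "us-east-1"}
{"Status": "Fail", "Severity": "Critical", "Service": "iam", "Control ID": "c-iam-1", "Control": "MFA not enabled for the root account", "Resource ID": "root", "Region": "us-east-1"}
{"Status": "Pass", "Severity": "Medium", "Service": "iam", "Control ID": "c-iam-2", "Control": "Credentials unused for 90 days are disabled", "Resource ID": "account", "Region": "us-east-1"}
{"Status": "Fail", "Severity": "Low", "Service": "ec2", "Control ID": "c-ec2-1", "Control": "Default security group allows traffic", "Resource ID": "sg-default", "Region": "us-east-1"}
{"Status": "Fail", "Severity": "High", "Service": "s3", "Control ID": "c-s3-1", "Control": "S3 bucket policy allows public write", "Resource ID": "bucket-a", "Region": "us-east-1"}
{"Status": "Fail", "Severity": "Medium", "Service": "ec2", "Control ID": "c-ec2-2", "Control": "EBS volume not encrypted", "Resource ID": "vol-1", "Region": "eu-west-1"}
"""


def load_findings(text: str) -> list:
    """Parse newline-delimited JSON, dropping repeats of the same check on the
    same resource in the same region (re-runs and overlapping groups produce them)."""
    seen, out = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key = (rec["Control ID"], rec["Resource ID"], rec["Region"])
        if key in seen:
            continue
        seen.add(key)
        out.append(rec)
    return out


def failed_findings(findings: list) -> list:
    """Failed checks, most severe first, then grouped by service and control."""
    fails = [f for f in findings if f["Status"] == "Fail"]
    return sorted(fails, key=lambda f: (-SEVERITY_RANK.get(f["Severity"], 0),
                                        f["Service"], f["Control ID"]))


def pass_rate_by_service(findings: list) -> dict:
    """{service: (passed, total)} over the de-duplicated findings."""
    stats = defaultdict(lambda: [0, 0])
    for f in findings:
        stats[f["Service"]][1] += 1
        if f["Status"] == "Pass":
            stats[f["Service"]][0] += 1
    return {svc: (p, t) for svc, (p, t) in stats.items()}


if __name__ == "__main__":
    findings = load_findings(FINDINGS_JSON)
    for f in failed_findings(findings):
        print(f"[{f['Severity']}] {f['Service']} {f['Control ID']} "
              f"{f['Resource ID']} ({f['Region']}): {f['Control']}")
    for svc, (passed, total) in sorted(pass_rate_by_service(findings).items()):
        print(f"{svc}: {passed}/{total} checks passed")
```

Feed it the JSON file a real run writes instead of the sample; the ordering puts the root-MFA style findings at the top of the list, which is where the remediation effort should start.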
Glossary
A glossary of all the terms, acronyms and slang I run across for this chapter.
multitenancy | when many different customers share the same physical resource pool in a cloud environment |
scoutsuite | multi cloud auditing tool |
pacu | cloud-focused exploitation framework, i.e. metasploit for the cloud |
prowler | AWS cloud security configuration testing tool |
CASB | Cloud Access Security Broker - software tools that serve as intermediaries between cloud service users and cloud service providers |
Inline CASB | Physically or logically resides in the network path between the user and the service provider, so it sees every request and can block one in real time if it violates policy |
API based CASB | Does not sit between the user and the service; instead it talks to the cloud provider through the provider's API. No hardware or logical middleman is required, but it cannot block a request inline as it happens; any enforcement is applied after the fact through the API |