Securing & strengthening my cloud resources — how?
Hello fellow readers ~
After our previous article where we shared our experiences on conducting a “marriage” between Quality and Cybersecurity, we’d like to share our newly-found potential “couple” and how to potentially spark chemistry between them!
With the recent trend in shifting workloads from traditional on-prem hosting to cloud-based hosting, organisations can set up and host their workloads in a much faster and flexible method through the use of Platform as a Service (PaaS) or Infrastructure as a Service (IaaS).
This shift, however, also means that organisations are required to constantly review the various configurations that are being used in the Cloud Service Provider. Although the Cloud Service Providers have provided various services to help review and secure cloud workload, it is still the responsibility of the tenant to ensure that they secure and protect the cloud workload.
Now you must be wondering — how can I, as a tenant, secure and strengthen the posture of my cloud workloads with the existing resources that I’ve invested and obtained?
Oh well~ there’s no fixed answer to this, but it does create a good use case of “Security Productivity Engineering”. Although there’s no direct definition, here’s a simple yet catchy explanation: “Accelerate Security and Productivity through Engineering”. In short, it is about reusing and combining different open-source products that are known and commonly used by both Infrastructure and Cybersecurity engineers.
Now, we will be running through the steps on how we can “boost” the chemistry between this “couple”, and here’s the tech stack used to simulate an environment that has some flaws in the configuration:
These tools do have a pre-defined docker image of it. However, our objective is to provide alternatives to the readers in case they wish to perform their own customisations.
- Some basic understanding of AWS
- Setup and install docker on your own machine
- Configure an AWS access key that has the ReadOnlyAccess and SecurityAudit policies tagged to it
Alright! Now we’re ready to start!
Creation of the docker image
The docker image will consist of a total of 7 parts (you can always add/modify based on your own preferences):
- The choice of base image
- Naming conversion to be used in the image
- Patching and updating of the image
- Installation of additional networking tools
- Creation of directories in the image
- Installation of Cloud Configuration Review tool (choose the tool you preferred)
- Installation CLI Choose the version that suits your current platform)
# using debian base image
FROM debian# setting standard arguments
ARG AWS_CLI=AwsCLI# install and update the image
RUN apt-get update && \
apt-get upgrade -y# install nano, git, python, pip, venv, nmap, sslscan, ffuf, curl, wget, net-tools
RUN apt-get install nano git python3 python3-pip python3-venv nmap sslscan ffuf curl wget net-tools zip jq inetutils-ping -y# create the list of directories
RUN mkdir -p /home/app/tools/$SS_FOLDER && \
mkdir -p /home/app/tools/$AWS_CLI# clone the PACU ,ScoutSuite, Sec Wordlist repo
RUN git clone https://github.com/nccgroup/ScoutSuite.git /home/app/tools/$SS_FOLDER# install the requirements for Pacu, ScoutSuite, Prowler
# (Do not change the sequence)RUN pip install -r /home/app/tools/$SS_FOLDER/requirements.txt && \
pip install detect-secrets==1.0.3# install AWS CLI for aarch64 (Macbook M1, ARM64)
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "/home/app/tools/$AWS_CLI/awscliv2.zip" && \unzip /home/app/tools/$AWS_CLI/awscliv2.zip && \
./aws/install && \rm -rf /aws && \rm -rf /home/app/tools/$AWS_CLI
# install AWS CLI for x64 (Intel , AMD)
#RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/home/app/tools/$AWS_CLI/awscliv2.zip" && \# unzip /home/app/tools/$AWS_CLI/awscliv2.zip && \
# ./aws/install && \
# rm -rf /aws && \
# rm -rf /home/app/tools/$AWS_CLI
Build and run the docker image
Once the docker image has been created, execute the following to build your image and spin up a new container of your image.
S1: Launch command prompt/terminal
S2: Change current working directory to the docker image file’s
S3: Build the docker
docker build -t cloud-config-rev-tool:1.0 .
S4: Launch and gain access to your container
docker run — tty — interactive — name c1 cloud-config-rev-tool:1.0
Configure user profile
Proceed to run the AWS CLI commands to configure your profile with the access and secret key that you have gotten when creating a new user through IAM.
Run the scan
Once you have changed your working directory to ScoutSuite directory, execute the run to allow ScoutSuite to perform a review of your setup. The run will take awhile… So ~~~ time to grab a cup of coffee! 😎
Review the scan results
Once the run is completed, you can view the generated report by Scoutsuite by doing the following (do not change your current working directory after you have triggered the run):
S1: Zip up the “scoutsuite-report” folder
zip <filename> -r scoutsuite-report/
S2: Copy this zip file from your container to your local machine
docker cp <source_path> <destination_path>
S3: Unzip the content on your local machine and click on the HTML file
From your web browser, navigate the page to see what are the issues found inside your AWS account.
Clean up the resources
Once you have completed the run, it is important to perform a clean-up:
- Terminate and prune the container
- Revoke and delete the AWS key that is being used in this tutorial
- Remove and delete the resources that you have created in this tutorial to prevent your AWS bill from exploding
The above shows how we can leverage docker to build an image that contains the tools that you required to perform Cloud Configuration Assessment on your cloud workload. We also showed that the docker allows different levels of customisation to suit the needs of anyone!
After reading this article, feel free to explore and share with us on the customisation you’ve done to help secure your cloud workload!
🧙🏼♀Team Merlin 💛
Application security is not any individual’s problem but a shared responsibility.