<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Nathan Getty</title>
    <description>The latest articles on Forem by Nathan Getty (@getsec).</description>
    <link>https://forem.com/getsec</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F216832%2Ffe2e3a81-75f5-48dd-8a21-97b70ac940a6.png</url>
      <title>Forem: Nathan Getty</title>
      <link>https://forem.com/getsec</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/getsec"/>
    <language>en</language>
    <item>
      <title>aws security automation concepts for beginners (s3).</title>
      <dc:creator>Nathan Getty</dc:creator>
      <pubDate>Wed, 20 Nov 2019 01:33:33 +0000</pubDate>
      <link>https://forem.com/getsec/aws-security-automation-concepts-for-beginners-s3-ijk</link>
      <guid>https://forem.com/getsec/aws-security-automation-concepts-for-beginners-s3-ijk</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;I plan to make multiple posts with implementation later, let's get through some concepts first!&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h1&gt;
  
  
  whoami
&lt;/h1&gt;

&lt;p&gt;Hey, I'm Nathan. I work in Canada and have a bunch of experience in security and AWS. I just wanna share some beginner tips and techniques/tools I use to help secure my organization's cloud environment.&lt;/p&gt;

&lt;h2&gt;
  
  
  Automation Concepts
&lt;/h2&gt;

&lt;p&gt;Let's be honest, responding to threats long after they happen is much worse than being able to detect and respond as soon as they happen (or within a reasonable time). What can we do in AWS to make this a little bit more efficient? Well, lucky for us, AWS CloudWatch offers a capability called Events! This allows us to listen for events and launch responses as we wish. (You can also do this with Systems Manager, but that isn't covered here.) When using CloudWatch Events, we want to listen for security-sensitive API calls. Stuff like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;s3:CreateBucket&lt;/li&gt;
&lt;li&gt;s3:PutBucketPolicy&lt;/li&gt;
&lt;li&gt;ec2:RunInstances&lt;/li&gt;
&lt;li&gt;ec2:AuthorizeSecurityGroupIngress&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For each one of these events, we'd like to ensure the API was called with acceptable parameters. We wouldn't want someone to update a bucket policy and make the bucket public, and if someone launches an EC2 instance, we want to make sure that instance isn't allowing SSH or RDP open to the world.&lt;/p&gt;

&lt;p&gt;Let's take a look at S3! What are some possible security concerns around S3?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Public buckets&lt;br&gt;
Most of the time, when we see public buckets, it's a dev trying to do some testing, which isn't necessarily malicious, but having an open bucket can lead to unauthorized access or data leakage, depending on what's in the bucket. We can use CloudWatch Events to trigger a Lambda when a bucket is created and when a bucket policy is updated. This Lambda should hold your code (leveraging boto3): grab the bucket name and inspect the policy, and if the policy grants more than you want, use boto3 to set a new policy that removes public access.&lt;br&gt;
&lt;a href="https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.put_bucket_policy"&gt;Updating Bucket Policy&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Non-encrypted buckets&lt;br&gt;
Again, this depends on your organization's requirements and risk appetite, but you should always consider using encrypted buckets. Encrypting the data ensures that if assets get stolen from the AWS data center, they are encrypted. &lt;em&gt;This does not encrypt each object independently&lt;/em&gt;. Like above, use CloudWatch Events and Lambda to update the encryption status of the bucket.&lt;br&gt;
&lt;a href="https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.put_bucket_encryption"&gt;Updating Bucket Encryption&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;No S3 access logging enabled&lt;br&gt;
S3 access logging is a pretty nice feature. It gives us Apache-like logs when people access S3 objects. This is pretty nice in incident response scenarios when you need to identify how many times an object was accessed, or which IP accessed an object, although this alone should not be used to identify a malicious actor. You will need more data to attribute someone to the activity. Just like with the above two, we can use CloudWatch Events when a bucket is created to ensure S3 access logging is enabled. Take a look at the docs below for Lambda creation help.&lt;br&gt;
&lt;a href="https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.put_bucket_logging"&gt;Put Bucket Logging&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  That's it for now.
&lt;/h2&gt;

&lt;p&gt;Stay tuned, I will be making more posts to detail the exact implementation of the above concepts. There will be more posts that talk about other services too!&lt;/p&gt;

</description>
      <category>security</category>
      <category>aws</category>
      <category>devops</category>
    </item>
    <item>
      <title>Integrate static security checking for python!</title>
      <dc:creator>Nathan Getty</dc:creator>
      <pubDate>Mon, 18 Nov 2019 19:33:15 +0000</pubDate>
      <link>https://forem.com/getsec/integrate-static-security-checking-for-python-4i59</link>
      <guid>https://forem.com/getsec/integrate-static-security-checking-for-python-4i59</guid>
      <description>&lt;h2&gt;
  
  
  The basics
&lt;/h2&gt;

&lt;p&gt;Today we will be talking about bandit, a Python static analysis tool that reviews your code for possible security flaws. Let's create a virtual environment and use pip to install bandit.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight shell"&gt;&lt;code&gt;python &lt;span class="nt"&gt;-m&lt;/span&gt; venv venv
&lt;span class="nb"&gt;source &lt;/span&gt;venv/bin/activate
pip &lt;span class="nb"&gt;install &lt;/span&gt;bandit
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Let's use the following application as an example.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="nn"&gt;os&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;system&lt;/span&gt;

&lt;span class="n"&gt;system&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;'sudo su'&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Obviously, running sudo su from a shell process isn't good practice, but we're just showing off the capabilities of bandit. So, let's run bandit against our file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight shell"&gt;&lt;code&gt;bandit app_name.py
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;Below is an example of the response&lt;br&gt;
&lt;/p&gt;
&lt;/blockquote&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Test results:
&amp;gt;&amp;gt; Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
   Severity: Low   Confidence: High
   Location: bad.py:3
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
2
3       system('sudo su')

--------------------------------------------------
&amp;gt;&amp;gt; Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: bad.py:3
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
2
3       system('sudo su')

--------------------------------------------------

Code scanned:
        Total lines of code: 2
        Total lines skipped (#nosec): 0

Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 2.0
                Medium: 0.0
                High: 0.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 2.0
Files skipped (0):
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;This is pretty nice: it gives us all the results we need. We can use these results in a bunch of different ways, but what I do is grep the report for any "High" or "Medium" severity items and, if there are any, kill the CI/CD pipeline.&lt;/p&gt;

&lt;h2&gt;
  
  
  VSCode Implementation
&lt;/h2&gt;

&lt;p&gt;In VSCode, use CMD+Shift+P while in your Python application, select the linter option, and choose bandit. You may be asked to install it; choose yes, then tell VSCode to use bandit once more. Now, if you hover over the marked text, you will see the errors/warnings.&lt;/p&gt;

</description>
      <category>security</category>
      <category>python</category>
      <category>vscode</category>
    </item>
    <item>
      <title>Reverse Shell Generation.</title>
      <dc:creator>Nathan Getty</dc:creator>
      <pubDate>Mon, 18 Nov 2019 19:20:47 +0000</pubDate>
      <link>https://forem.com/getsec/reverse-shell-generation-47im</link>
      <guid>https://forem.com/getsec/reverse-shell-generation-47im</guid>
      <description>&lt;p&gt;The below tool is a good resource for generating reverse shells for a whole bunch of different systems and programming languages.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/mzfr/rsh"&gt;https://github.com/mzfr/rsh&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>reverse</category>
      <category>shells</category>
    </item>
  </channel>
</rss>
