Written By: Stephen Haywood, March 21, 2018
Many companies are moving to Infrastructure-as-a-Service (IaaS) offerings such as Amazon Web Services (AWS), Azure, and others. There are many benefits to moving to services like this, including cost management, a centralized management console, and APIs that allow automated infrastructure management. Unfortunately, IaaS has many of the same drawbacks as onsite infrastructure. The onus is still on the network owner to secure the infrastructure and to perform regular auditing and penetration testing of the infrastructure.
While auditing the machines operating inside the IaaS system, don’t forget to audit your IaaS control panel as well. Here are some example questions that should be answered:
- What user accounts have access to the IaaS Control Panel?
- What user accounts have privileged access?
- Are there any user accounts that are no longer needed?
- Are there any user accounts that have not accessed the Control Panel in the last 90 days?
- Are there any shared user accounts?
- Are there any shared API keys?
- Are there users with API keys that have not used those keys in the last 90 days?
- How many machines are running in the IaaS environment?
- Are they all needed?
Many of these questions are the same as would be asked when auditing an on-premises network. Fortunately, many IaaS providers offer APIs that can provide the data needed to answer many of these questions programmatically. AppSec Consulting has developed an example script that pulls basic user information from Amazon Web Services to help answer some of these questions in your environment. In addition, AppSec Consulting has a more full-featured, proprietary tool and a comprehensive methodology that allows us to perform a thorough security assessment of your cloud environment.
The example scripts are publicly available on our Github page at https://github.com/AppSecConsulting/Pentest-Tools/blob/master/export_ec2_users.py. All of the scripts require Python3 and the Boto3 library.
The export_ec2_users.py script, for example, will use the AWS API to export a list of Identity and Access Management (IAM) user accounts, creation dates, last login dates, and any API keys associated with the account. To use the script, you must have Python3 and the Boto3 library installed.
Before running the script, modify it to add your AWS API key and secret. (For security purposes, use a dedicated API key with the built-in Read Only role.) Run the script using the following command:
Once the script is run, it will output a file called “iam_user_accounts.txt” whose content will be similar to the following:
```text
IAM User Accounts
=================
Username: api-readonly
Created: 2017-01-23
Last Login: Never
Groups: APIReadOnly
Keys: AKIAJXOMAL4A26IKWN6Q (2017-01-27)
```
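As an added example (not the export_ec2_users.py script from the post), the following Python takes records of the kind the script exports and answers the two 90-day questions from the list above, flagging users with no console login or key use in 90 days and Active keys idle for 90 days. The function names `audit_users`, `fetch_users_from_aws` and `utc_day` are hypothetical, the sample records are constructed, and the live fetcher assumes a read-only AWS credential is configured in the environment for boto3.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)


def utc_day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample records (not real accounts) in the shape of boto3's
# list_users, list_access_keys and get_access_key_last_used responses.
SAMPLE_USERS = [
    {"UserName": "api-readonly", "CreateDate": utc_day(2017, 1, 23),   # no console password
     "Keys": [{"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
               "CreateDate": utc_day(2017, 1, 27), "LastUsedDate": utc_day(2018, 3, 20)}]},
    {"UserName": "old-contractor", "CreateDate": utc_day(2016, 5, 2),
     "PasswordLastUsed": utc_day(2017, 6, 1),
     "Keys": [{"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
               "CreateDate": utc_day(2016, 5, 2), "LastUsedDate": None}]},  # never used
    {"UserName": "new-hire", "CreateDate": utc_day(2018, 3, 15),
     "PasswordLastUsed": utc_day(2018, 3, 19), "Keys": []},
]


def audit_users(users, now):
    """Return (idle_users, stale_keys) relative to `now`.

    A key is stale when it is Active and unused for 90 days; a never-used key
    counts from its creation date, so a key minted last week is not flagged.
    A user is idle when neither a console login nor any key use (falling back
    to the account's creation date) happened in the last 90 days.
    """
    cutoff = now - STALE_AFTER
    idle_users, stale_keys = [], []
    for user in users:
        last_activity = user.get("PasswordLastUsed") or user["CreateDate"]
        for key in user.get("Keys", []):
            used = key.get("LastUsedDate")
            if used is not None:
                last_activity = max(last_activity, used)
            if key["Status"] == "Active" and (used or key["CreateDate"]) < cutoff:
                stale_keys.append((user["UserName"], key["AccessKeyId"]))
        if last_activity < cutoff:
            idle_users.append(user["UserName"])
    return idle_users, stale_keys


def fetch_users_from_aws():
    """Collect the same records live with boto3 (needs credentials; not run here)."""
    import boto3  # lazy import so the audit logic above works without boto3 installed
    iam = boto3.client("iam")
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            user["Keys"] = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
            for key in user["Keys"]:
                last = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])
                key["LastUsedDate"] = last["AccessKeyLastUsed"].get("LastUsedDate")
            users.append(user)
    return users


if __name__ == "__main__":
    idle, stale = audit_users(SAMPLE_USERS, utc_day(2018, 3, 21))
    print("Idle users:", idle)   # ['old-contractor']
    print("Stale keys:", stale)  # [('old-contractor', 'AKIAEXAMPLE000000002')]
```

Replace `SAMPLE_USERS` with `fetch_users_from_aws()` to run the same checks against a real account.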
Contact AppSec Consulting today to learn about how we can help assess your cloud environment with our comprehensive Cloud Architecture Security Assessment or Penetration Testing services.