Overview of AWS Cloud Configuration Security Using Nuclei Templates

Nuclei Templates v9.8.5 adds templates for reviewing AWS cloud configuration. In this post we discuss automating misconfiguration checks in the cloud, writing custom AWS checks, and uploading the results to the PDCP Cloud platform for further analysis.

An AWS Cloud Configuration Security Review, also called an AWS Cloud Config Review or AWS Cloud Audit in pentesting circles, assesses the security posture of an Amazon Web Services (AWS) environment. It is a thorough examination of how AWS services are configured, covering storage, databases, networking, identity and applications, to confirm that the configuration protects data and services and complies with the organization's security requirements. By identifying misconfigurations and areas for improvement, the review strengthens the environment and reduces the risk of unauthorized access and data leaks.

Key Activities in an AWS Cloud Security Configuration Review

  1. Identity and Access Management (IAM) validation: assessing who can access which resources in AWS, so that only the right principals reach sensitive information or critical systems.

  2. Checking service configurations: analyzing the settings of individual AWS services, for example confirming that S3 buckets are private and that databases are not reachable from the Internet unless that is actually required.

  3. Monitoring and logging: ensuring that activity in the AWS environment is recorded. When a security incident occurs, the logs let you reconstruct the sequence of events.

  4. Network configuration audit: analyzing network settings within AWS, such as security groups and network ACLs, to confirm that they do not expose resources to unauthorized access.

  5. Compliance check: verifying that AWS configurations comply with the regulations, data protection laws or industry standards that apply to the organization.

  6. Vulnerability assessment: scanning the AWS environment for weak points that could give an attacker a foothold, so that they can be fixed before they are exploited.

  7. Best-practice evaluation: comparing configurations against recommended security practices so that AWS resources are protected as well as possible.

  8. Remediation and reporting: the review produces practical recommendations for fixing the identified misconfigurations and compliance violations. Detailed reports highlight the security gaps and inconsistencies and explain how to resolve them, which supports informed decisions about improving security.

In our experience the AWS cloud configuration review process is overly complex and causes many problems in practice. We therefore set out to simplify it by expressing AWS security checks in the simple YAML format that Nuclei templates already use. The templates cover the basic categories above (service configuration, logging, compliance and best practices), and their results can be turned into a detailed report, with remediation steps, on our cloud platform. This makes the review process more convenient for companies and penetration testers alike.

What are Code Protocol templates?

Nuclei's code protocol lets a template execute external commands on the host operating system, which gives security researchers, pentesters and developers a way to go beyond the standard protocol-based tests. A code template can interact with the underlying operating system: it can run custom scripts or commands for system configuration, file handling, network interaction, or, as in this post, calls to a cloud provider's CLI. That control makes it possible to tailor a security testing workflow to a specific environment.

Because code templates execute commands on the scanning host, Nuclei will not load one unless it is signed, and such templates are excluded from the default scan. Sign your own template with the -sign flag (if you have no signing key yet, Nuclei generates a key pair for you); once signed, enable code templates at scan time with the -code flag.

The following example shows how easily an aws-cli command can be run from a template. Note that, unlike templates that test a remote target, this command runs on our own host and acts on AWS with whatever credentials that host holds.

id: aws-config-review
info:
  name: AWS Cloud Config Review Example
  author: princechaddha
  severity: info
  description: |
    Checks if AWS CLI is set up on the environment.
  reference:
    - https://aws.amazon.com/cli/
  tags: cloud,devops,aws,amazon,aws-cloud-config
self-contained: true   # no target needed: the command runs on the scanning host
code:
  - engine:
      - sh
      - bash
    source: |
      aws sts get-caller-identity --output json
    matchers:
      - type: word   # a UserId key in the output means the CLI found working credentials
        words:
          - '"UserId"'
    extractors:
      - type: json
        name: account   # the 12-digit account ID, kept internal for use by later blocks
        internal: true
        json:
          - '.Account'

Example #1:

In this example we create a template that detects S3 buckets whose ACL grants READ access to everyone, a common cause of data breaches.

  • We set self-contained: true because, unlike regular Nuclei templates that run against a target host, this template needs no target at all: the commands run once on the scanning host and query AWS through the CLI's credentials.

  • Each code block first names the engine that should execute the command (sh or bash here), followed by the command itself in the source section.

  • After the info block we added a flow block, which controls the execution order of the template. First code(1) runs; its extractor collects the names of all buckets in the account and stores them in the internal buckets array. The for loop then iterates over that array and runs the second code block for each entry, setting the bucket variable before each run.

  • The second code block executes aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]', with $bucket replaced by the name obtained from the first command. The JMESPath query keeps only the grants made to the AllUsers group, i.e. to anonymous users.

  • The matcher checks whether one of those grants carries the READ permission, which on a bucket means anyone can list its objects.

  • Finally, a DSL extractor emits a message naming each bucket that is publicly readable.

Two caveats apply to an ACL-only check. S3 Block Public Access, when enabled on the bucket or the account with BlockPublicAcls or IgnorePublicAcls, overrides such grants, so a finding here may not be reachable in practice; and a bucket can also be made public through its bucket policy, which this template does not inspect. A complete review also checks the AuthenticatedUsers group (any AWS account, not just anonymous users), the bucket policy, and the Block Public Access settings.

id: s3-public-read
info:
  name: S3 Bucket with Public READ Access
  author: princechaddha
  severity: critical
  description: |
    Verifies that Amazon S3 buckets do not permit public 'READ' (LIST) access to anonymous users, protecting against unauthorized data exposure
  reference:
    - https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
  tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
  code(1)
  for(let bucketName of iterate(template.buckets)){
    set("bucket", bucketName)
    code(2)
  }
self-contained: true
code:
  # Block 1: list every bucket name in the account (bucket names are global, no region needed)
  - engine:
      - sh
      - bash
    source: |
      aws s3api list-buckets --query 'Buckets[*].Name'
    extractors:
      - type: json   # store the names internally for the flow loop
        internal: true
        name: buckets
        json:
          - '.[]'
  # Block 2: return only the ACL grants made to the AllUsers (anonymous) group
  - engine:
      - sh
      - bash
    source: |
      aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]'
    matchers:
      - type: word
        words:
          - '"Permission": "READ"'
    extractors:
      - type: dsl
        dsl:
          - '"The S3 bucket " + bucket + " has public READ access"'
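The ACL check above misses buckets that are public because of their bucket policy. The following template, an added example written for this post rather than one of the published nuclei-templates (the id and author are hypothetical), reuses the same flow pattern and asks S3 for its own evaluation of each bucket's policy through get-bucket-policy-status. It assumes a configured AWS CLI with permission to call s3:ListAllMyBuckets and s3:GetBucketPolicyStatus, and, like every code template, it must be signed with -sign and run with -code.

```yaml
id: s3-public-policy
info:
  name: S3 Bucket Made Public by Bucket Policy
  author: example   # hypothetical author; this is not a template from nuclei-templates
  severity: high
  description: |
    Reports buckets whose bucket policy makes them public according to
    GetBucketPolicyStatus, a case the ACL-based check does not see.
  impact: |
    A public bucket policy can grant anonymous List/Get access to every object
    even when the bucket ACL is private.
  remediation: |
    Remove the public statements from the bucket policy and enable S3 Block
    Public Access (BlockPublicPolicy / RestrictPublicBuckets) on the bucket or account.
  reference:
    - https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-policy-status.html
  tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
  code(1)
  for(let bucketName of iterate(template.buckets)){
    set("bucket", bucketName)
    code(2)
  }
self-contained: true
code:
  # Block 1: enumerate every bucket in the account (bucket names are global, no region needed)
  - engine:
      - sh
      - bash
    source: |
      aws s3api list-buckets --output json --query 'Buckets[*].Name'
    extractors:
      - type: json
        internal: true
        name: buckets
        json:
          - '.[]'
  # Block 2: let S3 evaluate the bucket policy. A bucket with no policy makes the
  # CLI return a NoSuchBucketPolicy error; that output has no IsPublic key, so the
  # matcher stays silent for it and only genuinely public policies are reported.
  - engine:
      - sh
      - bash
    source: |
      aws s3api get-bucket-policy-status --bucket $bucket --output json
    matchers:
      - type: word
        words:
          - '"IsPublic": true'
    extractors:
      - type: dsl
        dsl:
          - '"The S3 bucket " + bucket + " is public through its bucket policy"'
```

Run this template alongside the ACL check; together with a third block that reads get-public-access-block they give the full picture of how a bucket can become public. Because the check relies on S3's own public/not-public evaluation rather than on parsing policy JSON, it also catches public access granted through conditions and wildcard principals that a naive string match would miss.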

Example #2:

Similarly, the following template checks for RDS snapshots that have been shared publicly. Only manual snapshots can be shared, which is why the first command filters on --snapshot-type manual; a snapshot is public when its restore attribute contains the value all. Note that this covers RDS instance snapshots only: Aurora cluster snapshots are listed with describe-db-cluster-snapshots and need a separate template.

id: rds-public-snapshot
info:
  name: RDS Public Snapshot Exposure
  author: princechaddha
  severity: high
  description: |
    Checks if AWS RDS database snapshots are publicly accessible, risking exposure of sensitive data.
  impact: |
    Public snapshots can expose sensitive data to unauthorized users, leading to potential data breaches.
  remediation: |
    Modify the snapshot's visibility settings to ensure it is not public, only shared with specific AWS accounts.
  reference:
    - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html
  tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
  region: "ap-northeast-1"
flow: |
  code(1)
  for(let snapshotId of iterate(template.snapshots)){
    set("snapshot", snapshotId)
    code(2)
  }
self-contained: true
code:
  # Block 1: list the identifiers of all manual snapshots in the region
  - engine:
      - sh
      - bash
    source: |
      aws rds describe-db-snapshots --region $region --snapshot-type manual --output json --query 'DBSnapshots[*].DBSnapshotIdentifier'
    extractors:
      - type: json
        name: snapshots
        internal: true
        json:
          - '.[]'
  # Block 2: read the sharing attributes; a restore attribute containing "all" means public
  - engine:
      - sh
      - bash
    source: |
      aws rds describe-db-snapshot-attributes --region $region --db-snapshot-identifier $snapshot --query 'DBSnapshotAttributesResult.DBSnapshotAttributes'
    matchers:
      - type: word
        words:
          - '"all"'
    extractors:
      - type: dsl
        dsl:
          - '"RDS snapshot " + snapshot + " is public"'

Create custom templates for specific tasks

Following the pattern of the examples above, users can write their own templates to check the AWS services in their environments.

Examples of using Nuclei templates for AWS:

  • Cloud resource optimization: templates can verify that AWS resources are used as intended. For example, a template might check that caching is enabled on a CloudFront distribution or that Route 53 DNS records are configured correctly.

  • Deployment verification: templates can check that a deployment succeeded and that the deployed version is the expected one, for example as a stage in a CodePipeline pipeline.

  • Disaster recovery: templates can verify that recovery resources are configured correctly, for example that RDS instances use a Multi-AZ deployment.

  • Security compliance: templates can help enforce security requirements, for example by checking that every S3 bucket has the expected encryption configuration.

  • Cost optimization: templates can flag underutilized EC2 instances that could be terminated or downsized to a smaller instance type.
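As a worked example of the disaster-recovery case in the list above, here is a template that reports RDS instances running in a single Availability Zone. It is an added example written for this post, not one of the published nuclei-templates (id and author are hypothetical), and it assumes a configured AWS CLI with rds:DescribeDBInstances permission and a default region of us-east-1, which is an assumption you can override per scan.

```yaml
id: rds-instance-single-az
info:
  name: RDS Instance Without Multi-AZ Deployment
  author: example   # hypothetical author; this is not a template from nuclei-templates
  severity: medium
  description: |
    Checks that non-Aurora RDS DB instances use a Multi-AZ deployment, so that the
    loss of one Availability Zone does not take the database offline.
  impact: |
    A single-AZ instance has no synchronous standby; an AZ outage or host failure
    causes downtime and can lose the most recent transactions.
  remediation: |
    Enable Multi-AZ on the instance (aws rds modify-db-instance --multi-az).
  reference:
    - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
  tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
  region: "us-east-1"   # assumed default; override per scan with -var region=<region>
flow: |
  code(1)
  for(let dbId of iterate(template.instances)){
    set("instance", dbId)
    code(2)
  }
self-contained: true
code:
  # Block 1: list the identifiers of all non-Aurora instances in the region.
  # Aurora provides high availability at the cluster level, so its instances are
  # excluded here; they would need a separate describe-db-clusters template.
  - engine:
      - sh
      - bash
    source: |
      aws rds describe-db-instances --region $region --output json --query 'DBInstances[?!starts_with(Engine, `aurora`)].DBInstanceIdentifier'
    extractors:
      - type: json
        name: instances
        internal: true
        json:
          - '.[]'
  # Block 2: read the MultiAZ flag of each instance; the query prints just true or false.
  - engine:
      - sh
      - bash
    source: |
      aws rds describe-db-instances --region $region --db-instance-identifier $instance --output json --query 'DBInstances[0].MultiAZ'
    matchers:
      - type: word
        words:
          - 'false'
    extractors:
      - type: dsl
        dsl:
          - '"RDS instance " + instance + " is not deployed as Multi-AZ"'
```

The same two-block shape (enumerate, then inspect each item) carries over to most per-resource checks: swap the list command, the per-item command and the matcher, and keep the flow block as it is. Since the region is a variable, run the template once per region your account uses.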

Running AWS Cloud Configuration Validation Templates

To run the templates against your cloud configuration, first set up the environment exactly as you would for aws-cli: either add aws_access_key_id and aws_secret_access_key to the ~/.aws/credentials file or export them as environment variables (a named profile selected with AWS_PROFILE works as well). Use a read-only identity for the scan: the checks shown here only call describe, get and list APIs, so a user or role with the AWS-managed SecurityAudit or ReadOnlyAccess policy is sufficient, and the scanner never needs write permissions in the account.

In Nuclei-Templates we introduced the concept of profiles, which run a specific set of templates designed for a particular use case. For the AWS templates there is a profile called aws-cloud-config.

Once the environment is set up, run the basic template shown earlier to confirm that everything is in place before running the whole profile (the -code flag is required because it is a code template):

nuclei -code -t /path/to/aws-template.yaml

If the template matches, the scanning host has the AWS CLI installed and working credentials. You can then run the complete set of AWS configuration templates through the profile, as shown in the next section.

Templates for regional services carry a region variable, which is set to us-east-1 in the published templates (the RDS example above uses ap-northeast-1). Override it for a scan with the -var flag, for example -var region=eu-west-1, or change it in the profile file. Each run covers a single region, so repeat the scan for every region your account uses; resources in an unscanned region are simply not reported.

Uploading results to the ProjectDiscovery cloud platform

Next we run the scan with the AWS config profile. Penetration testers and companies alike will want to keep the results for reporting or remediation tracking, and the -cloud-upload flag sends them to PDCP for that purpose.

To upload results to the cloud, you need to obtain an authentication token. Here are the steps you need to follow:

  • Go to the PDCP Cloud page and log in to your account.

  • Click your profile photo in the top right corner and select your API key.

  • Copy the API key and run nuclei -auth in your terminal, pasting the key when prompted.

Now everything is ready to run the templates:

nuclei -config ~/nuclei-templates/profiles/aws-cloud-config.yml -cloud-upload

With a large number of results it is far more convenient to review them in the cloud. Log in to PDCP Cloud and the scan, with its results, is already there.

We have added over 95 templates covering services such as ACM, CloudTrail, EC2, RDS, VPC, CloudWatch, IAM and S3, and we invite the community to share feedback. We expect this number to grow as the security community continues to contribute and collaborate.

Conclusion

Cloud configuration review with Nuclei is a practical way to automate security and configuration checks across AWS environments. Because a code template can wrap any AWS CLI command, checks can be tailored to an organization's specific requirements.

Templates can cover many aspects of a cloud configuration, including security, cost optimization and compliance.
