
Automatic information enumeration - AWS

Need

Minimization of exposed resources in AWS

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS SDK for interacting with Amazon Web Services

Description

Non-compliant code

provider "aws" {
  region = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"

  tags = {
    Name = "example-instance"
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
  acl    = "public-read" # canned ACL that grants READ to everyone on the internet

  tags = {
    Name = "example-bucket"
  }
}

resource "aws_db_instance" "example" {
  allocated_storage    = 5
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  publicly_accessible  = true # gives the instance a public endpoint reachable from the internet
}

The above Terraform code is provisioning three AWS resources: an EC2 instance, an S3 bucket, and an RDS database instance.

The vulnerability lies in the configuration of the S3 bucket and the RDS database instance.

  1. For the S3 bucket, the acl attribute is set to public-read. This means that anyone on the internet can read the content of this bucket, which might not be necessary for the operation of the application and could expose sensitive data.

  2. For the RDS database instance, the publicly_accessible attribute is set to true. This means that the database can be accessed from the internet, which expands the attack surface if it's not necessary for the operation of the application.

This code does not follow the principle of least privilege: only the minimum access required for the application to operate should be granted. Resources and permissions that are not needed should not be exposed, since each exposed resource is a potential attack vector.
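The two misconfigurations above are visible in the Terraform source before anything is deployed, so they can be caught in review or CI. The following scanner is an added example (not part of the original page and not a Terraform or AWS tool): it extracts top-level resource blocks from HCL text with brace matching, reads their depth-0 attributes, and flags the values that expose a resource publicly. The rule table is an assumption of this example; it covers the page's two cases plus the other public canned S3 ACLs. The embedded sample configuration is a constructed copy of the non-compliant code.

```python
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the non-compliant configuration discussed on this page,
# embedded as a string so the check runs offline.
SAMPLE_NON_COMPLIANT = '''
provider "aws" {
  region = "us-west-2"
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
  acl    = "public-read"

  tags = {
    Name = "example-bucket"
  }
}

resource "aws_db_instance" "example" {
  engine              = "mysql"
  publicly_accessible = true
}
'''

# Assumed rule table for this example: top-level attribute values that expose a
# resource to the internet (the page's two cases plus the other public canned ACLs).
EXPOSURE_RULES: Dict[str, Dict[str, set]] = {
    "aws_s3_bucket": {"acl": {'"public-read"', '"public-read-write"', '"authenticated-read"'}},
    "aws_db_instance": {"publicly_accessible": {"true"}},
}

RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTRIBUTE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')


def iter_resources(hcl: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (type, name, body) for every top-level resource block, matching
    braces so nested blocks such as tags = { ... } stay inside the body."""
    for header in RESOURCE_HEADER.finditer(hcl):
        depth, i = 1, header.end()
        while i < len(hcl) and depth > 0:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield header.group(1), header.group(2), hcl[header.end():i - 1]


def top_level_attributes(body: str) -> Dict[str, str]:
    """Collect key = value pairs at depth 0 of a block body; nested blocks are skipped.
    Comment stripping is naive and does not understand '#' inside strings."""
    attrs: Dict[str, str] = {}
    depth = 0
    for line in body.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if depth == 0 and "{" not in stripped:
            match = ATTRIBUTE.match(stripped)
            if match:
                attrs[match.group(1)] = match.group(2)
        depth += stripped.count("{") - stripped.count("}")
    return attrs


def find_exposures(hcl: str) -> List[Tuple[str, str, str, str]]:
    """Return (resource type, name, attribute, value) for each publicly exposed resource."""
    findings = []
    for rtype, rname, body in iter_resources(hcl):
        attrs = top_level_attributes(body)
        for attr, exposed_values in EXPOSURE_RULES.get(rtype, {}).items():
            value = attrs.get(attr)
            if value in exposed_values:
                findings.append((rtype, rname, attr, value))
    return findings


def main(argv: List[str]) -> int:
    # With a path argument scan that .tf file; otherwise scan the embedded sample.
    hcl = open(argv[1]).read() if len(argv) > 1 else SAMPLE_NON_COMPLIANT
    findings = find_exposures(hcl)
    for rtype, rname, attr, value in findings:
        print(f"{rtype}.{rname}: {attr} = {value} exposes the resource publicly")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a `.tf` path to get a non-zero exit status whenever an exposure is found, which is enough to fail a pipeline stage. The brace-matching approach handles the nested `tags` block but is not a full HCL parser; for production use, a real HCL parser or a dedicated IaC scanner is the better fit.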

Steps

  • Identify the necessary resources for the operation of the application.
  • Remove or disable any unnecessary resources that are exposed.
  • Review the AWS configuration and ensure that only necessary resources are provisioned.
  • Regularly audit the AWS infrastructure to identify and remove any unnecessary resources.
  • Implement least privilege access control to restrict access to necessary resources.
  • Regularly update and patch the AWS infrastructure to mitigate any potential vulnerabilities.
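The review and audit steps above also apply to resources that already exist in the account, where Terraform source may not tell the whole story. The following audit is an added example using the AWS SDK response shapes (it is not AWS or boto3 code): it lists every S3 bucket whose ACL grants a permission to the AllUsers or AuthenticatedUsers group and every RDS instance whose PubliclyAccessible flag is set. The functions take client objects so they can be exercised offline with the constructed stand-ins below; `main()` wires in real boto3 clients. Bucket names, instance identifiers and the owner ID in the fakes are placeholders.

```python
from typing import Any, Dict, List

# S3 group grantee URIs that mean "everyone" or "any authenticated AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_bucket_grants(acl: Dict[str, Any]) -> List[str]:
    """Permissions that a GetBucketAcl response grants to the public group grantees."""
    return [
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def audit_s3(s3) -> List[Dict[str, str]]:
    """Flag every bucket whose ACL grants anything to a public group."""
    findings = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        perms = public_bucket_grants(s3.get_bucket_acl(Bucket=name))
        if perms:
            findings.append({"service": "s3", "resource": name,
                             "issue": f"public ACL grants {sorted(set(perms))}"})
    return findings


def audit_rds(rds) -> List[Dict[str, str]]:
    """Flag every DB instance with PubliclyAccessible set, following result pages."""
    findings, kwargs = [], {}
    while True:
        page = rds.describe_db_instances(**kwargs)
        for db in page["DBInstances"]:
            if db.get("PubliclyAccessible"):
                findings.append({"service": "rds", "resource": db["DBInstanceIdentifier"],
                                 "issue": "PubliclyAccessible is true"})
        if "Marker" not in page:
            return findings
        kwargs = {"Marker": page["Marker"]}


def audit_account(s3, rds) -> List[Dict[str, str]]:
    """Combine the per-service checks into one list of findings."""
    return audit_s3(s3) + audit_rds(rds)


# Constructed stand-ins that return the response shapes boto3 returns, so the
# audit can be exercised offline. Names and IDs are placeholders.
class FakeS3:
    def list_buckets(self):
        return {"Buckets": [{"Name": "example"}, {"Name": "internal-logs"}]}

    def get_bucket_acl(self, Bucket):
        owner = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                 "Permission": "FULL_CONTROL"}
        everyone = {"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}
        return {"Grants": [owner, everyone] if Bucket == "example" else [owner]}


class FakeRds:
    def describe_db_instances(self, **kwargs):
        return {"DBInstances": [
            {"DBInstanceIdentifier": "example-db", "PubliclyAccessible": True},
            {"DBInstanceIdentifier": "internal-db", "PubliclyAccessible": False},
        ]}


def main() -> None:
    import boto3  # real clients only when run against an account
    for finding in audit_account(boto3.client("s3"), boto3.client("rds")):
        print(f"{finding['service']}: {finding['resource']}: {finding['issue']}")


if __name__ == "__main__":
    main()
```

Two caveats for anyone scheduling this as the regular audit the steps call for. A bucket ACL is only one exposure path: bucket policies and the account or bucket Block Public Access settings (GetBucketPolicyStatus and GetPublicAccessBlock in the S3 API) also decide whether data is reachable, so a clean ACL is not proof of a private bucket. Conversely, PubliclyAccessible on an RDS instance gives it a public endpoint, but whether that endpoint accepts connections also depends on its security groups and subnet routing; the flag is the right thing to alert on, and the network configuration is the next thing to check.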

Compliant code

provider "aws" {
  region = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"

  tags = {
    Name = "example-instance"
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
  acl    = "private" # only the bucket owner is granted access through the ACL

  tags = {
    Name = "example-bucket"
  }
}

resource "aws_db_instance" "example" {
  allocated_storage    = 5
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  publicly_accessible  = false # no public endpoint; the instance is reachable only from inside the VPC
}

The original code had two main vulnerabilities:

  1. The S3 bucket was publicly readable. This is a potential security risk as it allows anyone to read the data in the bucket. The ACL for the bucket has been changed to "private" to prevent public access.

  2. The database instance was publicly accessible. This is a potential security risk as it allows anyone to access the database. The publicly_accessible attribute has been set to false to prevent public access.

These changes ensure that only necessary resources are exposed, reducing the attack surface and improving the security of the application. It is also recommended to audit the AWS infrastructure regularly to identify and remove unnecessary resources, to implement least privilege access control so that only the required resources can be reached, and to update and patch the AWS infrastructure regularly to mitigate potential vulnerabilities.
