AWS troubleshooting

jam 2021/09/16
easy
Encrypt the data lake
Task: complete 1 and 2.
1. Encrypt the existing objects in the data lake using a scalable method.
2. Configure the data lake S3 bucket so that new objects are encrypted by default with the customer managed KMS key.

Resources:
#1 A data lake S3 bucket with hundreds of objects, some of which are not encrypted.
#2 A customer managed KMS key used to encrypt at rest every file in the data lake and every file uploaded in the future.
#3 An S3 Inventory file; for this task a pre-generated inventory CSV file is provided.
#4 An IAM role (FixEncryptionRole) used to handle the encryption error.

Main service used: S3 Batch Operations

Solution:
#1 Encrypt the existing objects in the data lake using a scalable method:
1. In the S3 console open Batch Operations and choose Create job; make sure the batch job is created in the same AWS Region as the data lake.
2. Choose CSV as the manifest format; the manifest file is in the report folder of the data lake S3 bucket. For Operation type choose Copy and select the data lake S3 bucket as the destination; leave the prefix empty, because the objects are to be written back over the original paths listed in the manifest. Acknowledge that the objects will be overwritten. Still in the Operation step, under server-side encryption choose SSE-KMS and pick the customer managed KMS key provided in the resources (there is only one); leave every other option at its default.
3. Send the completion report to the reports folder of the data lake S3 bucket so failures can be debugged, add the provided IAM role (FixEncryptionRole), then confirm the input and create the job.
4. Once the job has finished preparing, select it, open it, scroll to the bottom and choose Run job.

#2 Configure the data lake S3 bucket so that new objects are encrypted by default with the customer managed KMS key:
1. Click the data lake S3 bucket and choose Properties.
2. Click Default encryption, choose AWS-KMS and select the non-default (customer managed) KMS key.
3. Click Save.
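As an added example (not part of the original write-up), the selection that step 2 relies on can also be made directly from the inventory CSV, producing the bucket,key manifest the batch Copy job reads; the sample rows and the column order below are constructed and must be checked against the real inventory's fileSchema.

```python
"""Select objects that still need SSE-KMS from an S3 Inventory CSV and emit
the CSV manifest that an S3 Batch Operations Copy job accepts.

Added example, not part of the original write-up. It assumes the inventory
was configured with the optional "Encryption status" field and that the
columns appear in the order given in COLUMNS (check the fileSchema in the
inventory's manifest.json, since the order depends on the fields chosen)."""
import csv
import io

COLUMNS = ["Bucket", "Key", "VersionId", "IsLatest", "IsDeleteMarker",
           "Size", "LastModifiedDate", "ETag", "StorageClass",
           "IsMultipartUploaded", "ReplicationStatus", "EncryptionStatus"]

# Constructed sample inventory rows; inventory CSVs carry no header row and
# keys are already URL-encoded, which is also how the batch manifest wants them.
SAMPLE_INVENTORY = (
    '"jam-data-lake","raw/2021/09/sales.csv","","true","false","1024",'
    '"2021-09-01T00:00:00.000Z","d41d8cd9","STANDARD","false","","NOT-SSE"\n'
    '"jam-data-lake","raw/2021/09/users.csv","","true","false","2048",'
    '"2021-09-02T00:00:00.000Z","e99a18c4","STANDARD","false","","SSE-S3"\n'
    '"jam-data-lake","curated/orders.parquet","","true","false","4096",'
    '"2021-09-03T00:00:00.000Z","ab56b4d9","STANDARD","false","","SSE-KMS"\n'
    '"jam-data-lake","raw/2021/08/old.csv","","false","false","512",'
    '"2021-08-01T00:00:00.000Z","9e107d9d","STANDARD","false","","NOT-SSE"\n'
)


def objects_needing_kms(inventory_csv, want="SSE-KMS"):
    """Return (bucket, key) pairs for current objects whose encryption status
    is anything but `want` (NOT-SSE, SSE-S3 or SSE-C all qualify)."""
    todo = []
    for row in csv.reader(io.StringIO(inventory_csv)):
        rec = dict(zip(COLUMNS, row))
        # Only current versions that are real objects are worth re-copying.
        if rec["IsLatest"] != "true" or rec["IsDeleteMarker"] == "true":
            continue
        if rec["EncryptionStatus"] != want:
            todo.append((rec["Bucket"], rec["Key"]))
    return todo


def batch_manifest(pairs):
    """Render the bucket,key CSV that S3 Batch Operations reads as a manifest."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for bucket, key in pairs:
        writer.writerow([bucket, key])
    return buf.getvalue()
```

The resulting manifest is what you upload to the report folder before creating the job; the completion report then tells you which of those keys the Copy could not re-encrypt.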

medium
overly ambitious security controls
Task:
You have just spun up a new autoscaling application that runs over HTTP. In order for it to be secure, you made sure it was in a VPC and hosted using an autoscaling group.
Steps:

Fix the route table (The productionJAM): one of the routes to the IGW is wrong; its destination is 10.0.0.0/8 and must be changed to 0.0.0.0/0.
Fix the NACL. Inbound rules: there is an extra rule, number 10, set to deny; delete it.
Outbound rules: create rule number 100 for all traffic with 0.0.0.0/0 as the source.
Fix the security groups: ELBSecurityGroup and AsgSecurityGroup both allow port 8080; change it to 80.
Connect to the ELB; the single line of text it serves is the answer.
Privilege Separation - Got Root?
Background:
You are the security auditor within your company. The AWS team of your company just set up a new, more secure IAM concept. It is your job to evaluate the security level of the implementation. The core of the IAM concept is privilege separation via roles. The following roles were created:

JamRole-EC2Admin (this role is used by you and your team to perform all high-privilege EC2 actions)
JamRole-S3Access (this role will be used by authorized teams for full S3 access)
JamRole-ServerlessAdmin (this role gives the 3rd-party serverless dev team access to typical serverless AWS services, such as DynamoDB and Lambda)
JamRole-EmergencyAdministration (full administrative access role in the account that might be assumed by the central CERT team)
Other misc JamRoles used for cross-account access
Please ignore any other roles, especially any AWSLabs role.
You enter the account with the "AWSLabsUser" role. Following the role concept, you should ONLY be able to assume the roles "JamRole-EC2Admin" and "JamRole-S3Access".
With those roles, you should NOT be able to assume any other roles!
With those roles, you should NOT have full administrative access.
Task:
1. You enter the account in the role "AWSLabsUser". Assume the role "JamRole-EC2Admin" or "JamRole-S3Access" using the "Switch Role" feature!
2. Evaluate each role and policy with the prefix "JamRole" from the perspective of the different roles you are allowed to assume.
3. Find the weakness in the IAM role concept that gives you full administrative access.
4. Exploit the weakness. Execute the Lambda function "getSecret" as a proof of concept. The return value of the Lambda function is the secret key for the solution.
Solution:
Make sure you have assumed the role "JamRole-EC2Admin" (or "JamRole-S3Access") with "Switch Role" from the account you first signed in to, and perform all following steps in the context of the role "JamRole-EC2Admin" unless stated otherwise.
Step 1 must be done first, otherwise the challenge cannot continue.
On close inspection of the PermissionBoundary policy blacklist you will notice that whoever wrote the policy forgot the IAM action iam:UpdateAssumeRolePolicy. This action allows the "Trusted entities" of a role to be modified.
Use this gap to make a small change:
In the console open the role "JamRole-EmergencyAdministration", choose "Trust relationships", then edit the policy and add your own account as a second "Trusted entity", so the policy looks like this:
{
  "Version":"2012-10-17",
  "Statement": [
    {
       "Effect":"Allow",
       "Principal" :{
          "AWS":[
            "arn:aws:iam::339644790936:root",
            "arn:aws:iam::YOUR_ACCOUNT_NUMBER_HERE:root"
          ]
       },
       "Action":"sts:AssumeRole",
       "Condition":{}  
    }
  ]
}
Switch Role to the role "JamRole-EmergencyAdministration". You now have administrator rights.
In the AWS console go to Lambda, find the function "getSecret" and invoke it. The returned value completes the challenge.
My Pipeline is stuck!
Background:
AWS CodePipeline includes a number of actions that help you configure build, test, and deploy resources for your automated release process. AWS CodePipeline enables custom actions that can be leveraged for integrations. In the current release process, the team is interested in creating a custom action that triggers a Lambda function.
Task:
One of your team members started working on implementing it and has since left the organization. A new team member joined your team and deployed the infrastructure. However, the deployed infrastructure is not working. It turns out that the previous engineer did not commit the latest code to the source code repository (all changes were stored locally). The CodePipeline execution keeps running for 1 hour before timing out. Your team needs you to help troubleshoot the issue and fix it.
Resources:

CodePipeline
Lambda function: added as a Custom Action step in CodePipeline - BrokenPipelineLambdaFunction
IAM role - CodePipeline-Lambda Function
S3 buckets for CodePipeline
Services used: CodePipeline, S3 bucket, Lambda function, API Gateway
Solution:
Updating IAM permissions
There are 2 ways to update the Lambda function's IAM role:
Adding an inline policy
Select the IAM role and click on Add inline policy.
Select the JSON tab and replace the contents with the following:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "codepipeline:PutJobFailureResult",
            "codepipeline:PutJobSuccessResult"
        ],
        "Resource": "*"
    }]
}
Click on the "Review policy" button at the bottom of the page.
Add a name for the policy and click on "Create policy".

Attach an existing managed IAM policy: AWSCodePipelineCustomActionAccess. Steps are listed below:
Select the IAM role and click on the "Attach policies" button.
Search for AWSCodePipelineCustomActionAccess in the search bar.
Select the resulting IAM policy and click on the "Attach policy" button at the bottom right.
Updating Lambda function source code
Replace the Lambda code with the following. The Lambda function name is BrokenPipelineLambdaFunction.
import ssl
import os
import json
import boto3
from urllib.request import urlopen

cp_client = boto3.client('codepipeline')
# Turns off TLS certificate verification for urlopen. Kept as in the write-up for
# the lab endpoint; it is not something to carry into production code.
ssl._create_default_https_context = ssl._create_unverified_context

def lambda_handler(event, context):
    # API Gateway URL to call, supplied through the function's environment variables
    url = os.getenv('API_URL')
    # CodePipeline hands the custom action a job id; the pipeline keeps waiting
    # (until its one-hour timeout) unless the job reports success or failure.
    job_id = event['CodePipeline.job']['id']
    try:
        status_code = urlopen(url).getcode()
        print(status_code)
        cp_client.put_job_success_result(jobId=job_id)
        return {
            'statusCode': status_code,
            'body': "Completed Lambda execution successfully"
        }
    except Exception as e:
        print(f'Error occurred - {str(e)}')
        # Report the failure so the pipeline stops instead of hanging until timeout
        cp_client.put_job_failure_result(
            jobId=job_id,
            failureDetails={'message': str(e), 'type': 'JobFailed'})
        return {
            'statusCode': 500,
            'body': "Lambda execution completed. Internal error occurred"
        }
Trigger the pipeline
After making both changes, retrigger the pipeline. If it is already running, stop it first. Steps for starting (and stopping) a CodePipeline are detailed in the Challenge details section.

memory loss
task 1
Task:
Summary
No memory? No problem! Your task is to get the memory in use by the EC2 instance to display in the AWS console. You want to view, graph, and monitor the memory used by the EC2 instance moving forward.
Requirement:
The task will be complete once the memory used by the EC2 instance is available in the AWS console.
Steps:

Right-click the EC2 instance, choose Modify (IAM role) and attach the IAM role provided (it contains CloudWatchAgentAdminPolicy and AmazonSSMManagedInstanceCore).

Go to SSM and choose Distributor; you will see AmazonCloudWatchAgent. Open it and choose Install one time, which takes you to Run Command. Remember to choose instances manually, select the target instance, untick the S3 bucket output option, then run.

Go to SSM and choose Documents; search for AmazonCloudWatch, select AmazonCloudWatch-ManageAgent, and set up the Run Command with:
Action: configure
Mode: ec2
Optional Configuration Source: default
Optional Restart: yes
Again select your own EC2 instance and turn off the S3 bucket output.

Go to SSM, choose Run Command, search the Documents for AWS-RunShellScript, then enter the following in Commands:

#!/bin/bash
# Run Command is non-interactive, so yum needs -y or the install never completes
sudo yum install -y amazon-cloudwatch-agent
cd /opt/aws/amazon-cloudwatch-agent/bin
# -a start: start the agent, -m ec2: EC2 mode, -c default: default config, -s: start after configuring
sudo ./amazon-cloudwatch-agent-ctl -a start -m ec2 -c default -s
task 2
Task:
Now that the memory is available in the AWS console, you need to know when memory runs low on the EC2 instance. In this task, you will need to automatically send an email notification to an email address of your choice when the memory used by the EC2 instance exceeds 75%.

Requirement:
This task will be complete once an email address you have chosen is configured to receive notifications whenever the memory exceeds 75%.

Steps:
Create an alarm from that metric; under Define the threshold value enter 75, and under Notification create an SNS topic that emails you when the metric triggers.

hard
wHo hAs mY cReDs?
task 1
Task:
The employee was unable to provide you with the credentials that were exposed and you must find out which credentials are deviating from the baseline of activity. As an incident responder you must be able to look at the logs and follow the activity back to a specific IAM user.

Requirement:
The task will complete once you input the correct username as a response value.

Steps:
Go to IAM users; there is a user named Toby_account that looks suspicious at first sight, so go to CloudTrail to find out who the insider is that created this user.

In CloudTrail, filter on Event name and enter CreateUser; one event stands out with the Resource name usercreation.
Then filter on Resource name and enter usercreation; you will see a CreateFunction20150331 event. Check who performed it and enter that username as the answer.
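The same two-hop chase (which identity ran CreateUser, and, when that was a Lambda role session, which IAM user created that function) can be run over exported CloudTrail records; this is an added example, not part of the original write-up, and the account ID, user names and key IDs in the constructed records are placeholders.

```python
"""Follow a suspicious IAM user back to the credentials that created it.

Added example, not part of the original write-up. The records are constructed
but use real CloudTrail field names; the chain modelled is the one from the
write-up: CreateUser was issued from a Lambda execution role, and the Lambda
itself was created (CreateFunction20150331) by an IAM user's access key."""
import json

SAMPLE_RECORDS = json.loads("""[
 {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/usercreation-role/usercreation"},
  "requestParameters": {"userName": "Tobys_account"}},
 {"eventName": "CreateFunction20150331", "eventSource": "lambda.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "dev-alice",
   "accessKeyId": "AKIAEXAMPLE0000ALICE"},
  "requestParameters": {"functionName": "usercreation"}},
 {"eventName": "CreateFunction20150331", "eventSource": "lambda.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "dev-bob",
   "accessKeyId": "AKIAEXAMPLE00000BOB"},
  "requestParameters": {"functionName": "nightly-report"}}
]""")


def find_event(records, event_name, param, value):
    """First record with the given eventName whose requestParameters[param] == value."""
    for rec in records:
        if (rec.get("eventName") == event_name
                and rec.get("requestParameters", {}).get(param) == value):
            return rec
    return None


def trace_user_creation(records, created_user):
    """Report who created `created_user`. If a Lambda role session did it, hop to
    the CreateFunction event for that session name (Lambda uses the function
    name as the role session name) and report the IAM user and key behind it."""
    create = find_event(records, "CreateUser", "userName", created_user)
    if create is None:
        return None
    ident = create["userIdentity"]
    if ident["type"] == "IAMUser":
        return {"iam_user": ident["userName"],
                "access_key_id": ident.get("accessKeyId"), "via_function": None}
    # assumed-role ARN ends in .../<role-name>/<session-name>
    session = ident["arn"].rsplit("/", 1)[-1]
    fn = find_event(records, "CreateFunction20150331", "functionName", session)
    if fn is None:
        return {"iam_user": None, "access_key_id": None, "via_function": session}
    actor = fn["userIdentity"]
    return {"iam_user": actor.get("userName"),
            "access_key_id": actor.get("accessKeyId"), "via_function": session}
```

The access_key_id in the result is the key to deactivate in task 2; the iam_user is the answer task 1 asks for.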
task 2
Task:
Now that we have figured out the compromised keys, we need to take away the attacker's access to the environment.

Requirement:
The task will be automatically completed once you find the solution; in addition you can always check your progress by pressing the "Check my progress" button in the challenge details screen.

Steps:
Now the key that was published to GitHub has to be taken away from the careless user.

In IAM, in the left-hand menu, find Users under IAM Resources.
Find the user who created the account, choose Security credentials, and delete the access key.
Go to the task sheet and press Check my progress.
task 3
Task:
We know which user was compromised and now need to clean up any activity the attacker may have performed, to make sure they are out of our environment.

Requirement:
The task will be automatically completed once you find the solution; in addition you can always check your progress with the "Check my progress" button in the challenge details screen.

Steps:
Now delete the rogue user.

In IAM go to Users and find Tobys_account.
Select it and delete it.
task 4
Task:
Now that the attacker has been pushed out of the environment completely, make sure none of their activity is left within the environment.

Requirement:
The task will be automatically completed once you find the solution; in addition you can always check your progress with the "Check my progress" button in the challenge details screen.

Steps:
Next, remove what the attacker did: delete the Lambda function.

Go to Lambda and find the function created by Tobys_account.
Select it and delete it.
Tag You're It
Task:
You are the IAM administrator for your AWS accounts. You have two projects, Red and Green, that are launching and managing EC2 instances in the same AWS account.

Your AWS account has the following resources:
Two IAM roles:

ProjectRedRole tagged with Project = Red
ProjectGreenRole tagged with Project = Green
Two EC2 instances:

Red instance tagged with Project = Red
Green instance tagged with Project = Green
A managed policy:
'ManageEC2InstancesWithProjectTag' that is attached to ProjectRedRole and ProjectGreenRole.
This is overly permissive to start with and does not have any IAM conditions on the actions.

Requirement:
Your job is to edit this policy document to meet the following three requirements:

Restrict the EC2 StartInstances and StopInstances actions to EC2 instances with Project tag values corresponding to the roles ProjectGreenRole and ProjectRedRole.
Allow EC2 RunInstances only if the EC2 instance and volumes are tagged on creation with Project tag values corresponding to the roles ProjectGreenRole and ProjectRedRole. Ensure that the only tag key allowed on creation is "Project", with an exact case match.
Ensure that tags cannot be changed on EC2 instances and volumes after creation.
Solution:
Note that both the IAM roles and the EC2 instances are tagged with the key Project and the values Red or Green.
Review the IAM Policy document named "ManageEC2InstanceWithProjectTag" and see that it has multiple could
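A policy document that meets the three requirements, written here as an added example rather than the lab's own solution; the Sids are mine, and every condition keys off the Project tag carried by the calling role (aws:PrincipalTag/Project), which the task states is present. Each role can then only start, stop or launch instances and volumes whose Project tag equals its own, may only tag them at launch, and only with the key Project.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopOwnProjectOnly",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}
    },
    {
      "Sid": "RunInstancesTaggedWithOwnProjectOnly",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "StringEquals": {"aws:RequestTag/Project": "${aws:PrincipalTag/Project}"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Project"]}
      }
    },
    {
      "Sid": "RunInstancesSupportingResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                   "arn:aws:ec2:*:*:network-interface/*",
                   "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*"]
    },
    {
      "Sid": "TagOnlyAtLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "StringEquals": {"ec2:CreateAction": "RunInstances",
                         "aws:RequestTag/Project": "${aws:PrincipalTag/Project}"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Project"]}
      }
    },
    {
      "Sid": "DenyTagChangesAfterCreation",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {"StringNotEquals": {"ec2:CreateAction": "RunInstances"}}
    }
  ]
}
```

The explicit Deny relies on ec2:CreateAction being absent outside a launch, so StringNotEquals evaluates true for any later CreateTags or DeleteTags call; aws:TagKeys is matched case-sensitively, which is what gives the exact-case requirement.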
ALL your MateData Belong us
Task:
Zerus Inc. just launched their new service: the Metabrowser! A nice little web application which allows the user to see what lies behind the flashy and funky websites. Who would have thought that people would be so interested in looking at HTML code! Unfortunately, since the last marketing campaign something has not gone as expected: you can observe that EC2 instances are spinning up and shutting down arbitrarily for some reason. Everybody in the team swears that it's not them. And since you are the security engineer of Zerus Inc., it is up to you to find out what is going on and to fix this issue.
Requirement: You need to stop the instance metadata from being reachable through the Metabrowser, so use the AWS CLI with a command like the one below to disable the metadata endpoint on the EC2 instance.
Solution:
Open a terminal and run aws configure to sign in, then run aws ec2 modify-instance-metadata-options --instance-id <Instance-ID> --http-endpoint disabled

Instance metadata endpoint: 169.254.169.254

Original source: jam 2021/09/16 - HackMD
