Many companies are moving to Infrastructure-as-a-Service (IaaS) offerings such as Amazon Web Services (AWS), Azure, and others. There are many benefits to moving to services like this, including cost management, a centralized management console, and APIs that allow automated infrastructure management. Unfortunately, IaaS has many of the same drawbacks as onsite infrastructure. The onus is still on the network owner to secure the infrastructure and to perform regular auditing and penetration testing of the infrastructure.
While auditing the machines operating inside the IaaS system, don't forget to audit your IaaS control panel as well. Here are some examples of questions that should be answered:
- What user accounts have access to the IaaS Control Panel?
- What user accounts have privileged access?
- Are there any user accounts that are no longer needed?
- Are there any user accounts that have not accessed the Control Panel in the last 90 days?
- Are there any shared user accounts?
- Are there any shared API keys?
- Are there users with API keys that have not used those keys in the last 90 days?
- How many machines are running in the IaaS environment?
- Are they all needed?
Many of these questions are the same as would be asked when auditing an on-premises network. Fortunately, many IaaS providers offer APIs that can provide the data needed to answer many of these questions programmatically. AppSec Consulting has developed an example script to pull basic user information from Amazon Web Services to help answer some of these questions in your environment. In addition, AppSec Consulting has a more full-featured, proprietary tool and a comprehensive methodology that allows us to perform a thorough security assessment of your cloud environment.
The example scripts are publicly available on our GitHub page at https://github.com/AppSecConsulting/Pentest-Tools/blob/master/export_ec2_users.py. All of the scripts require Python3 and the Boto3 library.
The export_ec2_users.py script, for example, will use the AWS API to export a list of Identity and Access Management (IAM) user accounts, creation dates, last login dates, and any API keys associated with the account. To use the script, you must have Python3 and the Boto3 library installed.
Before running the script, modify it to add your AWS API key and secret. (For security purposes, use a dedicated API key with the built-in Read Only role.) Run the script using the following command:
Once the script is run, it will output a file called “iam_user_accounts.txt” whose content will be similar to the following:
IAM User Accounts
Last Login: Never
Keys: AKIAJXOMAL4A26IKWN6Q (2017-01-27)
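The following is an added example, not the export_ec2_users.py script itself, showing how the IAM data the script exports can be turned into answers for the 90-day questions above: users whose console login is older than 90 days (or never happened) and active access keys that were never used or not used in 90 days. The audit logic takes plain dictionaries in the shape boto3's IAM calls return, so it runs offline on constructed data; only collect_from_aws() needs Boto3 and read-only IAM credentials, and the 90-day window is an assumption taken from the questions above.

```python
"""Flag stale IAM console logins and stale access keys (90-day window)."""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed window, matching the questions above


def stale_users(users, keys_by_user, now):
    """Return audit findings from IAM data in the shapes boto3 returns.

    users:        list of dicts as in iam.list_users()['Users']
    keys_by_user: {user_name: [(key_id, status, last_used_datetime_or_None), ...]}
    A login or key is stale if never used, or last used more than 90 days ago.
    """
    findings = []
    for u in users:
        name = u["UserName"]
        last_login = u.get("PasswordLastUsed")  # absent if the console was never used
        login_stale = last_login is None or now - last_login > STALE_AFTER
        stale_keys = [kid for kid, status, used in keys_by_user.get(name, [])
                      if status == "Active"
                      and (used is None or now - used > STALE_AFTER)]
        if login_stale or stale_keys:
            findings.append({"user": name, "login_stale": login_stale,
                             "stale_keys": stale_keys})
    return findings


def collect_from_aws():
    """Pull the same data live with boto3 (needs read-only IAM credentials)."""
    import boto3  # imported here so the audit logic above runs without it
    iam = boto3.client("iam")
    users, keys_by_user = [], {}
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            users.append(u)
            keys = []
            for k in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]:
                used = iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])
                keys.append((k["AccessKeyId"], k["Status"],
                             used["AccessKeyLastUsed"].get("LastUsedDate")))
            keys_by_user[u["UserName"]] = keys
    return users, keys_by_user


if __name__ == "__main__":
    live_users, live_keys = collect_from_aws()
    for finding in stale_users(live_users, live_keys, datetime.now(timezone.utc)):
        print(finding)
```

Datetimes returned by boto3 are timezone-aware, so compare them against an aware "now" as the main block does.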
Contact us today to learn about how we can help assess your cloud environment with our comprehensive Cloud Architecture Security Assessment or Penetration Testing services.