
ec2-instance-with-user-data-secrets.json too noisy

Open chris-codaio opened this issue 4 years ago • 9 comments

The EC2 sensitive/secret rule is too noisy - specifically, the search for the word "secret" is causing too many false positives with the use of AWS secrets manager to hide secrets from user-data.

As an example, an EC2 instance with user data containing the following causes the rule to fire:

aws secretsmanager get-secret-value --secret-id $SECRET_ID --region $AWS_REGION | jq -r .SecretString

Preference would be to remove the term 'secret' from here: https://github.com/nccgroup/ScoutSuite/blob/74d469992937cb6463ae17bb40d6c3853e6d8adc/ScoutSuite/providers/aws/resources/ec2/instances.py#L67

Alternatively, make the sensitive term list a parameter that can be altered via ruleset.

chris-codaio avatar Feb 11 '21 17:02 chris-codaio

I agree, we also have similar functionality implemented in a few places (Lambda environment variables, SSM Parameter Store, etc.). The implementation should be generalized.

x4v13r64 avatar Feb 11 '21 19:02 x4v13r64

I'll work on this. Can you please assign this issue to me

shivamkumar001 avatar Apr 06 '21 20:04 shivamkumar001

I run this project using "scout aws --profile basc -f", then it shows scout is not installed, then I install scout via the command provided by Ubuntu. Then it shows this (image). Can you please tell me, if I press enter, will this create a problem in my system? Also, can you please help me with how to approach this enhancement?

In case the link does not work properly: "Configuring Secure Boot

Your system has UEFI Secure Boot enabled.

UEFI Secure Boot requires additional configuration to work with third-party drivers.

The system will assist you in configuring UEFI Secure Boot. To permit the use of third-party drivers, a new Machine-Owner Key (MOK) has been generated. This key now needs to be enrolled in your system's firmware.

To ensure that this change is being made by you as an authorized user, and not by an attacker, you must choose a password now and then confirm the change after reboot using the same password, in both the "Enroll MOK" and "Change Secure Boot state" menus that will be presented to you when this system reboots.

If you proceed but do not confirm the password upon reboot, Ubuntu will still be able to boot on your system but any hardware that requires third-party drivers to work correctly may not be usable."

https://drive.google.com/file/d/14PS_YOr2bW99P6zYpjk2KX47EZtmGT-F/view?usp=sharing

shivamkumar001 avatar May 06 '21 12:05 shivamkumar001

Hi @chris-codaio, I removed the word 'secret' from ScoutSuite/ScoutSuite/providers/aws/resources/ec2/instances.py. And I created a secret manager and ran the following command: 'aws secretsmanager get-secret-value --secret-id $SECRET_ID --region $AWS_REGION | jq -r .SecretString'. After running this command I got my username and password which I had entered in the secret manager. I am stuck at this point. Can you please elaborate more on your issue?

shivamkumar001 avatar May 23 '21 22:05 shivamkumar001

The issue occurs when an EC2 instance contains the aws secretsmanager command line in its user-data initialization script. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html for more information.

chris-codaio avatar May 24 '21 17:05 chris-codaio

Hi @chris-codaio, can you please attach the file where I can see the problem with secret manager? Because I added aws secretsmanager in the user-data, but there is no problem while running the ec2 instance. My user data: #!/bin/bash aws secretsmanager

shivamkumar001 avatar May 24 '21 22:05 shivamkumar001

I can't include our report file for security reasons :). However, I can include a redacted version of the script that is causing this rule to fire if that's helpful. I just reproduced this today to verify it still happens.

#!/bin/bash
set -o xtrace

echo "Startup Script" > /tmp/startup.log

AWS_REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
if [ "true" == "true" ]; then
    MY_KEY=$(aws secretsmanager get-secret-value --secret-id my_key --region $AWS_REGION | jq -r .SecretString)
    MY_KEY=$MY_KEY bash -c "$(curl -L https://raw.githubusercontent.com/Something/scripts/master/install-linux.sh)"
    MY_EXIT_CODE=$?
    echo "Completed My setup with $MY_EXIT_CODE" >> /tmp/startup.log
fi

/etc/eks/bootstrap.sh 'prod' --kubelet-extra-args '--kube-reserved=memory=0.3Gi --node-labels=fleet-type=spot,coda-type=memory --register-with-taints=fleet-type=spot:NoSchedule'
EXIT_CODE=$?
echo "Completed bootstrap with $EXIT_CODE" >> /tmp/startup.log

# describe-tags filtering by tags is broken - pick it out via jq
CFN_STACK_NAME=$(
    aws ec2 describe-tags --region=$AWS_REGION --filters "Name=resource-id,Values=$INSTANCE_ID" | \
    jq -r '.Tags[] | select (.Key == "aws:cloudformation:stack-name") | .Value'
)

/opt/aws/bin/cfn-signal --exit-code "$EXIT_CODE" --stack "$CFN_STACK_NAME" --resource ASG --region "$AWS_REGION" || true

echo "Sent CFN Signal" >> /tmp/startup.log

chris-codaio avatar May 26 '21 16:05 chris-codaio

Hi @x4v13r64, @chris-codaio, I created user data that contains aws secret manager. When I run the project without removing the word 'secret' and then observe the HTML report, and open Computer/EC2/instances/user-data, I can see Flagged Words: secret in the Potential Secrets. But when I removed the word secret from ScoutSuite/ScoutSuite/providers/aws/resources/ec2/instances.py, then there is no flag. I think this enhancement is solved. Can you please give me some feedback regarding this?

shivamkumar001 avatar May 28 '21 12:05 shivamkumar001

I think this enhancement is solved

No. What's raised here is a specific case where secret being in user data is a FP. The regex should be updated to catch secret but not secretsmanager.

x4v13r64 avatar Jun 08 '21 07:06 x4v13r64
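As an added example (not ScoutSuite's code, and not anything posted in this thread), the check the last comment asks for: the naive substring rule that fires on `aws secretsmanager`, beside a rule that matches `secret` only as a whole word and skips the Secrets Manager CLI tokens. It goes one step further than the comment by also reporting which terms are bound to a literal value rather than a `$VAR` reference; the term list, the benign-token list and both user-data samples are constructed assumptions.

```python
import re

# Added example, not ScoutSuite's code. SENSITIVE_TERMS stands in for the list in
# instances.py; BENIGN_TOKENS (AWS CLI tokens that contain "secret" but never
# carry a secret value) is an assumption of this example.
SENSITIVE_TERMS = ("password", "secret", "private_key", "aws_secret_access_key")
BENIGN_TOKENS = ("secretsmanager", "get-secret-value", "--secret-id")

_ALTS = "|".join(re.escape(t) for t in SENSITIVE_TERMS)
# A term counts only as a whole word: no letter/digit directly before or after,
# and no leading "$" (that is a variable reference such as $SECRET_ID, not a value).
_BOUND = r"(?<![a-z0-9$])"
_BENIGN_RE = re.compile("|".join(re.escape(b) for b in BENIGN_TOKENS), re.I)
_TERM_RE = re.compile(_BOUND + "(" + _ALTS + r")(?![a-z0-9])", re.I)
# Term (with optional _SUFFIX) bound by = or : to a literal, not to a $reference.
_LITERAL_RE = re.compile(
    _BOUND + "(" + _ALTS + r")(?:[_-][a-z0-9]+)*\s*[=:]\s*"
    r"""(?P<val>"[^"]+"|'[^']+'|[^\s"'$]\S*)""",
    re.I,
)

def naive_flags(user_data):
    """Plain substring search, which is what makes 'aws secretsmanager' fire."""
    low = user_data.lower()
    return [t for t in SENSITIVE_TERMS if t in low]

def hardened_flags(user_data):
    """Whole-word terms after blanking benign CLI tokens, plus literal bindings."""
    scrubbed = _BENIGN_RE.sub(" ", user_data)
    words = sorted({m.group(1).lower() for m in _TERM_RE.finditer(scrubbed)})
    literals = [(m.group(1).lower(), m.group("val").strip("\"'"))
                for m in _LITERAL_RE.finditer(scrubbed)]
    return {"flagged_words": words, "literal_values": literals}

# Constructed user-data samples: CLEAN mirrors the pattern in this thread (secret
# fetched at boot), LEAKY embeds a credential plus a harmless variable reference.
CLEAN = """#!/bin/bash
AWS_REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
MY_KEY=$(aws secretsmanager get-secret-value --secret-id my_key --region $AWS_REGION | jq -r .SecretString)
"""
LEAKY = """#!/bin/bash
export DB_PASSWORD="hunter2"
export API_SECRET=$MY_KEY
"""

if __name__ == "__main__":
    for name, data in (("CLEAN", CLEAN), ("LEAKY", LEAKY)):
        print(name, "naive:", naive_flags(data), "hardened:", hardened_flags(data))
```

On CLEAN the naive rule reports `secret` while the hardened rule reports nothing; on LEAKY both report the words, but only the hardened rule separates the embedded `hunter2` from the `$MY_KEY` reference.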