AWS CloudSaga - Simulate security events in AWS

Related tags

Third-party APIs Wrappersawssecuritysecurity-auditblue-teamred-teamingincident-response-toolingpurple-team
Overview

AWS CloudSaga - Simulate security events in AWS

AWS CloudSaga is for customers to test security controls and alerts within their Amazon Web Services (AWS) environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).

Use Case

Security controls and best practices are published for securing AWS accounts, however, customers look for mechanisms to test security and incident response within their AWS environments, in order to protect themselves against known security events.

AWS CloudSaga is for customers who want to test their environment against documented security events from the AWS CIRT. Using AWS CloudSaga, simple scenarios that mimic actual security events can be run against a customer's environment, testing the customer's response plans and defenses when these events occur, and improve defenses of their AWS environment from the results.

Usage

cloudsaga



     ___   ____    __    ____   _______.          
    /   \  \   \  /  \  /   /  /       |         
   /  ^  \  \   \/    \/   /  |   (----`       
  /  /_\  \  \            /    \   \         
 /  _____  \  \    /\    / .----)   |      
/__/     \__\  \__/  \__/  |_______/       

  ______  __        ______    __    __   _______       _______.     ___       _______      ___
 /      ||  |      /  __  \  |  |  |  | |       \     /       |    /   \     /  _____|    /   \ 
|  ,----'|  |     |  |  |  | |  |  |  | |  .--.  |   |   (----`   /  ^  \   |  |  __     /  ^  \ 
|  |     |  |     |  |  |  | |  |  |  | |  |  |  |    \   \      /  /_\  \  |  | |_ |   /  /_\  \ 
|  `----.|  `----.|  `--'  | |  `--'  | |  '--'  |.----)   |    /  _____  \ |  |__| |  /  _____  \  
 \______||_______| \______/   \______/  |_______/ |_______/    /__/     \__\ \______| /__/     \__\ 
                                                                                                                                               


            Joshua "DozerCat" McKiddy - Team DragonCat - AWS
            Type -h for help.

    usage: cloudsaga [-h] [--scenario SCENARIO] [--chapters] [--about ABOUT]

    CloudSaga - Simulate security events based on previous Ziplines

    optional arguments:
    -h, --help           show this help message and exit
    --scenario SCENARIO  Perform the scenario you want to run against your AWS
                        environment.
    --chapters           List the available scenarios within CloudSaga. Use the
                        --about flag to read details about a specific scenario.
    --about ABOUT        Read about a specific scenario (e.g. --about
                        <scenario>. For a list of available scenarios, use the
                        --chapters flag.

Prerequesites

Permissions

The following permissions are needed within AWS IAM for CloudSaga to run:

  • For imds-reveal:
"ec2:DescribeInstances"
  • For network-changes:
"ec2:DescribeInstances",
"ec2:RunInstances",
"ec2:CreateVpc",
"ec2:DescribeVpcs",
"ec2:CreateSecurityGroup"
  • For mining-bitcoin:
"ec2:DescribeInstances",
"ec2:RunInstances"
  • For iam-credentials:
"iam:GenerateCredentialReport",
"iam:GetCredentialReport"
  • For public-resources:
"rds:DescribeDBInstances",
"rds:CreateDBInstance",
"rds:DeleteDBInstance",
"s3:ListBuckets",
"s3:CreateBucket",
"s3:PutPublicAccessBlock",
"s3:DeletePublicAccessBlock"

Specific Scenario Details

IMDS Reveal Scenario:
This scenario is based on a server-side request forgery attack. 
EC2 instances using IMDS version 1 are more likely to be subject to this 
kind of software flaw, and if EC2 Role credentials are present, those 
credentials can be used in AWS.

Bitcoin Mining Scenario:
This scenario simulates the creation of Bitcoin mining instances.
Attackers attempt to create Bitcoin mining instances using Amazon EC2,
in order to leverage legitimate AWS customer's resources for their own purposes.

Network Changes Scenario:
This scenario simulates the creation and modification of network resources within
AWS. This includes creating Amazon VPCs, as well as modifications to Security Groups,
for the purposes of compromising resources within the AWS account.

IAM Credentials Scenario:
This scenario attempts to grab the IAM credential report within the AWS account.

Publicly Accessible Resources Scenario:
This scenario is for creating then checking for publicly accessible resources within an AWS account.

Running the Code

The code in it's current form can be ran inside the following:

  • AWS CloudShell (preferred)
  • Locally (with IAM credentials, not preferred)

Prerequisites

The following prerequisites are required to use AWS CloudSaga

  • Python 3.7 or later
  • boto3 1.21.7 or later
  • pip3 (for installation of AWS CloudSaga)

Installing the code

Installation of the code is done via pip3:

pip3 install cloudsaga

Step-by-Step Instructions (for running in AWS CloudShell)

  1. Log into the AWS Console of the account you want to run AWS CloudSaga.
  2. Click on the icon for AWS Cloudshell next to the search bar.
    • Ensure that you're in a region where AWS CloudShell is currently available.
  3. Once the session begins, install AWS CloudSaga via pip3:
pip3 install cloudsaga
  1. Once installed, run the following command to review the help page for AWS CloudSaga.
cloudsaga -h
  1. Review the scenarios, select the one that you want to run for generating your security event for testing.

Logging

A log file containing the detailed output of actions will be placed in the root directory of AWS CloudSaga. The format of the file will be cloudsaga_timestamp_here.log

Sample output within the log file:

2022-02-22 01:20:47,826 - INFO - --Checking instances in AWS region me-south-1--
2022-02-22 01:20:47,826 - INFO - DescribeInstances API Call in AWS region me-south-1--
2022-02-22 01:20:48,712 - INFO - You cannot perform lookup of IMDS versions in this region. Error message below:
2022-02-22 01:20:48,712 - ERROR - An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials
2022-02-22 01:20:48,713 - INFO - --Checking instances in AWS region sa-east-1--
2022-02-22 01:20:48,713 - INFO - DescribeInstances API Call in AWS region sa-east-1--
2022-02-22 01:20:49,525 - INFO - --Checking instances in AWS region us-east-1--
2022-02-22 01:20:49,525 - INFO - DescribeInstances API Call in AWS region us-east-1--
2022-02-22 01:20:49,876 - INFO - --Checking instances in AWS region us-east-2--
2022-02-22 01:20:49,876 - INFO - DescribeInstances API Call in AWS region us-east-2--
2022-02-22 01:20:50,192 - INFO - --Checking instances in AWS region us-west-1--
2022-02-22 01:20:50,192 - INFO - DescribeInstances API Call in AWS region us-west-1--
2022-02-22 01:20:50,444 - INFO - --Checking instances in AWS region us-west-2--
2022-02-22 01:20:50,445 - INFO - DescribeInstances API Call in AWS region us-west-2--
2022-02-22 01:20:50,610 - INFO - Instance ID i-99999999999999999 is using IMDSv1, where no authentication header is required to access the IMDS service.

Cleaning Up

Once the logs have been enabled, you can safely remove any of the downloaded files from AWS CloudShell.

  • Note: The log file containing the detailed output of actions will be in the root directory of AWS CloudSaga. If you want to retain this, please download this to a safe place, either locally or to an Amazon S3 bucket, for your records. For information on how to download files from AWS CloudShell sessions, refer to the following link.

Feedback

Please use the Issues section to submit any feedback, such as features or recommendations, as well as any bugs that are encountered.

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

Comments
  • Feature request: formal package and entrypoint

    Feature request: formal package and entrypoint

    The current workflow dictates that a user clone this repository and interact with the cloudsaga.py directly.

    I propose transitioning to a pyproject.toml driven workflow using poetry to handle virtual environments, package management, and publishing activities (to pypi). This pyproject.toml will define an entrypoint cloudsaga.cloudsaga:main and restructure the repo to conform to a python package layout.

    enhancement 
    opened by mbeacom 2
  • 1.0.1

    1.0.1

    Issue #, if available: https://github.com/awslabs/aws-cloudsaga/issues/2 Description of changes:

    • Changed
      • Converted to a Python package downloadable by pip3

    By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

    documentation enhancement 
    opened by hackersifu 1
  • Update iam_credentials.py

    Update iam_credentials.py

    Issue #, if available:

    Description of changes:

    By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

    opened by cydneystude 0
  • Update the readme to reflect new entrypoint usage

    Update the readme to reflect new entrypoint usage

    Issue #, if available: N/A

    Description of changes: The goal of this PR is to update the README.md to reflect the updated entrypoint usage (cloudsaga vs cloudsaga.py)

    By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

    documentation 
    opened by mbeacom 0
  • Enable automatic release to PyPi on tag

    Enable automatic release to PyPi on tag

    Issue #, if available: N/A

    Description of changes: The purpose of this PR is to introduce a new GitHub Action to publish f.reshly tagged packages to PyPi

    By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

    documentation enhancement 
    opened by mbeacom 0
  • Adjust project structure and introduce pyproject.toml

    Adjust project structure and introduce pyproject.toml

    Issue #, if available: #2

    Description of changes: The goal of this PR is to format the project to conform to a standard python package and add a toplevel pyproject.toml to handle package/dep management, venv management, and publishing while also conforming to a versioning python package structure.

    By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

    enhancement 
    opened by mbeacom 0
  • Update README.md

    Update README.md

    Recommending language change associated with IMDSv1.

    Issue #, if available:

    Description of changes:

    By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

    opened by kihakuni 0
  • Issue executing CloudSaga

    Issue executing CloudSaga

    Hi,

    I have a problem executing CloudSaga.

    I executed it in CloudShell and I have administrator access to the AWS account.

    I am getting this error:

    2022-09-23 07:49:50,878 - INFO - CreateVpc API Call 2022-09-23 07:49:51,775 - ERROR - An error occurred (DryRunOperation) when calling the CreateVpc operation: Request would have succeeded, but DryRun flag is set. 2022-09-23 07:49:51,785 - INFO - Creating rogue Amazon VPC in region ap-southeast-2... 2022-09-23 07:49:51,785 - INFO - CreateVpc API Call 2022-09-23 07:49:52,844 - ERROR - An error occurred (DryRunOperation) when calling the CreateVpc operation: Request would have succeeded, but DryRun flag is set. 2022-09-23 07:49:52,854 - INFO - Creating rogue Amazon VPC in region us-west-2... 2022-09-23 07:49:52,855 - INFO - CreateVpc API Call 2022-09-23 07:49:53,576 - ERROR - An error occurred (DryRunOperation) when calling the CreateVpc operation: Request would have succeeded, but DryRun flag is set. 2022-09-23 07:49:53,620 - INFO - Creating rogue Amazon VPC in region ca-central-1... 2022-09-23 07:49:53,620 - INFO - CreateVpc API Call 2022-09-23 07:49:54,050 - ERROR - An error occurred (DryRunOperation) when calling the CreateVpc operation: Request would have succeeded, but DryRun flag is set. 2022-09-23 07:49:54,058 - INFO - Looking for existing VPCs to run DryRun security events in region eu-central-1... 2022-09-23 07:49:54,059 - INFO - DescribeVpcs API Call 2022-09-23 07:49:54,211 - INFO - Creating Security Group in existing VPC (DryRun)... 2022-09-23 07:49:54,353 - ERROR - An error occurred (DryRunOperation) when calling the CreateSecurityGroup operation: Request would have succeeded, but DryRun flag is set. 2022-09-23 07:49:54,362 - INFO - Looking for existing VPCs to run DryRun security events in region eu-central-1... 2022-09-23 07:49:54,362 - INFO - DescribeVpcs API Call 2022-09-23 07:49:54,423 - INFO - Creating Security Group in existing VPC (DryRun)... 2022-09-23 07:49:54,558 - ERROR - An error occurred (DryRunOperation) when calling the CreateSecurityGroup operation: Request would have succeeded, but DryRun flag is set.

    2022-09-23 07:22:29,268 - INFO - Spinning up Bitcoin Miners (DryRun) in region ap-northeast-3... 2022-09-23 07:22:29,268 - INFO - RunInstances API Call 2022-09-23 07:22:30,334 - ERROR - An error occurred (UnsupportedOperation) when calling the RunInstances operation: Tagging an elastic gpu on create is not yet supported in this region. 2022-09-23 07:22:30,344 - INFO - Spinning up Bitcoin Miners (DryRun) in region us-west-2... 2022-09-23 07:22:30,344 - INFO - RunInstances API Call 2022-09-23 07:22:31,635 - ERROR - An error occurred (DryRunOperation) when calling the RunInstances operation: Request would have succeeded, but DryRun flag is set.

    An error occurred (DryRunOperation) when calling the RunInstances operation: Request would have succeeded, but DryRun flag is set An error occurred (UnsupportedOperation) when calling the RunInstances operation: Tagging an elastic gpu on create is not yet supported in this region An error occurred (DryRunOperation) when calling the CreateSecurityGroup operation: Request would have succeeded, but DryRun flag is set

    opened by Ameurdx 2
Releases(v1.0.1)

  • v1.0.1(Feb 25, 2022)

    Changed

    • README file to reflect new installation instructions
      • AWS CloudSaga is used via pip3 installer

    Credit to Mark Beacom @mbeacom for this release.

    Source code(tar.gz)
    Source code(zip)

  • v1.0.0(Feb 22, 2022)

    Introducing AWS CloudSaga, an open source tool for simulating security events in AWS.

    AWS CloudSaga is for customers to test security controls and alerts within their Amazon Web Services (AWS) environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).

    Security controls and best practices are published for securing AWS accounts, however, customers look for mechanisms to test security and incident response within their AWS environments, in order to protect themselves against known security events.

    AWS CloudSaga is for customers who want to test their environment against documented security events from the AWS CIRT. Using AWS CloudSaga, simple scenarios that mimic actual security events can be run against a customer's environment, testing the customer's response plans and defenses when these events occur, and improve defenses of their AWS environment from the results.

    Source code(tar.gz)
    Source code(zip)
Owner
Amazon Web Services - Labs
AWS Labs
Amazon Web Services - Labs
GitHub Repository
Bot Realm of the Mad God Exalt (ROTMG). (Auto_nexus, Auto_HP, Auto_Loot)

Bot_ROTMG Bot Realm of the Mad God Exalt (ROTMG). (Auto_nexus, Auto_HP, Auto_Loot) *Este projeto visa apenas o aprendizado, quem faz mal uso é o único

Guilherme Silva Uchoa 1 Oct 30, 2021
8300-account-nuker - A simple accoutn nuker or can use it full closing dm and leaving server

8300 ACCOUNT NUKER VERISON: its just simple accoutn nuker or can use it full clo

†† 5 Jan 26, 2022
The Python SDK for the Rackspace Cloud

pyrax Python SDK for OpenStack/Rackspace APIs DEPRECATED: Pyrax is no longer being developed or supported. See openstacksdk and the rackspacesdk plugi

PyContribs 238 Sep 21, 2022
GBSLocalLauncher - A script to compose ENV file for Local Compose

GBSLocalLauncher This is a script to compose ENV file for Local Compose. It crea

2 Jan 27, 2022
🤖 Fast and simple bot to transform links from Amazon into a nice post with your referral link in Telegram 🛒

AmazonBot 🤖 Fast and simple bot to transform links from Amazon into a nice post with your referral link in Telegram 🛒 Prerequisites You need Python

Alternative Profit 3 Dec 25, 2022
A small bot to interact with the reddit API. Get top viewers and update the sidebar widget.

LiveStream_Reddit_Bot Get top twitch and facebook stream viewers for a game and update the sidebar widget and old reddit sidebar to show your communit

Tristan Wise 1 Nov 21, 2021
AKShare is an elegant and simple financial data interface library for Python, built for human beings

AKShare is an elegant and simple financial data interface library for Python, built for human beings

AKFamily 5.8k Dec 30, 2022
Slack->DynamDB->Some applications

slack-event-subscriptions About The Project Do you want to get simple attendance checks? If you are using Slack, participants can just react on a spec

UpstageAI 26 May 28, 2022
Python client for Vektonn

Python client for Vektonn Installation Install the latest version: $ pip install vektonn Install specific version: $ pip install vektonn==1.2.3 Upgrad

Vektonn 16 Dec 09, 2022
WebCash is an experimental new electronic cash ("e-cash") that enables decentralized and instant payments to anyone

Webcash WebCash is an experimental new electronic cash ("e-cash") that enables decentralized and instant payments to anyone, anywhere in the world. Us

Bryan Bishop 24 Dec 11, 2022
Discord bot to administer IITD Study Servers (unofficial)

IITD-Bot Discord bot to administer IITD'20 Acad Server Commands hello to check if bot is online ?help to display this message ?set kerberos to set y

Aditya Singh 47 Dec 19, 2022
⚡ PoC: Hide a c&c botnet in the discord client. (Proof Of Concept)

👨‍💻 Discord Self Bot 👨‍💻 A Discord Self-Bot in Python by natrix Installation Run: selfbot.bat Python: version : 3.8 Modules

0хVιcнy#1337 37 Oct 21, 2022
Volt is yet another discord api wrapper for Python. It supports python 3.8 +

Volt Volt is yet another discord api wrapper for Python. It supports python 3.8 + How to install [Currently Not Supported.] pip install volt.py Speed

Minjun Kim (Lapis0875) 11 Nov 21, 2022
Bot interpretation of the carbon.now.sh site

📒 Source code of the @PicodeBot 🧸 Developer: @hoosnick Run $ git clone https://github.com/hoosnick/picodebot.git $ pip install -r requirements.txt P

Husniddin Murodov 13 Oct 02, 2022
Muzan-Discord-Nuker - A simple discord server nuker in python

Muzan-Discord-Nuker This is Just a simple discord server nuker in python. ✨ Feat

Afnan 3 May 14, 2022
List of twitch bots n bigots

This is a collection of bot account names NamelistMASTER contains all the names we reccomend you ban in your channel Sometimes people get on that list

62 Sep 05, 2021
Find people to play tennis with.

40Love 40Love is a full-stack web application that helps tennis players find hits at public tennis courts. Players can select public courts on the map

Tanner Schmutte 27 Jun 08, 2022
pokemon-colorscripts compatible for mac

Pokemon colorscripts some scripts to print out images of pokemons to terminal. Inspired by DT's colorscripts compilation Description Prints out colore

43 Jan 06, 2023
This Python script will automate the process of uploading your project to GitHub.

ProjectToGithub This Python script will help you to upload your project to Github without having to type in any commands !!! Quick Start guide First C

Imira Randeniya 1 Sep 11, 2022
um simples script para localizar IP

um simples script para localizar IP pkg install git (apt-get install git) pkg install python (apt-get install python) git clone https://github.com/byd

bydeathlxncer 4 Nov 29, 2021