Lab - Analyzing Cloud Vulnerabilities


Scenario

As a security analyst working for a tech company that has recently migrated some of its operations to the public cloud, you are responsible for helping the company ensure its cloud infrastructure is secure and compliant with regulations.

Yesterday, you received an email from your team supervisor asking you to help identify non-compliant AWS infrastructure configurations. To do this, you decide to schedule an overnight scan of the cloud infrastructure using ScoutSuite, a tool some of your team members have used for similar projects.

Now that the scan has finished, it is time to review the results.

Understand your environment

You will be working from a virtual machine named Lab-VM that contains the vulnerability scan results.

Overview of ScoutSuite

ScoutSuite is a tool used for auditing the security of a company’s cloud environment and generating a detailed report outlining the infrastructure’s compliance with security standards and best practices.

The report provides a thorough inventory of all resources in the infrastructure, including virtual machines, databases, storage buckets, and networking components, and an evaluation of the infrastructure’s compliance with various security standards. The report also provides a risk assessment of the infrastructure, identifying vulnerabilities and misconfigurations that pose a risk and recommending how to mitigate them. Additionally, the report highlights any misconfigurations, security incidents, and other security issues detected in the infrastructure.

ScoutSuite helps security analysts and IT teams to identify and address potential vulnerabilities and threats in their cloud environments.

Review the Security Policy

Info

The following is a summary of important policy requirements identified by your supervisor.

Policy Item     Requirements
Account Use     • Root and Administrator accounts should not be used by administrative staff
                • All accounts must comply with established length, complexity, expiration, and reuse requirements
                • Privileged accounts must have multifactor authentication enabled
                • Root account must not be configured to use access keys
Monitoring      • Account activity must be monitored using CloudTrail
                • All VPCs must have Flow Logging enabled
                • Configuration changes must be tracked using Config Recorder
Other           • All VPCs must use ACLs to allow essential traffic only
                • Only RDP originating from JumpBoxes is allowed to EC2 instances

Identify Non-Compliant Account Management Items

  1. Sign in as Admin using Pa$$w0rd as the password.

  2. Launch the desktop shortcut labeled ScoutSuite Scan to review the scan results.

    • Microsoft Edge should open displaying the ScoutSuite Report.

Note that several services are marked with red and yellow status icons. Red represents “Danger” and orange represents “Warning” impacts. Issues labeled Danger should receive priority attention and be addressed as quickly as possible, because they represent severe security vulnerabilities.

  3. Click on the Service items labeled IAM.

Focus on the requirement from the organization’s Security Policy: “Root and Administrator accounts should not be used by administrative staff.” Use of default accounts with unlimited privileges for ordinary management activity is a serious risk.

  1. Is there a report item that indicates a violation of the policy requirement “Root and Administrator accounts should not be used by administrative staff”?

    • Answer: ||Root Account Used Recently||
  2. For the policy item “Privileged accounts must have multifactor authentication enabled,” what is the scan report item that indicates non-compliance in this area?

    • Answer: ||Root Account without Hardware MFA||

Identify Non-Compliant Monitoring Items

Review the danger items listed under the VPC and Config Dashboards to identify the name of the check that indicates non-compliance with the company’s security policy.

  1. For the policy item “All VPCs must have Flow Logging enabled,” what is the scan report item that indicates non-compliance in this area?

    • Answer: ||Subnet without a Flow Log||
  2. For the policy item “Configuration changes must be tracked using Config Recorder,” what is the scan report item that indicates non-compliance in this area?

    • Answer: ||AWS Config Not Enabled||

Identify Other Non-Compliant Items

Review the danger items listed under the EC2 and IAM Dashboards to identify the name of the check that indicates non-compliance with the company’s security policy.

  1. For the policy item “Only RDP originating from JumpBoxes is allowed to EC2 instances,” what is the scan report item that indicates non-compliance in this area?

    • Answer: ||Security Group Opens RDP Port to All||
  2. How many danger items in the IAM section directly reference password issues?

    • Answer: ||4||

Scenario

After many years of continued growth, the leadership team of your company has decided to acquire a company that operates a large call center in order to expand and improve its customer service operations.

The call center relies heavily on public cloud infrastructure. You have been selected to participate on the integration team and help risk managers identify potential problems. The leadership team wants to streamline IT operations and integrate the IT resources of the call center as soon as possible.

Your supervisor asked the call center manager to provide a copy of a vulnerability scan of their cloud resources, and the manager provided a copy of a recent Prowler scan.

Overview of Prowler

Prowler is a command-line cloud security auditing tool that generates a report summarizing the security posture of a company’s cloud infrastructure. The report includes an inventory of all resources in the infrastructure, such as virtual machines, databases, and storage buckets, and assesses their compliance with various security standards and best practices.

The report also highlights any identified vulnerabilities, misconfigurations, or policy violations and provides recommendations for remediating them. Additionally, the report includes a risk assessment of the infrastructure that considers potential attack scenarios and the likelihood of a successful attack.

Open the Prowler Report

  1. Launch the desktop shortcut labeled Prowler Report to review the scan results.

    • Microsoft Edge should open displaying the Prowler Report.

Review the Prowler Report

Similarly to ScoutSuite, Prowler performs various security checks and displays the results using colors to highlight potential issues. Because Prowler is a command-line tool, its report is text based and organized into service groups.

Use the information contained within the Prowler report to answer the following questions.

  1. Many accounts in the report fail MFA checks. What is the common word used in most of the accounts?

    • Answer: ||student||
  2. Does it generally appear that AWS Config is enabled?

    • Answer: ||No||
  3. What language is used in the report to identify that Flow Logs are disabled for VPCs?

    • Answer: ||FAIL! No VPCFlowLog has been found in Region||
  4. What is the name of the first S3 bucket listed in section 7.18?

    • Answer: ||basc2019-prebuiltdemo||
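Because the Prowler report is plain text, the kind of review asked for above (which accounts fail a check, whether a check fails in every region, what the failure message says) can be scripted instead of read line by line. The following is an added example, not part of the lab or of Prowler: it parses a constructed report fragment loosely modelled on Prowler's text output, with made-up section numbers, check names, user names and bucket names, and summarizes pass/fail counts per check.

```python
"""Parse a constructed Prowler-style text report and summarize its findings."""
import re
from collections import Counter, defaultdict

# Constructed sample. The layout imitates the text report; every identifier in it is made up.
SAMPLE_REPORT = """\
1.2 [check12] Ensure MFA is enabled for all IAM users that have a console password
      FAIL! User student1 has Password enabled but MFA disabled
      FAIL! User student2 has Password enabled but MFA disabled
      PASS! User ops-admin has MFA enabled
2.5 [check25] Ensure AWS Config is enabled in all regions
      FAIL! AWS Config is not enabled in us-east-1
      FAIL! AWS Config is not enabled in eu-west-1
2.9 [check29] Ensure VPC flow logging is enabled in all VPCs
      FAIL! No VPCFlowLog has been found in Region us-east-1
      PASS! VPCFlowLog found for vpc-0a1b2c in Region eu-west-1
7.18 [extra718] Check if S3 buckets have server access logging enabled
      FAIL! Bucket example-bucket-a has server access logging disabled
      PASS! Bucket example-bucket-b has server access logging enabled
"""

# A check header starts at column 0: "<section> [<check id>] <title>".
HEADER_RE = re.compile(r"^(?P<section>\d+\.\d+) \[(?P<check>[^\]]+)\] (?P<title>.+)$")
# A result line is indented and starts with PASS!, FAIL! or INFO!.
RESULT_RE = re.compile(r"^\s+(?P<status>PASS|FAIL|INFO)! (?P<message>.+)$")


def parse_prowler_text(text):
    """Return one dict per result line, carrying the section/check it belongs to."""
    results = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            results.append({**current, **m.groupdict()})
    return results


def summarize(results):
    """Map section -> Counter of statuses, e.g. {'1.2': Counter({'FAIL': 2, 'PASS': 1})}."""
    counts = defaultdict(Counter)
    for r in results:
        counts[r["section"]][r["status"]] += 1
    return dict(counts)


def failed_sections(results):
    """Sections with at least one FAIL, sorted."""
    return sorted({r["section"] for r in results if r["status"] == "FAIL"})


def failing_users(results, section):
    """User names pulled from FAIL messages of the form 'User <name> has ...'."""
    names = []
    for r in results:
        if r["section"] == section and r["status"] == "FAIL":
            m = re.search(r"\bUser (\S+) has\b", r["message"])
            if m:
                names.append(m.group(1))
    return names


def common_stem(names):
    """Most frequent name once trailing digits are removed (None for no names)."""
    if not names:
        return None
    stems = Counter(re.sub(r"\d+$", "", n) for n in names)
    return stems.most_common(1)[0][0]


if __name__ == "__main__":
    parsed = parse_prowler_text(SAMPLE_REPORT)
    for section, counts in summarize(parsed).items():
        print(section, dict(counts))
    print("failed:", failed_sections(parsed))
    print("MFA failures:", failing_users(parsed, "1.2"), "stem:", common_stem(failing_users(parsed, "1.2")))
```

The header and result regexes are the only parts tied to the layout; if a real report uses a different indentation or status prefix, adjust those two patterns and the rest of the summary logic is unchanged.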

Comprehensive Questions

  1. Should you recommend that your company proceed with integrating IT operations with the call center company?

    • Answer: ||No||
  2. Why is MFA an important requirement for Cloud accounts? Choose all that apply.

    • Answer:
      • ||Mitigates password attacks||
      • ||Often required by policy and regulation||
      • ||Cloud credentials represent powerful privileged accounts.||
  3. After reviewing the ScoutSuite Report, what is your best course of action?

    • Answer: ||Provide a summary of findings to your supervisor||