Getting AWS IAM info via AWS CLI and Linux

Hi friends, I wrote a script that is useful for getting AWS IAM info: [ account number, users, list of groups to which each user belongs and any policies attached directly to the user ] in one place.  The script consists of a main.sh and a helper.sh. Place both scripts in your home directory. The scripts assume you already have the AWS CLI tools installed and your API key is configured.

Main.sh Script 

#!/bin/bash
# main.sh: build aws_user_list (one IAM user name per line), then assemble the
# report in aws_iam_list: account number, user table, and per-user detail from helper.sh.
aws iam list-users --output text --query 'Users[].UserName' | tr '\t' '\n' > aws_user_list
printf "The AWS Account Number for this report is " > aws_iam_list
aws sts get-caller-identity --output text --query 'Account' >> aws_iam_list
aws iam list-users --output table >> aws_iam_list
bash ./helper.sh < aws_user_list >> aws_iam_list


 

helper.sh Script

#!/bin/bash
# helper.sh: read one user name per line from stdin and print that user's groups,
# directly attached managed policies, and inline policies. Quoting "$user" keeps
# names with unusual characters intact.
while read -r user; do
  echo "$user"
  aws iam list-groups-for-user --user-name "$user"
  aws iam list-attached-user-policies --user-name "$user"
  aws iam list-user-policies --user-name "$user"
done

 

# Script pieces

aws iam list-users --output table
aws iam list-groups-for-user --user-name
aws iam list-attached-user-policies --user-name
aws iam list-user-policies --user-name

#get your AWS account ID from CLI 
aws sts get-caller-identity --output text --query 'Account'

For future, next rev of script I need to iterate through a list of groups:

aws iam list-attached-group-policies --group-name 

aws iam list-group-policies --group-name
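The same report, as an added example in Python rather than the post's own shell scripts: it reads the JSON the CLI returns for each of the commands listed above, and it already does the "next rev" step of following every group to its attached managed policies so each user's effective policy set is visible. The `aws_json` runner shells out to the AWS CLI (configured credentials assumed); `SAMPLE` and `sample_fetch` are constructed responses in the CLI's JSON shapes so the logic can run offline.

```python
import json
import subprocess
from typing import Callable, Dict, List

Fetch = Callable[[List[str]], dict]


def aws_json(args: List[str]) -> dict:
    """Run one AWS CLI command and parse its JSON output (needs a configured CLI)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def iam_report(fetch: Fetch = aws_json) -> dict:
    """Per-user groups, directly attached managed policies, inline policies and,
    going one step beyond the post's script, the managed policies inherited
    through group membership. `fetch` takes the CLI argument list."""
    account = fetch(["sts", "get-caller-identity"])["Account"]
    report: dict = {"account": account, "users": {}}
    group_cache: Dict[str, List[str]] = {}   # group name -> attached policy ARNs
    for user in fetch(["iam", "list-users"])["Users"]:
        name = user["UserName"]
        groups = [g["GroupName"] for g in
                  fetch(["iam", "list-groups-for-user", "--user-name", name])["Groups"]]
        attached = [p["PolicyArn"] for p in
                    fetch(["iam", "list-attached-user-policies", "--user-name", name])["AttachedPolicies"]]
        inline = list(fetch(["iam", "list-user-policies", "--user-name", name])["PolicyNames"])
        via_groups: List[str] = []
        for group in groups:
            if group not in group_cache:   # each group is queried once, however many members it has
                resp = fetch(["iam", "list-attached-group-policies", "--group-name", group])
                group_cache[group] = [p["PolicyArn"] for p in resp["AttachedPolicies"]]
            via_groups.extend(group_cache[group])
        report["users"][name] = {"groups": groups, "attached": attached,
                                 "inline": inline, "via_groups": via_groups}
    return report


def direct_policy_users(report: dict) -> List[str]:
    """Users carrying policies directly (attached or inline) instead of through
    groups: the ones a group-centred review tends to miss."""
    return sorted(name for name, u in report["users"].items() if u["attached"] or u["inline"])


# Constructed sample responses in the shapes the CLI returns (not real account data).
SAMPLE = {
    ("sts", "get-caller-identity"): {"Account": "123456789012"},
    ("iam", "list-users"): {"Users": [{"UserName": "alice"}, {"UserName": "bob"}]},
    ("iam", "list-groups-for-user", "--user-name", "alice"): {"Groups": [{"GroupName": "Admins"}]},
    ("iam", "list-groups-for-user", "--user-name", "bob"): {"Groups": []},
    ("iam", "list-attached-user-policies", "--user-name", "alice"): {"AttachedPolicies": []},
    ("iam", "list-attached-user-policies", "--user-name", "bob"): {"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    ("iam", "list-user-policies", "--user-name", "alice"): {"PolicyNames": []},
    ("iam", "list-user-policies", "--user-name", "bob"): {"PolicyNames": ["s3-inline"]},
    ("iam", "list-attached-group-policies", "--group-name", "Admins"): {"AttachedPolicies": [
        {"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
}


def sample_fetch(args: List[str]) -> dict:
    """Offline stand-in for aws_json that answers from SAMPLE."""
    return SAMPLE[tuple(args)]


if __name__ == "__main__":
    live = iam_report()            # talks to the account the CLI is configured for
    print(json.dumps(live, indent=2))
    print("users with direct policies:", direct_policy_users(live))
```

Passing the fetcher in as a parameter is what makes the report testable without an account; swap `sample_fetch` for `aws_json` (the default) to run it for real.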
Posted in AWS, AWS Certified Solutions Architect, Uncategorized

AWS: Find Private IP addresses attached to Security Groups

Hi friends. Ever wonder how to get  dynamic private IP addresses (say ones assigned to an internal ALB) associated with your Security Groups? Ok to start, this is crude, I’ll admit it – but it works – and when I find a better way I will share.

First, since we are using VPC and not EC2-Classic, there is no more querying by Security Group name; we have to get the Security Group ID (also now dynamic in AWS). So for our first query you have to know what attribute you want to search on.

#The following will give Security group IDs for all SG's using 0.0.0.0/0

aws ec2 describe-security-groups --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].[GroupId, GroupName]" --output text

#OR list your groups which groups use port 80

aws ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=80" --query "SecurityGroups[].[GroupId, GroupName]" --output text

# and then grab the security-group id from the output of the above command and place it in the values section below

aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-xxxxxx | grep PrivateIpAddress
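The same lookup done on the CLI's JSON output instead of with grep, as an added example that is not part of the post: `matching_groups` reproduces the two filters above (and, going slightly beyond the `ip-permission.to-port` filter, matches any rule whose port range covers the port), and `private_ips` walks `describe-network-interfaces` for the interfaces that carry a group. Load balancer interfaces identify themselves in the ENI `Description`, which is how you tell the internal ALB's addresses from everything else. `SG_SAMPLE` and `ENI_SAMPLE` are constructed data in the CLI's shapes; the `aws_json` runner assumes a configured CLI.

```python
import json
import subprocess
from typing import Dict, List, Optional, Tuple


def aws_json(args: List[str]) -> dict:
    """Run one AWS CLI command and parse its JSON output (needs a configured CLI)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def matching_groups(sgs: dict, cidr: Optional[str] = None,
                    port: Optional[int] = None) -> List[Tuple[str, str]]:
    """(GroupId, GroupName) for groups with an ingress rule matching `cidr`
    and/or whose port range covers `port`. Input: describe-security-groups JSON."""
    hits = []
    for sg in sgs["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            ranges = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            lo, hi = perm.get("FromPort"), perm.get("ToPort")   # absent on "all traffic" rules
            cidr_ok = cidr is None or cidr in ranges
            port_ok = port is None or lo is None or lo <= port <= hi
            if cidr_ok and port_ok:
                hits.append((sg["GroupId"], sg["GroupName"]))
                break                      # one matching rule is enough per group
    return hits


def private_ips(enis: dict, group_id: str) -> List[Tuple[str, str]]:
    """(ENI description, private IP) for every interface carrying `group_id`.
    Input: describe-network-interfaces JSON."""
    out = []
    for eni in enis["NetworkInterfaces"]:
        if any(g["GroupId"] == group_id for g in eni.get("Groups", [])):
            for addr in eni.get("PrivateIpAddresses", []):
                out.append((eni.get("Description", ""), addr["PrivateIpAddress"]))
    return out


def world_open_private_ips(sgs: dict, enis: dict) -> Dict[str, List[Tuple[str, str]]]:
    """The post's procedure in one step: private IPs behind every group that
    admits 0.0.0.0/0, keyed by group id."""
    return {gid: private_ips(enis, gid) for gid, _ in matching_groups(sgs, cidr="0.0.0.0/0")}


# Constructed sample data (not from a real account).
SG_SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "public-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0e4f5a6b", "GroupName": "internal-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]}
ENI_SAMPLE = {"NetworkInterfaces": [
    {"Description": "ELB app/internal-alb/0123456789abcdef",
     "Groups": [{"GroupId": "sg-0e4f5a6b", "GroupName": "internal-alb"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.25", "Primary": True}]},
    {"Description": "ELB app/internal-alb/0123456789abcdef",
     "Groups": [{"GroupId": "sg-0e4f5a6b", "GroupName": "internal-alb"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.41", "Primary": True}]},
    {"Description": "web-1",
     "Groups": [{"GroupId": "sg-0a1b2c3d", "GroupName": "public-web"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True}]},
]}


if __name__ == "__main__":
    sgs = aws_json(["ec2", "describe-security-groups"])
    enis = aws_json(["ec2", "describe-network-interfaces"])
    for gid, ips in world_open_private_ips(sgs, enis).items():
        print(gid, ips)
```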
Posted in Uncategorized

PaloAlto VM Firewalls with AWS ELB/ALB

Hey friends – wanted to continue sharing my knowledge as I uncover how to use Palo Alto FW inside AWS. Here is some information about this Cloud Formation Template by Palo Alto.

Basically, the link above leads to a collection of scripts, CF templates that build configuration of Palo Alto Firewalls sitting behind an ELB, and in front of an ALB, like this:

All credit due to Palo Alto, the Cloud Formation Template works well. What is not so great however, is the technical documentation detailing the wizardry with which they pulled this off.  The tricky part about a design like this is that Firewalls are not a traditional LB target, meaning that they FORWARD traffic, rather than responding directly to the LoadBalancer itself like a server would. Further complicating matters, AWS ALB and ELB use DNS aliases. Keep-alives sourced from the external ELB pass through the Firewall – the firewall does not respond to keep-alives.

For this to work, Palo Alto has a NAT policy which basically takes external inbound LB traffic (untrust) and NATs the destination IP to the AWS ALB (internal load-balancer) private IP (trust). That last point is critical to understand if you ever hope to get something like this to work. Along with the Cloud Formation Template, Palo Alto has included 20+ (yes, 20!) python scripts that work in conjunction with CF and Lambda to automate this deployment. One or more of those scripts figures out the private IP of the internal load-balancer and creates a NAT object for it in the FW configuration template prior to FW deployment; that is how they get around the fact that the ALB private IP is dynamic, built on-the-fly each time CF is run. This little piece of info should be included in their documentation; presently, it is not.

Although I give serious, ( and I mean SERIOUS props),  to the Engineer who figured how to automate that piece with python and coded it all  – this ultimately is another ‘shoehorn’ of making something that was not built or designed to run in AWS, run in AWS.  The maintenance of the 20 + python scripts is not scalable – nor does it fit nicely into Terraform.

Palo Alto needs to work harder to integrate more deeply into the AWS API. Really, for a Cloud enabled Firewall, this should just be a CF template where you specify the ALB ( internal ) and the AWS API builds the initial FW policy based on resource attributes AWS has spun up internally.

Posted in AWS, AWS Certified Solutions Architect, Palo Alto FW, Palo Alto Networks

PaloAlto’s “fix” for making VM Series FW work with AWS ELB

I want to share my experience using Palo Alto FW in AWS ( using Terraform ).

Palo Alto has some good examples out there of how their stuff works with Terraform and AWS, such as this github repo for their two-tier implementation using Terraform. The two tier design here is a small starting point upon which to code out your platform. However, it does not take into account how the PAs work with multiple AZs or Load Balancers, both of which will most likely be needed in your implementation.

Multiple AZs are not hard to do, but if you want Elastic Load Balancers in the mix, there is a Management Interface swap that needs to happen in order for the Palo Alto VM FW to work with AWS ELB.

This seemingly tiny, insignificant detail has been challenging to integrate into Terraform, and although PaloAlto does provide some documentation, it is not enough. Here is what I learned:

  • An EIP association is also needed for eth1 ( what will become mgmt. interface ) if you are not using a Bastion host to connect initially.
  • Another EIP association is also needed in Terraform for FW eth0 so device can read and get bootstrap from S3 Bucket. ( this EIP can later be torn down – but yes, you need TWO EIPs at boot time to make this work! ) [ UPDATE: a VPC endpoint w/ routing can replace the need for this second EIP ]
  • FW Initial Ruleset must permit ssh / web to the IP of Ethernet 1/1, the new mgmt interface (that's obvious, but included here so it is not overlooked)
  • Ethernet 1/1 was not assigned to a Zone in PAN-OS initial config bootstrap when I got it working.
  • Terraform interface templates for Palo Alto need to have mgmt. interface associated to device_index = 1 ( instead of zero ) in initial config.  Configuring for Terraform, thus AWS, the actual interface assignments are abstracted, so you configure them as you will use them AFTER the swap.

Also of note, the PAN-OS does not “see” this change in the GUI. You will still implement your rules and zones as though there was not an interface change. Eth 1/1 shows up in Network interfaces…  The only place to see this is in the CLI with this lengthy command:

Fig 1. Normal boot:

admin@PA-VM> debug show vm-series interfaces all

Interface_name       Base-OS_port       Base-OS_MAC             PCI-ID         Driver
mgt                     eth0          06:82:4e:66:99:9a       0000:00:03.0      ixgbevf
Ethernet1/1             eth1          06:1a:e7:12:01:e0       0000:00:04.0      ixgbevf
Ethernet1/2             eth2          06:39:13:1b:e9:d4       0000:00:05.0      ixgbevf


Fig 2. Booting with the command ‘op-command-modes=mgmt-interface-swap’ in the init.cfg

admin@sample-cft-fw> debug show vm-series interfaces all

Interface_name       Base-OS_port       Base-OS_MAC             PCI-ID         Driver
mgt (interface-swap)    eth0          06:db:de:02:e5:22       0000:00:04.0      ixgbevf
Ethernet1/1             eth1          06:9f:0e:8b:de:ec       0000:00:03.0      ixgbevf
Ethernet1/2             eth2          06:5d:86:02:b1:4e       0000:00:05.0      ixgbevf
admin@sample-cft-fw>

It’s hard to notice a difference, but if it worked, you’ll see the (interface-swap) after mgt. ( above ) .  Palo Alto provides this graphic to explain it, but it does not really line up well with the output above since the VM interfaces are extracted into AWS.
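Because the difference is so easy to miss by eye, here is an added example (not from the post or from Palo Alto) that parses the `debug show vm-series interfaces all` output and reports whether the swap took effect. It uses the two outputs above as its input; the interface name column can contain a space (`mgt (interface-swap)`), so the four fixed columns are split off from the right. The PCI-ID comparison is the second tell: after the swap, `mgt` sits on the slot `Ethernet1/1` had on a normal boot.

```python
from typing import Dict

# Fig 1 and Fig 2 from the post, used as sample input.
NORMAL_BOOT = """\
admin@PA-VM> debug show vm-series interfaces all

Interface_name       Base-OS_port       Base-OS_MAC             PCI-ID         Driver
mgt                     eth0          06:82:4e:66:99:9a       0000:00:03.0      ixgbevf
Ethernet1/1             eth1          06:1a:e7:12:01:e0       0000:00:04.0      ixgbevf
Ethernet1/2             eth2          06:39:13:1b:e9:d4       0000:00:05.0      ixgbevf
"""

SWAPPED_BOOT = """\
admin@sample-cft-fw> debug show vm-series interfaces all

Interface_name       Base-OS_port       Base-OS_MAC             PCI-ID         Driver
mgt (interface-swap)    eth0          06:db:de:02:e5:22       0000:00:04.0      ixgbevf
Ethernet1/1             eth1          06:9f:0e:8b:de:ec       0000:00:03.0      ixgbevf
Ethernet1/2             eth2          06:5d:86:02:b1:4e       0000:00:05.0      ixgbevf
admin@sample-cft-fw>
"""


def parse_vm_interfaces(cli_output: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {port, mac, pci, driver} from the CLI table."""
    rows: Dict[str, Dict[str, str]] = {}
    in_table = False
    for line in cli_output.splitlines():
        if line.startswith("Interface_name"):
            in_table = True          # everything before the header is the echoed command
            continue
        stripped = line.strip()
        if not in_table or not stripped or stripped.endswith(">"):
            continue                 # skip blanks and the trailing prompt
        parts = line.rsplit(None, 4) # name may contain a space, so split from the right
        if len(parts) != 5:
            continue
        name, port, mac, pci, driver = parts
        rows[name.strip()] = {"port": port, "mac": mac, "pci": pci, "driver": driver}
    return rows


def swap_status(rows: Dict[str, Dict[str, str]]) -> dict:
    """Report whether PAN-OS shows the management interface swap."""
    mgt_name = next((n for n in rows if n.startswith("mgt")), None)
    if mgt_name is None:
        return {"swapped": False, "pci_order_swapped": False, "mgt_pci": None, "eth1_1_pci": None}
    mgt_pci = rows[mgt_name]["pci"]
    eth1_1_pci = rows.get("Ethernet1/1", {}).get("pci")
    return {
        "swapped": "(interface-swap)" in mgt_name,
        "mgt_pci": mgt_pci,
        "eth1_1_pci": eth1_1_pci,
        # on a normal boot mgt has the lowest PCI slot; after the swap the two change places
        "pci_order_swapped": eth1_1_pci is not None and mgt_pci > eth1_1_pci,
    }


if __name__ == "__main__":
    for label, text in (("normal", NORMAL_BOOT), ("swapped", SWAPPED_BOOT)):
        print(label, swap_status(parse_vm_interfaces(text)))
```

Feed it the captured output of a freshly bootstrapped firewall (for instance from an SSH session run by your deployment pipeline) and fail the deployment when `swapped` is false.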

In Terraform, it lines up as so:

device_index = 0 will be eth0  in AWS, which is initial mgmt in Palo Alto (before swap), communication to the S3 bucket for bootstrap happens from this interface.

device_index = 1 will be  eth1 in AWS, (which would be new mgmt if swapped)

device_index = 2 will be eth2 in AWS, not affected by swap

Also, before getting it to work in Terraform, I tried the command to swap interfaces on a FW VM series running in AWS that had booted normally, using Palo's CLI:

set system setting mgmt-interface-swap enable yes

It responded with:

Reboot system to take effect new changes. After reboot use IP address of eth1 (external to VM) for management

After it booted again, I had trouble getting back into the Firewall with  ssh. Got connection refused. Could have been various reasons, but at this stage, I think it was that I did not wait long enough. Another Engineer I am working with said that this worked for him but he had to wait a long time after boot.

This Management interface swap feels very much like the Palo Alto VM Firewall has been ‘shoe-horned’ to work in and with AWS.  I have always loved Palo Alto, but not really a fan of this fix.

I’ll be writing more as I learn. I hope this helps you! Oh, before I go, here are some handy PAN-OS CLI commands you will use if you are doing this same thing:

op-command-modes=mgmt-interface-swap # for bootstrap
set system setting mgmt-interface-swap enable yes # PA cli
debug show vm-series interfaces all # show your stuff
set mgt-config users admin password #you'll need this to get to the web GUI
save config
Posted in AWS, Palo Alto FW, Palo Alto Networks

AWS CLI Cheat Sheet

S3

# list all S3 buckets
aws s3 ls

#Delete an S3 bucket and all its contents
aws s3 rb s3://bucket-name --force

# Recursively copy a directory and its subfolders from your PC to Amazon S3
aws s3 cp MyFolder s3://bucket-name --recursive [--region us-west-2]

# List the sizes of an S3 bucket and its contents
aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[].Size), length(Contents[])]"

# Move S3 bucket to a new Region
aws s3 sync s3://oldbucket s3://newbucket --source-region us-west-1 --region us-west-2


CloudTrail 

# list all trails
aws cloudtrail describe-trails


# create a new trail
aws cloudtrail create-subscription \
 --name awslog \
 --s3-new-bucket awslog2016

# list the names of all trails
aws cloudtrail describe-trails --output text | cut -f 8

# get the status of a trail
aws cloudtrail get-trail-status \
 --name awslog

# delete a trail
aws cloudtrail delete-trail \
 --name awslog

# delete the S3 bucket of a trail
aws s3 rb s3://awslog2016 --force

# add tags to a trail, up to 10 tags
aws cloudtrail add-tags \
 --resource-id awslog \
 --tags-list "Key=log-type,Value=all"

# list the tags of a trail
aws cloudtrail list-tags \
 --resource-id-list <value>

# remove a tag from a trail
aws cloudtrail remove-tags \
 --resource-id awslog \
 --tags-list "Key=log-type,Value=all"
 
IAM


# list all user's info
aws iam list-users

# list all user's usernames
aws iam list-users --output text --query 'Users[].UserName'

# list current user's info
aws iam get-user

# list current user's access keys
aws iam list-access-keys

# create new user
aws iam create-user \
 --user-name aws-admin2

# create multiple new users, from a file
allUsers=$(cat ./user-names.txt)
for userName in $allUsers; do
 aws iam create-user \
 --user-name $userName
done

# list all users
aws iam list-users --no-paginate

# get a specific user's info
aws iam get-user \
 --user-name aws-admin2

# delete one user
aws iam delete-user \
 --user-name aws-admin2

Password Policy

# list policy
# http://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
aws iam get-account-password-policy

# set policy
# http://docs.aws.amazon.com/cli/latest/reference/iam/update-account-password-policy.html
aws iam update-account-password-policy \
 --minimum-password-length 12 \
 --require-symbols \
 --require-numbers \
 --require-uppercase-characters \
 --require-lowercase-characters \
 --allow-users-to-change-password

# delete policy
# http://docs.aws.amazon.com/cli/latest/reference/iam/delete-account-password-policy.html
aws iam delete-account-password-policy

## *** access keys
# list all access keys
aws iam list-access-keys

# list access keys of a specific user
aws iam list-access-keys \
 --user-name aws-admin2

# create a new access key
aws iam create-access-key \
 --user-name aws-admin2 \
 --output text | tee aws-admin2.txt

# list last access time of an access key
aws iam get-access-key-last-used \
 --access-key-id AKIAINA6AJZY4EXAMPLE

# deactivate an access key
aws iam update-access-key \
 --access-key-id AKIAI44QH8DHBEXAMPLE \
 --status Inactive \
 --user-name aws-admin2

# delete an access key
aws iam delete-access-key \
 --access-key-id AKIAI44QH8DHBEXAMPLE \
 --user-name aws-admin2
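An added example (not from the cheat sheet or its sources) that turns the three key commands above into a stale-key review: it walks every user, calls `get-access-key-last-used` for each active key, and emits the exact `update-access-key --status Inactive` argument list for keys that have been idle longer than a threshold. Keys that were never used are judged on their `CreateDate`, because `AccessKeyLastUsed` carries no `LastUsedDate` for them. `aws_json` assumes a configured CLI; `SAMPLE`, `SAMPLE_NOW` and the key IDs not on the page are constructed.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

Fetch = Callable[[List[str]], dict]


def aws_json(args: List[str]) -> dict:
    """Run one AWS CLI command and parse its JSON output (needs a configured CLI)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def parse_time(value: str) -> datetime:
    """CLI timestamps are ISO 8601, ending in either 'Z' or '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_keys(fetch: Fetch = aws_json, now: Optional[datetime] = None,
               max_idle_days: int = 90) -> List[dict]:
    """Active keys unused for more than `max_idle_days`, with the deactivate command for each."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for user in fetch(["iam", "list-users"])["Users"]:
        name = user["UserName"]
        for key in fetch(["iam", "list-access-keys", "--user-name", name])["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue                          # already deactivated, nothing to do
            key_id = key["AccessKeyId"]
            last = fetch(["iam", "get-access-key-last-used", "--access-key-id", key_id])["AccessKeyLastUsed"]
            if "LastUsedDate" in last:
                used = parse_time(last["LastUsedDate"])
                if used >= cutoff:
                    continue
                reason = f"last used {used.date()} via {last.get('ServiceName')}"
            else:
                if parse_time(key["CreateDate"]) >= cutoff:
                    continue                      # new key, give it time
                reason = f"never used since creation on {parse_time(key['CreateDate']).date()}"
            findings.append({
                "user": name, "key_id": key_id, "reason": reason,
                "deactivate": ["aws", "iam", "update-access-key", "--access-key-id", key_id,
                               "--status", "Inactive", "--user-name", name],
            })
    return findings


# Constructed sample responses (the two AKIA...EXAMPLE ids come from the cheat sheet,
# the other is made up for this example).
SAMPLE_NOW = datetime(2017, 10, 1, tzinfo=timezone.utc)
SAMPLE = {
    ("iam", "list-users"): {"Users": [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "carol"}]},
    ("iam", "list-access-keys", "--user-name", "alice"): {"AccessKeyMetadata": [
        {"UserName": "alice", "AccessKeyId": "AKIAINA6AJZY4EXAMPLE", "Status": "Active",
         "CreateDate": "2017-01-10T09:00:00Z"}]},
    ("iam", "list-access-keys", "--user-name", "bob"): {"AccessKeyMetadata": [
        {"UserName": "bob", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
         "CreateDate": "2016-11-02T09:00:00Z"}]},
    ("iam", "list-access-keys", "--user-name", "carol"): {"AccessKeyMetadata": [
        {"UserName": "carol", "AccessKeyId": "AKIANEVERUSEDEXAMPLE", "Status": "Active",
         "CreateDate": "2017-01-15T09:00:00+00:00"},
        {"UserName": "carol", "AccessKeyId": "AKIAOLDINACTIVEXAMPL", "Status": "Inactive",
         "CreateDate": "2015-01-01T00:00:00Z"}]},
    ("iam", "get-access-key-last-used", "--access-key-id", "AKIAINA6AJZY4EXAMPLE"):
        {"UserName": "alice", "AccessKeyLastUsed": {"LastUsedDate": "2017-09-28T14:00:00Z",
                                                    "ServiceName": "s3", "Region": "us-west-2"}},
    ("iam", "get-access-key-last-used", "--access-key-id", "AKIAI44QH8DHBEXAMPLE"):
        {"UserName": "bob", "AccessKeyLastUsed": {"LastUsedDate": "2017-03-01T14:00:00Z",
                                                  "ServiceName": "ec2", "Region": "us-west-2"}},
    ("iam", "get-access-key-last-used", "--access-key-id", "AKIANEVERUSEDEXAMPLE"):
        {"UserName": "carol", "AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
}


def sample_fetch(args: List[str]) -> dict:
    """Offline stand-in for aws_json that answers from SAMPLE."""
    return SAMPLE[tuple(args)]


if __name__ == "__main__":
    for f in stale_keys():
        print(f["user"], f["key_id"], f["reason"], " ".join(f["deactivate"]))
```

The script only prints the deactivate commands; run them yourself once the key owner has confirmed, and delete the key after a quiet period.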
 
 
Groups, Policies, Managed Policies

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html http://docs.aws.amazon.com/cli/latest/reference/iam/

# list all groups
aws iam list-groups

# create a group
aws iam create-group --group-name FullAdmins

# delete a group
aws iam delete-group \
 --group-name FullAdmins

# list all policies
aws iam list-policies

# get a specific policy
aws iam get-policy \
 --policy-arn <value>

# list all users, groups, and roles, for a given policy
aws iam list-entities-for-policy \
 --policy-arn <value>

# list policies, for a given group
aws iam list-attached-group-policies \
 --group-name FullAdmins

# add a policy to a group
aws iam attach-group-policy \
 --group-name FullAdmins \
 --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# add a user to a group
aws iam add-user-to-group \
 --group-name FullAdmins \
 --user-name aws-admin2

# list users, for a given group
aws iam get-group \
 --group-name FullAdmins

# list groups, for a given user
aws iam list-groups-for-user \
 --user-name aws-admin2

# remove a user from a group
aws iam remove-user-from-group \
 --group-name FullAdmins \
 --user-name aws-admin2

# remove a policy from a group
aws iam detach-group-policy \
 --group-name FullAdmins \
 --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# delete a group
aws iam delete-group \
 --group-name FullAdmins


EC2

keypairs

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

# list all keypairs
# http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-key-pairs.html
aws ec2 describe-key-pairs

# create a keypair
# http://docs.aws.amazon.com/cli/latest/reference/ec2/create-key-pair.html
aws ec2 create-key-pair \
 --key-name <value>

# create a new private / public keypair, using RSA 2048-bit
ssh-keygen -t rsa -b 2048

# import an existing keypair
# http://docs.aws.amazon.com/cli/latest/reference/ec2/import-key-pair.html
aws ec2 import-key-pair \
 --key-name keyname_test \
 --public-key-material file:///home/apollo/id_rsa.pub

# delete a keypair
# http://docs.aws.amazon.com/cli/latest/reference/ec2/delete-key-pair.html
aws ec2 delete-key-pair \
 --key-name <value>
Security Groups

http://docs.aws.amazon.com/cli/latest/reference/ec2/index.html

# list all security groups
aws ec2 describe-security-groups

# create a security group
aws ec2 create-security-group \
 --vpc-id vpc-1a2b3c4d \
 --group-name web-access \
 --description "web access"

# list details about a security group
aws ec2 describe-security-groups \
 --group-id sg-0000000

# open port 80, for everyone (0.0.0.0/0; 0.0.0.0/24 would only cover 256 addresses)
aws ec2 authorize-security-group-ingress \
 --group-id sg-0000000 \
 --protocol tcp \
 --port 80 \
 --cidr 0.0.0.0/0

# get my public ip
my_ip=$(dig +short myip.opendns.com @resolver1.opendns.com);
echo $my_ip

# open port 22, just for my ip (a single host is a /32; /24 would admit 256 addresses)
aws ec2 authorize-security-group-ingress \
 --group-id sg-0000000 \
 --protocol tcp \
 --port 22 \
 --cidr $my_ip/32

# remove a firewall rule from a group
aws ec2 revoke-security-group-ingress \
 --group-id sg-0000000 \
 --protocol tcp \
 --port 80 \
 --cidr 0.0.0.0/0

# delete a security group
aws ec2 delete-security-group \
 --group-id sg-00000000
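The port 80 and port 22 rules above are where prefix lengths get mistyped: `0.0.0.0/24` is not "everyone" (it is 256 addresses), and `$my_ip/24` is not "just my IP" (it is your whole /24, and the CLI rejects it as having host bits set). This added example, not from the cheat sheet, is a pre-flight that normalizes the source, reports how many addresses a rule admits, refuses world-open rules on anything but the ports you list, and only then builds the `authorize-security-group-ingress` argument list. The group id and addresses are placeholders.

```python
import ipaddress
from typing import List, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def normalize_source(source: str) -> Network:
    """A bare address becomes a /32 (or /128); a prefix must have no host bits set,
    so '203.0.113.5/24' raises ValueError instead of being silently widened."""
    return ipaddress.ip_network(source, strict=True)


def address_count(source: str) -> int:
    """How many addresses a source CIDR actually admits."""
    return normalize_source(source).num_addresses


def ingress_argv(group_id: str, port: int, source: str,
                 world_ok_ports: Sequence[int] = (80, 443)) -> List[str]:
    """Argument list for authorize-security-group-ingress, refusing to open a
    non-web port to the whole internet (prefix length 0)."""
    net = normalize_source(source)
    if net.prefixlen == 0 and port not in world_ok_ports:
        raise ValueError(f"refusing to open tcp/{port} to {net}")
    return ["aws", "ec2", "authorize-security-group-ingress",
            "--group-id", group_id, "--protocol", "tcp",
            "--port", str(port), "--cidr", str(net)]


def is_rejected(group_id: str, port: int, source: str) -> bool:
    """True when the pre-flight refuses the rule (bad prefix or world-open port)."""
    try:
        ingress_argv(group_id, port, source)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    my_ip = "203.0.113.5"             # placeholder; the cheat sheet gets this from dig
    print(address_count("0.0.0.0/0"), address_count("0.0.0.0/24"), address_count(my_ip))
    print(" ".join(ingress_argv("sg-0000000", 22, my_ip)))
    print(" ".join(ingress_argv("sg-0000000", 80, "0.0.0.0/0")))
    for bad in ((22, my_ip + "/24"), (22, "0.0.0.0/0")):
        print("rejected:", bad, is_rejected("sg-0000000", *bad))
```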
 
EC2

#http://docs.aws.amazon.com/cli/latest/reference/ec2/index.html

# list all instances (running, and not running)
# http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html
aws ec2 describe-instances

# list all instances running
aws ec2 describe-instances --filters Name=instance-state-name,Values=running

# create a new instance
# http://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html
aws ec2 run-instances \
 --image-id ami-f0e7d19a \
 --instance-type t2.micro \
 --security-group-ids sg-00000000 \
 --dry-run

# terminate an instance (this deletes it; stop-instances only stops it)
# http://docs.aws.amazon.com/cli/latest/reference/ec2/terminate-instances.html
aws ec2 terminate-instances \
 --instance-ids <instance_id>

# list status of all instances
# http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-status.html
aws ec2 describe-instance-status

# list status of a specific instance
aws ec2 describe-instance-status \
 --instance-ids <instance_id>
 
# list instance IP addresses
aws ec2 describe-instances \
 --query "Reservations[*].Instances[*].PublicIpAddress" \
 --output=text
Tags

# list the tags of an instance
# http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-tags.html
aws ec2 describe-tags

# add a tag to an instance
# http://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html
aws ec2 create-tags \
 --resources "ami-1a2b3c4d" \
 --tags Key=Name,Value=debian

# delete a tag on an instance
# http://docs.aws.amazon.com/cli/latest/reference/ec2/delete-tags.html
aws ec2 delete-tags \
 --resources "ami-1a2b3c4d" \
 --tags Key=Name,Value=


Cloudwatch

#Log Groups
#http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatchLogs.html http://docs.aws.amazon.com/cli/latest/reference/logs/index.html#cli-aws-logs
#create a group
#http://docs.aws.amazon.com/cli/latest/reference/logs/create-log-group.html

aws logs create-log-group \
 --log-group-name "DefaultGroup"
 
 
#list all log groups
#http://docs.aws.amazon.com/cli/latest/reference/logs/describe-log-groups.html

aws logs describe-log-groups

aws logs describe-log-groups \
 --log-group-name-prefix "Default"


#delete a group
#http://docs.aws.amazon.com/cli/latest/reference/logs/delete-log-group.html

aws logs delete-log-group \
 --log-group-name "DefaultGroup"
Log Streams

# Log group names can be between 1 and 512 characters long. Allowed
# characters include a-z, A-Z, 0-9, '_' (underscore), '-' (hyphen),
# '/' (forward slash), and '.' (period).

# create a log stream
# http://docs.aws.amazon.com/cli/latest/reference/logs/create-log-stream.html
aws logs create-log-stream \
 --log-group-name "DefaultGroup" \
 --log-stream-name "syslog"

# list details on the log streams of a group
# http://docs.aws.amazon.com/cli/latest/reference/logs/describe-log-streams.html
aws logs describe-log-streams \
 --log-group-name "DefaultGroup"

# only the streams whose name starts with "syslog"
aws logs describe-log-streams \
 --log-group-name "DefaultGroup" \
 --log-stream-name-prefix "syslog"

# delete a log stream
# http://docs.aws.amazon.com/cli/latest/reference/logs/delete-log-stream.html
aws logs delete-log-stream \
 --log-group-name "DefaultGroup" \
 --log-stream-name "Default Stream"


### From ReInvent
#create vpc
aws ec2 create-vpc --cidr-block 10.0.0.0/16

sources: ( some of my own tinkering, but these guys contributed largely ) 
https://cloudacademy.com/blog/aws-cli-10-useful-commands/

http://lockboxx.blogspot.com/2015/02/aws-api-security-auditing-cheat-sheet.html
Posted in AWS, AWS Certified Solutions Architect

Front row perspective from Brian Krebs’ 2017 Keynote!

 

I had the amazing honor of getting front row for Brian Krebs' keynote speech at the SailPoint Navigate Conference last week in Austin, TX! Brian is an exceptional public speaker, just as he is an exceptional writer. Krebs has been my teacher for a few years now (extensive reading and studying of his blog: https://krebsonsecurity.com ). During the keynote, he captivated the audience by highlighting what he has learned in his experiences. I wrote as fast as I could by hand in my notebook, tried to capture as much of it as I could, and put it all together here:

Opening thoughts: 

  • Authentication and Identity Compromises are why there are so many Security breaches; the attacker essentially becomes the user with stolen, compromised credentials
  • Weakest part of the organization is the farthest point out – the users
  • “Everyone gets pen-tested whether or not they pay for it” < that is so true! 
  • Most breaches in the last decade, the org has had no clue the attacker was on their Network.
  • Security Awareness Training is still an effective method to help mitigate breaches.
  • We have no business using “static identifiers” in 2017! How do we get better?
  • Two Factor can blunt many attacks!  Industry relies on tools too much, need to rely more on human to interpret the tools. Target had tools, but people could not make sense of what they were getting.
  • Trained, Sec Ops to do basic ‘block and tackle’ , curious human beings to look at tool output needed to find the bad guys.
  • Build a solid SecOps team (  If orgs cut back on Security people, their visibility decreases.)
  • Mitigate Account Take-over [ e.g., using your same creds across multiple web services ]; credential replay can be done by bots at a slow rate to avoid SecTool detection; need a human eye on the screen.

Krebs then changed up topics to predictions:

  • Ransomware attacks may become more targeted, and attackers will better understand the data (and the value of that data) which they are encrypting so they can ask a proper ransom for it.
  • IoT – will be a major challenge.  Shodan lists all kinds of targets. Krebs’ site was DDoS’d [ 620 Gbps ] by a massive Botnet consisting of IoT devices; expect this trend to continue.
  • Potentially more disruptive attacks [ WannaCry ]

More Solutions outlined:

  • Get beyond Compliance; don’t just meet the audit; go further
  • Invest in 2FA everywhere!
  • Do your back-ups correctly, don’t leave them open, or exposed!
  • Drills exercises; red team vs.  blue team so your team will be ready and can run the playbook!
  • Secure what you have
  • Watch out for vendor ‘kool-aid’ that their tools can replace people, simply not true!
  • Strengthen and invest in current employees
  • Assume you are compromised
  • Watch out for your business partners

After the speech was over, he wanted to stay up and answer questions for the audience; unfortunately, the vendor rushed him off stage so some c-level person could speak (but not before I got to shake his hand and thank him for all his work and how much he has helped me professionally)! Thank you, Brian! It was great to finally meet you!

Posted in Cyber Security, Ransomware

Who is talking to Alexa?

It seems like only a week after I wrote about the need for Voice Authentication on Alexa, Engadget published this article about how Siri and Alexa are vulnerable to nefarious commands. Basically, researchers were sending commands in ultra high frequencies and getting the Electronic Personal assistants to respond.

In perhaps a related mystery, oftentimes during a movie or a TV show, I will observe Alexa wake up and respond to the movie, usually with "I don't know about that", when none of the dialog said anything that resembled 'Alexa'. Makes me wonder how long people have known about the vulnerability that Engadget found, and have been exploiting it in front of our very ears.

Hmmm. Let’s take it a step further… what if there were a special Alexa skill, where it was coded such that Alexa did not verbally respond, but could kick off a function in the background. . . it is possible. You then could secretly tell an Alexa to execute a task with your recorded ultra high frequency command, and then Alexa ‘could’ quietly execute the task, all without knowledge of the Alexa owner.

Until I can get voice authentication for my Echo – Alexa won’t be hooked up to anything that can cause too much havoc. I don’t want to be watching ‘Ghost in the Shell’ and have a case of canned unicorn meat from Amazon show up on my front porch the next day.

Posted in Uncategorized