Thursday, September 22, 2022
HomeCyber SecurityUtilizing AWS Programs Supervisor Parameter Retailer with AWS Lambda | by Teri...

Utilizing AWS Programs Supervisor Parameter Retailer with AWS Lambda | by Teri Radichel | Cloud Safety | Sep, 2022


It is a continuation of my collection on Automating Cybersecurity Metrics.

~~~~~~

PSA: Is somebody copying your content material and reposting it? Right here’s methods to discover out and report them:

~~~~~~

I printed the structure I’m working by some time again although I’m nonetheless including a number of the items on the time of this writing.

We’re engaged on a Lambda operate that begins the method to kick off a batch job. A part of that was to generate a cryptographically safe random ID for our batch jobs:

We integrated that right into a Lambda Operate:

Then we began engaged on a solution to textual content batch job operators however have to attend till we get our numbers or SMS on AWS:

So now we’re again to what else we have to with our Lambda operate. We’re going to retailer our batch job ID in an AWS SSM Parameter.

AWS Programs Supervisor

If you’re not aware of AWS Programs Supervisor it’s a assortment of performance that appears to be geared at IT directors who’re used to patching techniques and working scripts on them. I’m not a fan of that strategy as a result of I want immutable infrastructure as I’m and can be exhibiting you methods to construct on this weblog collection. As an alternative of patching, redeploy to get your updates.

As well as, I see a whole lot of safety challenges with securing AWS Programs Supervisor. In my safety courses I clarify how the performance in AWS Programs Supervisor might be used as a C2 channel. In reality, after that an organization I do know constructed an open supply device that does precisely that. Once I noticed the demo after inviting them to my AWS Meetup in Seattle (at the moment on maintain because of logistical challenges however hopefully coming once more quickly however hopefully extra on-line occasions coming quickly) I instantly requested the developer if he was utilizing AWS Programs Supervisor below the hood. Yep.

AWS Programs Supervisor Parameter Retailer vs. Secrets and techniques Supervisor

Though I don’t use a whole lot of what’s in AWS Programs Supervisor for safety causes, I do could use of 1 piece of AWS Programs Supervisor: Parameter Retailer. It’s much like AWS Secrets and techniques Supervisor with not fairly all of the performance, and it’s cheaper.

A number of the variations: AWS SSM doesn’t rotate credentials and it doesn’t have cross-account entry right now (which might be good if you wish to guarantee nobody exterior your account can see what you’re storing there by a misconfigured position.) You may retailer blobs of textual content nevertheless it doesn’t have the performance AWS Secrets and techniques supervisor has to retailer well-defined key-value pairs. That is all not good or unhealthy — it’s simply that you might want to take into account your use case and select the suitable resolution for the job.

Additionally, you may’t encrypt SSM parameter values created with CloudFormation. I already confirmed you ways to do that with AWS Secrets and techniques Supervisor:

As a result of I’m going to be probably creating a whole lot of classes I’m hoping this cheaper possibility will work in my case, however we’ll need to attempt it out to make certain.

You may safe AWS Programs Supervisor

Additionally — earlier than somebody will get too mad at me — you most likely can safe AWS Programs Supervisor decently sufficient for lots of use instances. It’s simply tougher to take action as a result of a number of the performance is a bit free-form and you might want to watch out what individuals can do with paperwork on techniques. I’ve averted the complexity myself thus far and keep on with immutable infrastructure. There are just a few instances the place you’ll want patching (databases, for instance) however you can too offload that accountability to AWS when you use a managed database service. Who is aware of, perhaps in some unspecified time in the future I’ll have a purpose to make use of one other function of AWS SSM.

In regards to the batch job ID because the parameter title…

I’m going to make use of the batch job ID for my parameter title. Now why am I not storing the worth of the batch job ID and utilizing the title of the batch job because the title of the parameter?

Contemplate our use case. What if we’ve got a number of of the identical batch jobs working on the identical time? We may have totally different batch job IDs however the batch job title would be the identical. I’ve already proven you simply now that we will’t add two parameters with the identical title to SSM Parameter retailer. We want a novel worth for the title of our parameter and one {that a} batch job can use later to retrieve the proper parameter. We’re utilizing a batch job ID for this goal.

The batch job ID is sort of a session for a specific occasion of that batch job working in our account. It is going to be related to a particular AWS session tied to that batch job ID and it’ll expire after a time period. As a result of this worth acts like a session ID, we are going to need to restrict the likelihood that somebody might get hold of it and kick off a batch job. In the meanwhile, and when you had been growing this, you would keep away from doing something dangerous with a batch job till that is sorted out.

Utilizing Boto3 to create a parameter and retailer it in SSM

I defined what Boto3 is within the final put up and we took a have a look at SSM documentation particularly.

We need to name the put_parameter operate and appears like we have to specify a reputation, worth, and kind. Further parameters exist however we’re skipping these for now.

Verify the documentation for limitations on parameter names however the naming conference we’ve outlined needs to be okay.

One of many issues we’ve got to specify is “kind”. What are our choices for kind?

String could be unencrypted textual content.

SecureString could be encrypted. We are able to use the default AWS encryption or present our personal KMS key id. I’ll clarify why the later is a greater possibility in a bit.

StringList is a comma separated record. We are able to discover out extra concerning the StringList kind within the AWS API Reference documentation for SSM PutParameter:

Again to the Boto3 documentation. There’s one be aware right here I’d such as you to note within the Warning beneath:

You may’t use SecureString with CloudFormation. That’s why every time I need to use CloudFormation to retailer any kind of worth I need to be encrypted and never seen within the AWS console, logs, and many others., I by no means use Parameter Retailer. I take advantage of AWS Secrets and techniques Supervisor.

Storing a worth in AWS Programs Supervisor

Let’s first check our code in an area Python file and execute it to check the code we’ll add to our Lambda operate.

We are able to create a test-ssm-put-param.py file and add the next code. We’re going to begin with a SecureString that makes use of the default AWS encryption.

#!/bin/python3import boto3
ssm = boto3.shopper('ssm')
param_name="TestParameter"
param_value="TestValue"
param_type="SecureString"
#utilizing AWS default encrypt (kind=SecureString)
ssm.put_parameter(Title=param_name,Worth=param_value,Kind=param_type
val = ssm.get_parameter(Title=param_name, WithDecryption=True)
print(val)

Double-click the file and it ought to add a parameter to SSM Parameter Retailer. Then it’s going to retrieve and print the parameter.

You can too test the AWS Programs Supervisor Parameter Retailer console to verify that your parameter exists.

Word that when you run the check once more you’ll get an error as a result of the parameter already exists.

You may delete the parameter or add further code to the script to delete the parameter after retrieving it.

Add the batch job title as a parameter handed to our Lambda operate

Now let’s add this to our lambda operate. First, we need to move in a batch job title. Configure the Lambda operate check occasion the best way I wrote about within the lat put up. The title of the operate we’re engaged on is called: GenerateBatchJobIDLambda. You may simply change the present check occasion.

Put it aside:

Alter our Lambda code to learn the worth of the BatchJobName parameter

Replace the Lambda code in our CloudFormation template to learn the parameter as defined within the final put up.

batch_job_name=occasion['BatchJobName']

Word that this at the moment has a gaping safety downside. Appear my final put up on Lambda operate parameters, XSS, and injection assaults. We’ll repair that in an an upcoming put up.

Retailer the SSM Parameter

Add the code to retailer the SSM parameter after producing the ID. Use the ID for the title of the parameter and the batch job title for the worth.

Deploy the CloudFormation to replace the operate utilizing the deploy.sh file within the operate folder that we created within the prior put up:

./deploy.sh

Now you may check your operate from the console utilizing the brand new check occasion.

Add SSM Permission to our Lambda Function

Aha. I forgot to replace the position related to this Lambda operate to permit it to name ssm::PutParameter.

Now take into consideration the permissions we have to give the Lambda operate for a minute. Can this Lambda operate add any parameter to SSM Parameter Retailer? We solely need it so as to add this batch job ID parameter. We additionally don’t need anybody else to have the ability to edit our batch job ID parameters.

Let’s begin by modifying the worth we retailer in our code to the next for the parameter title to the next format:

param_name="batch-job-" + batch_job_id

That may even make it simpler for us to seek for and discover the parameters associated to our batch jobs in SSM Parameter Retailer.

Recall that we had a deny all assertion in our Lambda operate coverage:

Add the permission for the Lambda operate to name AWS SSM PutParameter however just for sources that begin with “batch-job-”.

Run the deploy script once more to deploy the coverage change.

Word that I obtained this error because of the coverage above. Oops. When you’ve ever seen this error, don’t overlook !Sub when including pseudo parameters. The error message might be a tad much less obscure. I simply obtained this just a few days in the past and I already had forgotten what brought about it. That’s why I’m writing issues down on posts in my bug weblog:

Wait a couple of minutes for the IAM permissions to kick in an then re-test your operate. Yippee!

Now test to see if the parameter exists in Parameter Retailer. Woot!

Discover that we didn’t want to present our Lambda operate permissions to learn or retrieve parameters, solely to write down parameters.

SSM Parameter Retailer Insurance policies

Now how would we cease anybody else from studying or modifying these insurance policies? Does an SSM Parameter have a coverage like an AWS KMS Key that we will use to limit entry to solely the individuals who ought to entry that parameter? No.

AWS Parameter Retailer does have one thing that they sadly named a “Coverage” however it isn’t a useful resource coverage that can be utilized to stop entry to a specific parameter. Maintain that thought.

Though I obtained this to “work” we’re not executed with this implementation. Are you aware what safety gaps exist while you have a look at this implementation? What enhancements might we add to make it more durable for an attacker to retrieve our parameters or the values in them?

Keep tuned….observe for updates.

Teri Radichel

When you favored this story please clap and observe:

Medium: Teri Radichel or E mail Record: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests companies through LinkedIn: Teri Radichel or IANS Analysis

© 2nd Sight Lab 2022

All of the posts on this collection:

____________________________________________

Writer:

Cybersecurity for Executives within the Age of Cloud on Amazon

Want Cloud Safety Coaching? 2nd Sight Lab Cloud Safety Coaching

Is your cloud safe? Rent 2nd Sight Lab for a penetration check or safety evaluation.

Have a Cybersecurity or Cloud Safety Query? Ask Teri Radichel by scheduling a name with IANS Analysis.

Cybersecurity & Cloud Safety Sources by Teri Radichel: Cybersecurity and Cloud safety courses, articles, white papers, shows, and podcasts



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments