Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce AWS CLI detonator #16

Merged
merged 2 commits into from
May 15, 2023
Merged

Introduce AWS CLI detonator #16

merged 2 commits into from
May 15, 2023

Conversation

christophetd
Copy link
Contributor

@christophetd christophetd commented May 4, 2023
edited
Loading

What does this PR do?

Add a new AWS CLI detonator. It works by running the user-provided bash script, setting AWS_EXECUTION_ENV with the detonation UID so it shows up in the user agent of the resulting logs

image

Motivation

When we want to use Threatest from the CLI, for now we're limited to what Stratus Red Team supports. Being able to use the AWS CLI - while not ideal and more complex - allows to test anything.

Sample usage

scenarios:
  - name: opening a security group to the Internet
    detonate:
      awsCliDetonator:
        script: |
          set -e
          
          # Setup
          vpc=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text)
          sg=$(aws ec2 create-security-group --group-name sample-sg --description "Test security group" --vpc-id $vpc --query GroupId --output text)
          
          # Open security group
          aws ec2 authorize-security-group-ingress --group-id $sg --protocol tcp --port 22 --cidr 0.0.0.0/0
          
          # Cleanup
          aws ec2 delete-security-group --group-id $sg
          aws ec2 delete-vpc --vpc-id $vpc
    expectations:
      - timeout: 15m
        datadogSecuritySignal:
          name: "Potential administrative port open to the world via AWS security group"

Sample output:

$ go run ./cmd/threatest/*.go run test.threatest.yaml
INFO[0000] Running 1 scenarios with a parallelism of 1
Execution ID: 05465a6b-2696-4a52-8795-3b0a84963cf6
INFO[0289] opening a security group to the Internet: Confirmed that the expected signal (Datadog security signal 'Potential administrative port open to the world via AWS security group') was created in Datadog (took 281 seconds).
INFO[0289] opening a security group to the Internet: All assertions passed
INFO[0294] Scenario 'opening a security group to the Internet' passed in 294.60 seconds

Open questions

If we need to give the user arbitrary control over how the detonation is done, should we consider adding a "match only" mode to Threatest?

e.g.

# Manually detonate an attack
AWS_EXECUTION_ENV=threatest_1234
aws ec2 ...

# Verify
threatest check --type datadog-signal --name "My signal name" --execution-uid=threatest_1234

@christophetd christophetd merged commit fb37a9f into main May 15, 2023
@christophetd christophetd deleted the aws-cli-detonator branch May 15, 2023 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juliendoutre juliendoutre juliendoutre approved these changes

Assignees

@juliendoutre juliendoutre

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@christophetd @juliendoutre