Scan and secure AWS Lambda credentials like a pro!

pawelpiwosz

Paweł Piwosz

Posted on February 10, 2022


I was reading my LinkedIn wall when I saw a post from one of my friends about something scary. The scariest part of it was to see how easily one can "steal" sensitive information from AWS Lambda environment variables.

It was like "WOOOOW...". But the next thought was... "Wait, really? People are doing this?". And then I realised how little effort we put into the proper design and architecture of our solutions. So, let me ask you this: Do you store sensitive data, credentials for containers, in environment variables? Even in AWS ECS? Do you store credentials in environment variables for AWS Lambda? If the answer is "yes", please, rethink your approach.
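To make the alternative concrete, here is an added example (not from the original post, and not from any of the tools it mentions) of a Lambda handler that keeps the credential itself out of the environment. The environment variable only names the secret; the value is read from AWS Secrets Manager once per execution environment and cached in memory, so a rotation propagates after the TTL. The variable name `DB_SECRET_ID`, the secret layout and the TTL are assumptions for this example; `get_secret_value` is the real Secrets Manager API call.

```python
"""
Added example, not part of the original post: a Lambda handler that reads a
database credential from Secrets Manager instead of an environment variable.
Assumptions: the env var DB_SECRET_ID holds the secret's name or ARN, the
secret is a JSON document with "username" and "password", and the function's
execution role is allowed secretsmanager:GetSecretValue on that secret.
"""
import json
import os
import time

_CACHE = {}              # secret id -> (parsed value, time fetched)
CACHE_TTL_SECONDS = 300  # re-read after 5 minutes so rotations are picked up


def get_secret(secret_id: str, client, now=time.time) -> dict:
    """Return the parsed JSON secret, reusing the cached copy while it is fresh.

    `client` is a boto3 Secrets Manager client in production; anything with a
    get_secret_value(SecretId=...) method works, which keeps this testable
    offline. `now` is injectable for the same reason.
    """
    cached = _CACHE.get(secret_id)
    if cached and now() - cached[1] < CACHE_TTL_SECONDS:
        return cached[0]
    resp = client.get_secret_value(SecretId=secret_id)
    value = json.loads(resp["SecretString"])
    _CACHE[secret_id] = (value, now())
    return value


def _real_client():
    import boto3  # lazy import so the module loads without boto3 installed
    return boto3.client("secretsmanager")


def handler(event, context, client=None):
    # Only a *reference* to the secret lives in the environment.
    secret_id = os.environ["DB_SECRET_ID"]
    creds = get_secret(secret_id, client or _real_client())
    # ... open the database connection with creds["username"] / creds["password"] ...
    # Never echo the password back; the response only carries non-sensitive data.
    return {"statusCode": 200, "body": json.dumps({"user": creds["username"]})}
```

With this layout a tool that dumps `Environment.Variables` sees only `DB_SECRET_ID=prod/db`, and reading the actual password requires a separate, auditable `GetSecretValue` call that CloudTrail records.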

To be clear, the utility I am talking about has some prerequisites. You need to have access to the AWS environment. Well, yes, this makes it not a hacker tool but, let's say, a security tool, a DevSecOps tool if you wish. But there are other tools out there which were not created for tests ;P

So, what we will do, is play a little with AWS-Loot. You can find more about it here.

Installation

Installation is very simple. It is a Python package, so the best option is to keep it in a virtualenv (or even better, in a dedicated container), but here we will go wild.

First, we need to clone the repo:

git clone git@github.com:sebastian-mora/AWS-Loot.git

Ok. Navigate to the cloned repo and simply run:

pip install -r requirements.txt

Or, like in my case, pip3. But you already know the stuff.

Obviously, our nasty hacking soul needs... credentials. Make sure you have them in the .aws folder.

After installation we should have a file awsloot.py.

What can be scanned

The tool can scan three services at this moment.

  • EC2 UserData
  • CodeBuild
  • Lambda (all versions)

I am sure there will be more; the design of this tool is clear, clean and makes it easy to add more functions.

Execution

Let's run it then!

./awsloot.py

Execution

Pass the profile name. Even if you have only the default one, you still need to give its name.

Select the service; in our case we are curious about Lambdas. Navigate with the arrows and select with space. More than one can be selected.

Service selection

Let's leave the entropy setting as it is. If you wish to learn more about it, the kitploit page offers a document.

Select the region. I selected only one, but you can select as many as you wish.

Region selection

And... we're done!

Moment of truth

Part of the output

So, as you can see, a lot is there. And you can notice that the tool scanned not only the environment variables but the code as well. I have mixed feelings about this specific feature, though. Searching for secrets is good, anyway.

Output of the process is stored in the output directory. It is nicely organized and packed as a zip.

Conclusion

I really like the tool. Good work from Sebastian Mora. This code is two years old, but it ages well :) It can be used easily.

My conclusion from a DevOps perspective is somewhat ambiguous. As I said, I like the tool. I see it as a powerful enhancement for CI/CD pipelines. If I find the time, I'll try to make it usable there.

However, the need for manual selection (I didn't check the code inside, though) makes it unusable for automation. Also, the output needs to be reworked to print only valuable information. In my case, there were no secrets, no sensitive data in environment variables. But the output was unexpectedly rich.

And lastly, the exit code must be set for proper handling in automation.

But yes, I know that this tool was created not for being part of CI/CD.
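The three automation gaps just listed (no interactive prompts, only findings in the output, a meaningful exit code) are easy to satisfy in a small purpose-built scanner, and the entropy setting mentioned during the run is the same Shannon-entropy idea. The following added example (mine, not AWS-Loot's code and not part of the original post) lists every Lambda function in one region through boto3's real `list_functions` paginator, flags variables by key name and by entropy, redacts the values, prints only the findings as JSON, and exits 1 when there is anything to look at. The key-name pattern, length and entropy thresholds, and the CLI arguments are assumptions chosen for this example.

```python
"""
Added example, not part of the original post or of AWS-Loot: a non-interactive
scanner for suspicious Lambda environment variables that is usable from CI.
Assumptions: boto3 is installed and the given profile can call lambda:ListFunctions
(only needed when run against AWS; the scanning logic itself is offline).
"""
import json
import math
import re
import sys
from collections import Counter

# Key names that usually carry credentials (heuristic list built for this example).
SUSPICIOUS_KEY = re.compile(r"(secret|passw(or)?d|token|api[_-]?key|private[_-]?key)", re.I)
# Values at least this long with at least this many bits of entropy per character
# look like generated keys rather than names, regions or log levels.
MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for an empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def scan_env(function_name: str, env: dict) -> list:
    """Return findings for one function's environment; values are redacted to 4 chars."""
    findings = []
    for key, value in env.items():
        reasons = []
        if SUSPICIOUS_KEY.search(key):
            reasons.append("suspicious key name")
        ent = shannon_entropy(value)
        if len(value) >= MIN_LEN and ent >= ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({ent:.2f} bits/char)")
        if reasons:
            findings.append({"function": function_name, "key": key,
                             "value_preview": value[:4] + "...", "reasons": reasons})
    return findings


def scan_account(list_functions) -> list:
    """Scan every function dict yielded by `list_functions()`; decoupled from boto3 for tests."""
    findings = []
    for fn in list_functions():
        env = fn.get("Environment", {}).get("Variables", {})
        findings.extend(scan_env(fn["FunctionName"], env))
    return findings


def boto3_functions(profile: str, region: str):
    """Yield Lambda function configurations from AWS (needs boto3 and credentials)."""
    import boto3  # lazy import so the module loads without boto3 installed
    session = boto3.session.Session(profile_name=profile, region_name=region)
    paginator = session.client("lambda").get_paginator("list_functions")
    for page in paginator.paginate():
        yield from page["Functions"]


def main(argv) -> int:
    """CLI entry point: returns 0 when clean, 1 when findings exist, 2 on bad usage."""
    if len(argv) != 3:
        print(f"usage: {argv[0]} <profile> <region>", file=sys.stderr)
        return 2
    findings = scan_account(lambda: boto3_functions(argv[1], argv[2]))
    print(json.dumps(findings, indent=2))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `./lambda_env_scan.py myprofile eu-west-1` from a pipeline step; the non-zero exit code fails the job, and the redacted preview keeps the pipeline log from becoming a second place where the secret leaks. Expect some false positives from high-entropy but harmless values (random-looking bucket names, for instance); tune `MIN_LEN` and `ENTROPY_THRESHOLD` for your account rather than silencing the check.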

Take a look at AWSLoot. It may help you make your work more secure.

And how to secure your Lambda? Ha! Search for the answer in another of my articles!
