Paweł Piwosz
Posted on February 10, 2022
I was reading my LinkedIn wall when I saw a post from one of my friends about something scary. The scariest part was seeing how easily one can "steal" sensitive information from AWS Lambda environment variables.
It was like "WOOOOW...". But the next thought was: "Wait, really? People are doing this?". And then I realised how little effort we put into the proper design and architecture of our solutions. So, let me ask you this: Do you store sensitive data or credentials for containers in environment variables? Even in AWS ECS? Do you store credentials in environment variables for AWS Lambda? If the answer is "yes", please rethink your approach.
To be clear, the utility I am talking about has some prerequisites. You need access to the AWS environment, i.e. valid credentials. Well, yes, this makes it not a hacker tool but, let's say, a security tool, a DevSecOps tool if you wish. But there are other tools which were not created for tests ;P
So, what we will do is play a little with AWS-Loot. You can find more about it in the project's GitHub repository (sebastian-mora/AWS-Loot).
Installation
Installation is very simple. It is a Python package, so the best option is to have it in a virtualenv (or, even better, in a dedicated container), but here we will go wild.
First, we need to clone the repo:
git clone git@github.com:sebastian-mora/AWS-Loot.git
Ok. Navigate to the cloned repo and simply run
pip install -r requirements.txt
or, like in my case, pip3. But you already know the stuff.
Obviously, our nasty hacking soul needs... credentials. Make sure you have them in the .aws folder.
After installation we should have a file awsloot.py.
What can be scanned
The tool can scan three services at this moment.
- EC2 UserData
- CodeBuild
- Lambda (all versions)
I am sure there will be more; the design of this tool is clear, clean and easy to extend with more functions.
Execution
Let's run it then!
./awsloot.py
Pass the profile name. Even if you have only the default one, you need to give this name.
Select the service; in our case we are curious about Lambdas. Navigate with the arrow keys and select with space. More than one can be selected.
Let's leave the entropy setting as it is. If you wish to learn more about it, the KitPloit page offers a document.
Select the Region. I selected only one, but you can select as many as you wish.
And... we are done!
Moment of truth
So, as you can see, a lot is there. And you can notice that the tool scanned not only the environment variables but the code as well. I have mixed feelings about this specific feature, though. Searching for secrets is good, anyway.
Output of the process is stored in the output directory. It is nicely organized and packed as a zip.
Conclusion
I really like the tool. Good work from Sebastian Mora. This code is two years old, but it ages well :) It can be used easily.
My conclusion from a DevOps perspective is somewhat ambiguous. As I said, I like the tool. I see it as a powerful enhancement for CI/CD pipelines. If I find the time, I'll try to make it usable there.
However, the need for manual selection (I didn't check the code inside, though) makes it useless for automation. Also, the output needs to be reworked to print only valuable information. In my case, there were no secrets and no sensitive data in environment variables, but the output was unexpectedly rich.
And lastly, the exit code must be set for proper handling in automation.
But yes, I know that this tool was not created to be part of CI/CD.
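To make the entropy setting from the walkthrough concrete, and to show what the three automation gaps above (no prompts, compact output, an exit code) look like when closed, here is an added example in Python. It is not AWS-Loot's code. It walks Lambda configurations in the shape boto3's list_functions() returns, scores every environment variable value with Shannon entropy, and applies two thresholds that are this example's own assumption (3.0 bits/char for hex-only values, which can never exceed 4.0, and 4.5 for everything else). The sample function data is constructed; the function, variable and file names are mine, not the tool's.

```python
"""Unattended scan of Lambda environment variables for high-entropy values.

Added example, not code from AWS-Loot. It keeps the tool's core idea
(Shannon entropy over variable values) but runs without prompts, prints only
function and variable names, and returns exit code 1 when anything is found,
so a pipeline step can fail on it. The data below is constructed in the shape
returned by boto3's lambda list_functions(); real scanning needs boto3 and
AWS credentials.
"""
import math
import sys
from collections import Counter

# Thresholds are this example's assumption (AWS-Loot has its own setting):
# a hex-only value can never exceed 4.0 bits/char, so it gets a lower bar.
HEX_THRESHOLD = 3.0
GENERAL_THRESHOLD = 4.5
MIN_LENGTH = 16  # shorter values (stage names, log levels) are skipped
HEX_CHARS = set("0123456789abcdefABCDEF")

# Constructed sample: trimmed entries as found in list_functions()["Functions"].
SAMPLE_FUNCTIONS = [
    {
        "FunctionName": "orders-api",
        "Environment": {"Variables": {
            "LOG_LEVEL": "info",
            "DB_HOST": "orders-db.example.internal",
            "DB_PASSWORD": "Q7v!pR2zK9mX4bL8wT3nH6yJ#cF5",  # constructed secret
        }},
    },
    {
        "FunctionName": "nightly-report",
        "Environment": {"Variables": {
            "STAGE": "prod",
            "API_TOKEN": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",  # constructed hex token
        }},
    },
    {"FunctionName": "healthcheck"},  # no Environment block at all
]


def shannon_entropy(value: str) -> float:
    """Bits per character of value; 0.0 for an empty string."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def is_hex(value: str) -> bool:
    """True when every character is a hex digit (typical for API keys, hashes)."""
    return bool(value) and all(ch in HEX_CHARS for ch in value)


def scan_functions(functions):
    """Return [(function_name, variable_name, entropy)] for suspicious values."""
    findings = []
    for fn in functions:
        variables = fn.get("Environment", {}).get("Variables", {})
        for name, value in variables.items():
            if len(value) < MIN_LENGTH:
                continue
            threshold = HEX_THRESHOLD if is_hex(value) else GENERAL_THRESHOLD
            entropy = shannon_entropy(value)
            if entropy >= threshold:
                findings.append((fn["FunctionName"], name, round(entropy, 2)))
    return findings


def list_lambda_functions(profile, region):
    """Fetch every function configuration from a real account (needs boto3)."""
    import boto3  # imported lazily so the offline demo needs no AWS SDK
    client = boto3.Session(profile_name=profile, region_name=region).client("lambda")
    functions = []
    for page in client.get_paginator("list_functions").paginate():
        functions.extend(page["Functions"])
    return functions


def main(argv):
    # usage: python scan_lambda_env.py <profile> <region>; no args = offline demo
    if len(argv) == 3:
        functions = list_lambda_functions(profile=argv[1], region=argv[2])
    else:
        functions = SAMPLE_FUNCTIONS
    findings = scan_functions(functions)
    for fn_name, var_name, entropy in findings:
        # Name and score only: never echo the value itself into build logs.
        print(f"{fn_name}: {var_name} looks like a secret ({entropy} bits/char)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things worth noticing. First, the list call alone returns the variable values in plaintext to anyone allowed to call it; that is exactly why the post's warning holds. Second, the hostname in the sample scores about 3.8 bits/char, which is why a single flat threshold tends to produce the "unexpectedly rich" output mentioned above; splitting the bar by character set keeps the hostname quiet while still catching a 32-character hex token that sits at exactly 4.0.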
Take a look at AWS-Loot. It may help you to make your work more secure.
And how to secure your Lambda? Ha! Search for the answer in another article of mine!