
s3tk: A Security Audit Toolkit for Amazon S3

freebuf 2020-01-15

Source: Alpha_h4ck

s3tk is a security audit toolkit for Amazon S3. Security researchers can use it to test the security posture of their Amazon S3 buckets.

Installation

Install s3tk with pip:

pip install s3tk

Configure your AWS credentials with the AWS CLI:

pip install awscli

aws configure

Commands

Scan

The scan checks the following bucket settings:

1. Public ACLs

2. Public policies

3. Public access blocked

4. Logging enabled

5. Versioning enabled

6. Default encryption enabled

s3tk scan

Run the scan on specific buckets only:

s3tk scan my-bucket my-bucket-2

Wildcards are supported:

s3tk scan "my-bucket*"

Skip the logging, versioning and default encryption checks:

s3tk scan --skip-logging --skip-versioning --skip-default-encryption

Get email notifications (via SNS):

s3tk scan --sns-topic arn:aws:sns:...
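The six scan checks above map directly onto the bucket configuration that the S3 API returns. The following added example (not code from the page or from the s3tk project) evaluates each check over dicts shaped like the boto3 responses for get_bucket_acl, get_bucket_policy, get_bucket_public_access_block, get_bucket_logging, get_bucket_versioning and get_bucket_encryption. It goes slightly beyond the page in that the ACL check is written to work on object ACLs too, which is what scan-object-acl needs. The sample bucket, its account id and owner id are constructed; no AWS calls are made.

```python
import json

# Grantee group URIs that make an ACL grant "public": anyone on the internet,
# or anyone who holds any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """Policy documents allow a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_is_public(acl):
    """True if any grant targets AllUsers or AuthenticatedUsers. get_bucket_acl and
    get_object_acl return the same shape, so this serves the bucket scan and scan-object-acl."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def policy_is_public(policy):
    """True if an Allow statement names Principal "*" (or {"AWS": "*"}) with no Condition.
    Accepts the JSON string boto3 returns, a parsed dict, or None (no policy attached)."""
    if policy is None:
        return False
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            return True
    return False


def public_access_blocked(config):
    """Only count the bucket as blocked when all four flags are on."""
    return all(config.get(flag) is True for flag in PUBLIC_ACCESS_BLOCK_FLAGS)


def logging_enabled(logging_config):
    return "LoggingEnabled" in logging_config


def versioning_enabled(versioning):
    # No Status key means versioning was never enabled; "Suspended" means it was turned
    # off again. Only "Enabled" passes.
    return versioning.get("Status") == "Enabled"


def default_encryption_enabled(encryption):
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


def scan_bucket(bucket):
    """Evaluate the six checks; True means the check passes."""
    return {
        "no_public_acl": not acl_is_public(bucket["acl"]),
        "no_public_policy": not policy_is_public(bucket.get("policy")),
        "public_access_blocked": public_access_blocked(bucket["public_access_block"]),
        "logging_enabled": logging_enabled(bucket["logging"]),
        "versioning_enabled": versioning_enabled(bucket["versioning"]),
        "default_encryption": default_encryption_enabled(bucket["encryption"]),
    }


def failed_checks(bucket):
    return sorted(name for name, ok in scan_bucket(bucket).items() if not ok)


# Constructed sample shaped like the boto3 responses for one bucket: a public-read ACL
# grant, a policy limited to one (made-up) account, an incomplete public access block,
# logging on, versioning suspended, default encryption on.
SAMPLE_BUCKET = {
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}),
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "logging": {"LoggingEnabled": {"TargetBucket": "my-s3-logs", "TargetPrefix": "my-bucket/"}},
    "versioning": {"Status": "Suspended"},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
}

if __name__ == "__main__":
    for name, ok in scan_bucket(SAMPLE_BUCKET).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The public access block check deliberately requires all four flags: a bucket with only BlockPublicAcls set still accepts a public bucket policy, so a partial configuration is reported as a failure rather than a pass.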

List Policy

List bucket policies:

s3tk list-policy

Run on specific buckets only:

s3tk list-policy my-bucket my-bucket-2

Show names:

s3tk list-policy --named

Set a policy:

s3tk set-policy my-bucket --no-object-acl

Delete a policy:

s3tk delete-policy my-bucket

Block public access:

s3tk block-public-access my-bucket my-bucket-2

Enable Default Encryption

Enable default encryption on all buckets:

s3tk enable-default-encryption

Enable it on specific buckets only:

s3tk enable-default-encryption my-bucket my-bucket-2

Scan Object ACLs

Scan the ACL of every object in a bucket:

s3tk scan-object-acl my-bucket

Scan specific objects only:

s3tk scan-object-acl my-bucket --only "*.pdf"

Exclude specific objects:

s3tk scan-object-acl my-bucket --except "*.jpg"

Scan DNS

s3tk scan-dns

Credentials

Credentials can be set in ~/.aws/credentials or in environment variables. To use a specific profile, run:

AWS_PROFILE=your-profile s3tk

IAM Policies

The permissions each command requires are listed below; grant only the statements for the commands you actually use:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Scan",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ScanDNS",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ListPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SetPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeletePolicy",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteBucketPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "BlockPublicAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:PutBucketPublicAccessBlock"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EnableLogging",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:PutBucketLogging"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EnableVersioning",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:PutBucketVersioning"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EnableDefaultEncryption",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:PutEncryptionConfiguration"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResetObjectAcl",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Sid": "Encrypt",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Sid": "DeleteUnencryptedVersions",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketVersions",
                "s3:GetObjectVersion",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}
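The policy above is organised one statement per command so that an auditing identity can be given only the statements it needs. The following added example (not from the page or the s3tk project) carves a minimal policy out of it for a chosen set of commands and then reports which of the granted actions can change the account, so a read-only scanning role can be verified to contain no Put or Delete permissions. It embeds four of the page's statements as sample input; the mapping from sub-command name to Sid is an assumption inferred from the Sid names.

```python
import json

# Excerpt (four statements) of the IAM policy shown on this page, used as sample input.
# The full document from the page can be fed in the same way.
FULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Scan", "Effect": "Allow", "Resource": "*", "Action": [
            "s3:ListAllMyBuckets", "s3:GetBucketAcl", "s3:GetBucketPolicy",
            "s3:GetBucketPublicAccessBlock", "s3:GetBucketLogging",
            "s3:GetBucketVersioning", "s3:GetEncryptionConfiguration"]},
        {"Sid": "ListPolicy", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketPolicy"]},
        {"Sid": "SetPolicy", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:PutBucketPolicy"]},
        {"Sid": "BlockPublicAccess", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:ListAllMyBuckets", "s3:PutBucketPublicAccessBlock"]},
    ],
}

# Assumed mapping from s3tk sub-command to the Sid covering it. It is inferred from the
# Sid names in the page's policy; the tool itself does not publish such a table.
COMMAND_SIDS = {
    "scan": "Scan",
    "scan-dns": "ScanDNS",
    "list-policy": "ListPolicy",
    "set-policy": "SetPolicy",
    "delete-policy": "DeletePolicy",
    "block-public-access": "BlockPublicAccess",
    "enable-default-encryption": "EnableDefaultEncryption",
}

# Action prefixes that only read configuration; everything else modifies the account.
READ_ONLY_PREFIXES = ("s3:Get", "s3:List", "route53:List")


def minimal_policy(full_policy, commands):
    """Keep only the statements needed for `commands`. A missing Sid raises instead of
    silently producing a policy that lacks a permission the command needs."""
    wanted = {COMMAND_SIDS[command] for command in commands}
    present = {stmt.get("Sid") for stmt in full_policy["Statement"]}
    missing = wanted - present
    if missing:
        raise KeyError(f"policy has no statement for: {sorted(missing)}")
    return {
        "Version": full_policy["Version"],
        "Statement": [s for s in full_policy["Statement"] if s.get("Sid") in wanted],
    }


def granted_actions(policy):
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            action = stmt.get("Action", [])
            actions.update(action if isinstance(action, list) else [action])
    return actions


def mutating_actions(policy):
    """Allowed actions that are not plain Get/List reads, sorted for stable reporting."""
    return sorted(a for a in granted_actions(policy) if not a.startswith(READ_ONLY_PREFIXES))


def is_read_only(policy):
    return not mutating_actions(policy)


if __name__ == "__main__":
    audit_policy = minimal_policy(FULL_POLICY, ["scan", "list-policy"])
    print(json.dumps(audit_policy, indent=2))
    print("read-only:", is_read_only(audit_policy))
    print("mutating actions for a fixer role:",
          mutating_actions(minimal_policy(FULL_POLICY, ["scan", "block-public-access"])))
```

Separating the read-only audit role from the role that is allowed to fix findings keeps a compromised scanner credential from being able to rewrite bucket policies or public access blocks.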

Access Logs

Amazon Athena is well suited to querying S3 access logs. Create the following table:

CREATE EXTERNAL TABLE my_bucket (
    bucket_owner string,
    bucket string,
    time string,
    remote_ip string,
    requester string,
    request_id string,
    operation string,
    key string,
    request_verb string,
    request_url string,
    request_proto string,
    status_code string,
    error_code string,
    bytes_sent string,
    object_size string,
    total_time string,
    turn_around_time string,
    referrer string,
    user_agent string,
    version_id string
)
ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe'
WITH SERDEPROPERTIES (
    'serialization.format' = '1',
    'input.regex' = '([^ ]*) ([^ ]*) \\[(.*?)\\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) \\\"([^ ]*) ([^ ]*) (- |[^ ]*)\\\" (-|[0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) (\"[^\"]*\\") ([^ ]*)$'
)
LOCATION 's3://my-s3-logs/my-bucket/';

Change the last line to point to your log bucket, then query, for example for anonymous requests that succeeded:

SELECT
    date_parse(time, '%d/%b/%Y:%H:%i:%S +0000') AS time,
    request_url,
    remote_ip,
    user_agent
FROM
    my_bucket
WHERE
    requester = '-'
    AND status_code LIKE '2%'
    AND request_url LIKE '/some-keys%'
ORDER BY 1
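The Athena query above answers a concrete question: which objects under a prefix were fetched successfully without any credentials (requester '-'), which is exactly the traffic a public ACL or policy lets through. The following added example (not from the page or the s3tk project) applies the same regular expression as the table definition to raw log lines in Python and runs the same filter, which is useful for a quick look at a downloaded log file before Athena is set up. The four log lines, the bucket owner id and the request ids are constructed and use the older 20-field access log layout that the regex expects.

```python
import re
from datetime import datetime

# Same pattern as the Athena table's input.regex, with the Hive string escaping removed.
ACCESS_LOG_RE = re.compile(
    r'([^ ]*) ([^ ]*) \[(.*?)\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) '
    r'"([^ ]*) ([^ ]*) (- |[^ ]*)" (-|[0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) '
    r'([^ ]*) ([^ ]*) ("[^"]*") ([^ ]*)$'
)

# Column names in the order of the table definition (one per capture group).
COLUMNS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_verb", "request_url", "request_proto", "status_code",
    "error_code", "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referrer", "user_agent", "version_id",
)


def parse_line(line):
    """Return one record as a dict, or None if the line does not fit the log format."""
    match = ACCESS_LOG_RE.match(line.strip())
    if not match:
        return None
    record = dict(zip(COLUMNS, match.groups()))
    # Same conversion as date_parse(time, '%d/%b/%Y:%H:%i:%S +0000') in the query.
    record["time"] = datetime.strptime(record["time"], "%d/%b/%Y:%H:%M:%S %z")
    return record


def anonymous_successes(lines, url_prefix="/some-keys"):
    """Mirror of the WHERE clause: unauthenticated requester, 2xx status, URL under prefix."""
    records = (parse_line(line) for line in lines if line.strip())
    hits = [
        r for r in records
        if r is not None
        and r["requester"] == "-"
        and r["status_code"].startswith("2")
        and r["request_url"].startswith(url_prefix)
    ]
    return sorted(hits, key=lambda r: r["time"])


# Constructed sample log: an anonymous successful GET, an authenticated PUT, an anonymous
# request that was denied, and an anonymous successful GET outside the prefix.
OWNER = "3fc1a2b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f70"
SAMPLE_LOG = "\n".join([
    f'{OWNER} my-bucket [15/Jan/2020:10:02:11 +0000] 198.51.100.7 - 3E57427F33A59F07 '
    f'REST.GET.OBJECT some-keys/report.pdf "GET /some-keys/report.pdf HTTP/1.1" 200 - '
    f'48213 48213 37 12 "-" "Mozilla/5.0" -',
    f'{OWNER} my-bucket [15/Jan/2020:10:02:45 +0000] 203.0.113.9 {OWNER} 7B2C0D1E2F3A4B5C '
    f'REST.PUT.OBJECT some-keys/new.csv "PUT /some-keys/new.csv HTTP/1.1" 200 - - 1024 '
    f'19 4 "-" "aws-cli/1.16.300" -',
    f'{OWNER} my-bucket [15/Jan/2020:10:03:02 +0000] 198.51.100.7 - 9A8B7C6D5E4F3A2B '
    f'REST.GET.OBJECT some-keys/secret.txt "GET /some-keys/secret.txt HTTP/1.1" 403 '
    f'AccessDenied 243 - 5 - "-" "curl/7.64.1" -',
    f'{OWNER} my-bucket [15/Jan/2020:10:03:30 +0000] 192.0.2.55 - 1C2D3E4F5A6B7C8D '
    f'REST.GET.OBJECT public/index.html "GET /public/index.html HTTP/1.1" 200 - 512 512 '
    f'9 3 "-" "Mozilla/5.0 (X11; Linux x86_64)" -',
])

if __name__ == "__main__":
    for hit in anonymous_successes(SAMPLE_LOG.splitlines()):
        print(hit["time"].isoformat(), hit["remote_ip"], hit["request_url"], hit["user_agent"])
```

A denied anonymous request (403 AccessDenied) is deliberately excluded by the status filter, the same way the Athena query excludes it: it shows someone probing, but it does not show data leaving the bucket.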

CloudTrail Logs

Amazon Athena can also query CloudTrail logs. Create a table:

CREATE EXTERNAL TABLE cloudtrail_logs (
    eventversion STRING,
    userIdentity STRUCT<
        type:STRING,
        principalid:STRING,
        arn:STRING,
        accountid:STRING,
        invokedby:STRING,
        accesskeyid:STRING,
        userName:String,
        sessioncontext:STRUCT<
            attributes:STRUCT<
                mfaauthenticated:STRING,
                creationdate:STRING>,
            sessionIssuer:STRUCT<
                type:STRING,
                principalId:STRING,
                arn:STRING,
                accountId:STRING,
                userName:STRING>>>,
    eventTime STRING,
    eventSource STRING,
    eventName STRING,
    awsRegion STRING,
    sourceIpAddress STRING,
    userAgent STRING,
    errorCode STRING,
    errorMessage STRING,
    requestId STRING,
    eventId STRING,
    resources ARRAY<STRUCT<
        ARN:STRING,
        accountId:STRING,
        type:STRING>>,
    eventType STRING,
    apiVersion STRING,
    readOnly BOOLEAN,
    recipientAccountId STRING,
    sharedEventID STRING,
    vpcEndpointId STRING,
    requestParameters STRING,
    responseElements STRING,
    additionalEventData STRING,
    serviceEventDetails STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://my-cloudtrail-logs/'

Change the last line to point to your CloudTrail log bucket, then query, for example for every bucket-level API call:

SELECT
    eventTime,
    eventName,
    userIdentity.userName,
    requestParameters
FROM
    cloudtrail_logs
WHERE
    eventName LIKE '%Bucket%'
ORDER BY 1

Bucket Policies

Example bucket policy that denies every principal the ability to change object ACLs in the bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObjectAcl",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}
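When a policy like the one above is rolled out, the thing worth verifying is that the Deny actually covers the action and resources in question; a typo in the ARN or an unintended Condition leaves the door open while the policy looks correct. The following added example (not from the page or the s3tk project) is a small checker for that: it looks for an unconditional explicit Deny that matches a given action and resource ARN, using IAM-style wildcard matching. The policy embedded as sample input is the one from the page; the object keys are constructed.

```python
import fnmatch
import json


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Normalise Principal ("*", {"AWS": ...}, or a list) to a list of strings."""
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def _matches(value, patterns):
    # IAM action names are case-insensitive and use * and ? as wildcards; ARNs use the same
    # wildcards but are case-sensitive. fnmatchcase implements both once we lower-case actions.
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in patterns)


def policy_denies(policy, action, resource_arn, principal="*"):
    """True if an explicit, unconditional Deny in `policy` covers `action` on `resource_arn`
    for `principal` (or for everyone). Conditional Denies are ignored on purpose: they only
    apply when the condition holds, so they cannot be counted on as a blanket guarantee."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or stmt.get("Condition"):
            continue
        principals = _principals(stmt.get("Principal"))
        if "*" not in principals and principal not in principals:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if _matches(action.lower(), actions) and _matches(resource_arn, resources):
            return True
    return False


# The bucket policy shown on the page.
NO_OBJECT_ACL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObjectAcl",
            "Resource": "arn:aws:s3:::my-bucket/*",
        }
    ],
}

if __name__ == "__main__":
    for arn in ("arn:aws:s3:::my-bucket/reports/q1.pdf", "arn:aws:s3:::other-bucket/q1.pdf"):
        print(arn, "PutObjectAcl denied:", policy_denies(NO_OBJECT_ACL_POLICY, "s3:PutObjectAcl", arn))
```

Because an explicit Deny wins over any Allow in IAM evaluation, a True result here means no identity, including the bucket owner, can make an individual object public through its ACL while this statement is attached.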

Updating

Run:

pip install s3tk --upgrade

To use the master branch, run:

pip install git+https://github.com/ankane/s3tk.git --upgrade

Docker

Run:

docker run -it ankane/s3tk aws configure

Commit your credentials into an image:

docker commit $(docker ps -l -q) my-s3tk

Then run:

docker run -it my-s3tk s3tk scan

Screenshots (the image is not reproduced in this copy)

Project

s3tk: https://github.com/ankane/s3tk

* Source: ankane; compiled by FreeBuf editor Alpha_h4ck. Please credit FreeBuf.COM when reprinting.
