It looks like I am creating a "mini series" about security tools :) I am not a fan of the DevSecOps term; I believe that security is an integral part of the DevOps framework. Anyway, this tool, Cloudsploit, is a DevSecOps tool which you should consider your friend.
Prerequisites
The tool needs Node.js. Well, nobody's perfect ;P If you do not have Node on your platform, follow the instructions here.
Here we will go with Node 17.x, which is the newest at the moment, on an Ubuntu machine (a Vagrant box, if you are curious).
To install Node.js, we need to run... two commands:
curl -fsSL https://deb.nodesource.com/setup_17.x | sudo -E bash -
to download and prepare the system for the Node.js installation. Obviously, this one-liner runs some "unknown" script; if you are worried about it, download it with wget and check the script first.
And the actual installation of Node.js:
sudo apt-get install -y nodejs
Confirm your installation with:
node --version
AWS Linux 2
For AWS Linux there are instructions on the AWS page. The process is extremely simple:
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh | bash
. ~/.nvm/nvm.sh
nvm install node
And that's it.
Installation
Installation is quite easy; the first step is to clone the repo.
git clone https://github.com/aquasecurity/cloudsploit.git
Obviously, we need to navigate to the cloudsploit directory and run
npm install
It will take some time.
Nah, it is not that bad :) Ok, done!
Docker
Yep, the very cool thing is that we can run Cloudsploit as a Docker container!
First run
First things first. Aqua, in their documentation, missed one thing. They say:
$ npm install
$ ./index.js -h
Obviously, you need to do this first:
chmod +x index.js
And then execute it as
./index.js -h
Or run it with node
node index.js -h
I put it here just for people who are new to Linux.
Cloud credentials
Cloudsploit can scan a few providers. I focus on AWS (what a surprise ;) ). Aqua recommends using read-only permissions (and they know what they are saying: they are a security company!).
So, I used their tutorial and created an IAM policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:DescribeActiveReceiptRuleSet",
                "athena:GetWorkGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "elastictranscoder:ListPipelines",
                "elasticfilesystem:DescribeFileSystems",
                "servicequotas:ListServiceQuotas"
            ],
            "Resource": "*"
        }
    ]
}
which I attached to an IAM group. In the end I created an IAM user, which becomes a member of this group. Easy. After that, using
aws configure --profile Cloudsploit
I configured these credentials for my CLI.
The IAM policy itself gives us great visibility into what is scanned by Cloudsploit.
First scan
Now I am ready to run my first scan.
And here is my first question, which I haven't answered yet (I didn't look into it, though). When your credentials file (the standard one, in the .aws folder) contains more than one profile, it seems that default is used. Therefore, the best option at this moment is to move your newly created credentials for Cloudsploit to the config.js file, which is described by Aqua. Please remember that the syntax of the config file is different from the AWS CLI's. Cloudsploit is quite sensitive about the proper path, etc.
So, I executed
./index.js --config ./config.js --cloud aws
I observed a very high impact on my home network and, what was worse, the scan did not finish for a long time (I tried to use Vagrant, as I said, but... it wasn't a good idea), so I decided to move the execution to AWS EC2.
The execution was quick. The output is very rich. There is a lot of information and the format of the output is great. Well, in my first run some columns were hard to read. But it is a minor drawback considering how much info I get.
The first check of the output reveals that with the proposed IAM policy Cloudsploit doesn't have access to everything it scans. But that is a minor issue and can be fixed in a minute or two.
What I miss, though, is the possibility to run the scan for a specific AWS region. Also, the use of profiles (in the case of AWS) would be very useful. There is an open issue for that, and Aqua explained it will not be easy for them to implement.
I executed Cloudsploit again, but this time with a modified IAM policy (I just added a few things there):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:DescribeActiveReceiptRuleSet",
                "athena:GetWorkGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "elastictranscoder:ListPipelines",
                "elasticfilesystem:DescribeFileSystems",
                "servicequotas:ListServiceQuotas",
                "sns:ListTopics",
                "sagemaker:ListNotebookInstances",
                "ses:ListIdentities",
                "ssm:DescribeParameters",
                "ssm:DescribeInstanceInformation",
                "ssm:GetServiceSetting",
                "lambda:ListFunctions",
                "rds:DescribeDBClusters",
                "cloudtrail:DescribeTrails",
                "kms:ListKeys",
                "secretsmanager:ListSecrets",
                "xray:GetEncryptionConfig",
                "codebuild:ListProjects",
                "codepipeline:ListPipelines"
            ],
            "Resource": "*"
        }
    ]
}
Let's take a look at part of the output; I am particularly interested in the Lambda ones:
There are some OK (good) and UNKNOWN. This means that Cloudsploit cannot access these resources for some reason. What about fails? Yep, I have a few for Lambda:
But... these might be false positives! Well, as usual, these scanners need to be adjusted for the case; it is not a mystery, I believe. Anyway, my opinion here: AWS Lambda was designed not to run in a VPC. Therefore I prefer not to see this specific entry as Fail, but Warning at the highest level. Info could be the best.
Configure output
So, we have this table, but it is not very useful for CI/CD. Can we make it useful?
YES!
Let's go through a few elements of it.
Output again
This time I executed Cloudsploit with these arguments:
./index.js --config ./config.js --cloud aws --csv report.csv --console none
What I see on the screen is this:
INFO: Using CloudSploit config file: ./config.js
INFO: Skipping AWS pagination mode
INFO: Determining API calls to make...
INFO: Found 275 API calls to make for aws plugins
INFO: Collecting metadata. This may take several minutes...
[INFO][REGIONS] Could not load all regions from EC2: {"message":"Missing region in config","code":"ConfigError","time":"2022-02-13T12:48:56.566Z"}
INFO: Metadata collection complete. Analyzing...
INFO: Analysis complete. Scan report to follow...
Plugin Web-Tier Auto Scaling Group Associated ELB returned no results. There may be a problem with this plugin.
Plugin App-Tier ASG Launch Configurations Approved AMIs returned no results. There may be a problem with this plugin.
...
Plugin CodeBuild Valid Source Providers returned no results. There may be a problem with this plugin.
Plugin CodeStar Valid Repository Providers returned no results. There may be a problem with this plugin.
INFO: CSV file written to report.csv
INFO: Console output suppressed because "console" setting was "none"
INFO: Scan complete
Great, no output on screen. And I have my output in the file:
[ec2-user@ip-172-31-18-42 cloudsploit]$ head scan.csv
category,title,description,resource,region,statusWord,message
IAM,Access Analyzer Enabled,Ensure that IAM Access analyzer is enabled for all regions.,N/A,us-east-1,UNKNOWN,Unable to list Access Analyzers: User: arn:aws:iam::1234567890:user/CloudSploitUser is not authorized to perform: access-analyzer:ListAnalyzers on resource: arn:aws:access-analyzer:us-east-1:1234567890:*
This is just a fragment; all the output is in the file.
But wait, better is coming :)
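The UNKNOWN rows carry the exact action that the read-only policy is missing, so the "minute or two" fix can be scripted. The following is an added example, not code from the post or from the CloudSploit project: it pulls every "is not authorized to perform: service:Action" from a report in the CSV layout shown above, keeps only read-only verbs (Describe/Get/List) so the scanning user cannot quietly gain write permissions, and emits a statement in the same shape as the policies above. The sample CSV, the account id and the second plugin's rows are constructed for the demo.

```shell
#!/bin/sh
# Added example (not CloudSploit's own code): derive the IAM actions that a
# CloudSploit CSV report says were denied, vet them as read-only, and print
# an IAM statement to merge into the scanning policy.

# Constructed sample in the CSV layout shown above (fake account id; the
# EC2 rows and the Lambda row are made up for the demo).
SAMPLE_CSV='category,title,description,resource,region,statusWord,message
IAM,Access Analyzer Enabled,Ensure that IAM Access analyzer is enabled for all regions.,N/A,us-east-1,UNKNOWN,Unable to list Access Analyzers: User: arn:aws:iam::123456789012:user/CloudSploitUser is not authorized to perform: access-analyzer:ListAnalyzers on resource: arn:aws:access-analyzer:us-east-1:123456789012:*
Lambda,Lambda Placeholder Check,Constructed Lambda plugin row.,arn:aws:lambda:us-east-1:123456789012:function:demo,us-east-1,FAIL,Function is not in a VPC
EC2,Instance Placeholder Check,Constructed EC2 plugin row.,N/A,eu-west-1,UNKNOWN,Unable to query for instances: User: arn:aws:iam::123456789012:user/CloudSploitUser is not authorized to perform: ec2:DescribeInstances on resource: *
EC2,Instance Placeholder Check,Constructed EC2 plugin row.,N/A,us-east-1,UNKNOWN,Unable to query for instances: User: arn:aws:iam::123456789012:user/CloudSploitUser is not authorized to perform: ec2:DescribeInstances on resource: *'

# Print each denied "service:Action" once, sorted. We match the message text
# instead of splitting on commas, because the message column may contain commas.
denied_actions() {
    printf '%s\n' "$1" \
      | grep -o 'not authorized to perform: [a-z0-9-]*:[A-Za-z0-9]*' \
      | sed 's/.*: //' \
      | sort -u
}

# Accept only verbs that cannot change state; anything else is rejected.
is_read_only() {
    case "${1#*:}" in
        Describe*|Get*|List*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit an Allow statement with the vetted actions, in the shape of the policy
# above; refuse (return 1) if a denied action is not read-only, so a plugin
# asking for a write permission never lands in the scanner's policy unnoticed.
policy_statement() {
    actions=""
    for a in $(denied_actions "$1"); do
        is_read_only "$a" || { echo "refusing non read-only action: $a" >&2; return 1; }
        actions="${actions:+$actions,}\"$a\""
    done
    printf '{"Effect":"Allow","Action":[%s],"Resource":"*"}\n' "$actions"
}

policy_statement "$SAMPLE_CSV"
```

Run it against a real report with `policy_statement "$(cat report.csv)"` and merge the printed statement into the policy; the grep pattern only covers the "not authorized to perform" wording seen above, so messages in another shape are ignored rather than guessed at.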
junit format
Yeah, we can export the output to JUnit format!
./index.js --config ./config.js --cloud aws --junit report.xml --console none
With --junit <file> I created the export file. It is also possible to use --csv and --json.
--console none is very useful when we don't need output "on screen".
Exit code
A very important element of each CI/CD pipeline is the possibility to fail the pipeline. Is there a possibility to "natively" fail Cloudsploit? Well, there is!
./index.js --config ./config.js --cloud aws --junit report.xml --console none --exit-code
And I received:
INFO: Exiting with exit code: 3
INFO: Scan complete
[ec2-user@ip-172-31-18-42 cloudsploit]$ echo $?
3
So, the exit code is properly set, and the information was printed by Cloudsploit. Beautiful!
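--exit-code fails the pipeline on any FAIL, including findings like the Lambda VPC one that the post would rather see as Warning. A common way to keep the gate while tolerating accepted findings is to decide from the CSV report instead. The following is an added example, not code from the post or from CloudSploit: it counts FAIL rows whose plugin title is not on an accepted list and returns non-zero only for the rest. The report rows, the account id and the plugin titles are constructed placeholders; use the title column from your own report.

```shell
#!/bin/sh
# Added example, not CloudSploit's own code: a pipeline gate over the CSV
# report that ignores accepted plugin titles and fails only on the rest.

# Constructed sample report (fake account id, placeholder plugin titles).
SAMPLE_CSV='category,title,description,resource,region,statusWord,message
Lambda,Lambda VPC Placeholder,Constructed Lambda plugin row.,arn:aws:lambda:us-east-1:123456789012:function:demo,us-east-1,FAIL,Function is not in a VPC
S3,Bucket Placeholder Check,Constructed S3 plugin row.,arn:aws:s3:::demo-bucket,global,FAIL,Bucket allows public access
S3,Bucket Placeholder Check,Constructed S3 plugin row.,arn:aws:s3:::demo-logs,global,OK,Bucket blocks public access
IAM,Access Analyzer Enabled,Ensure that IAM Access analyzer is enabled for all regions.,N/A,us-east-1,UNKNOWN,Unable to list Access Analyzers'

# Plugin titles whose FAIL results are accepted, one per line (placeholder).
ACCEPTED='Lambda VPC Placeholder'

# Print the number of FAIL rows whose title is not on the accepted list.
blocking_failures() {
    printf '%s\n' "$1" | awk -F',' -v accepted="$2" '
        BEGIN { n = split(accepted, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # The message column may contain commas, so look for the status token
        # rather than trusting the field count; title is $2 in this layout.
        NR > 1 && $0 ~ /,FAIL,/ && !($2 in ok) { count++ }
        END { print count + 0 }'
}

# Return 1 (fail the pipeline) when blocking failures remain.
gate() {
    n=$(blocking_failures "$1" "$2")
    echo "blocking failures: $n"
    [ "$n" -eq 0 ] || return 1
}

gate "$SAMPLE_CSV" "$ACCEPTED" || echo "pipeline would fail (status $?)"
```

In a pipeline, run Cloudsploit with --csv report.csv (without --exit-code) and then `gate "$(cat report.csv)" "$(cat accepted-titles.txt)"`; keep the accepted list in the repository so every tolerated finding is reviewed like code. Note that UNKNOWN rows are not counted, so missing permissions silently shrink coverage; the permission-extraction step above is the place to catch those.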
Conclusion
This is a really nice tool by Aqua. I love it. I would like to see a few modifications, but the tool is very useful already.
Cloudsploit is really configurable. Things I didn't mention before, like different types of compliance (hipaa, cis, cis1, cis2 and pci), different outputs, the possibility to add your own plugins and... remediations! All of it makes this tool very powerful.
Pros
- One place to see all issues
- Multicloud
- Very configurable tool
- Ability to use in pipelines
- Open-source and easy to use
- Other options (not only open-source)
Cons
- Better handling of AWS environments (it may be only my personal wish)
- Better configurability of selected services
- nodejs (it is my personal :) ) I do not say it is bad at all, but I would prefer to see this in Python or, even better, Go.
Cloudsploit is a tool which allows you to combine the functionality of AWS CloudWatch, CloudTrail and Trusted Advisor, to name a few. The biggest benefit of it is the possibility to run it in pipelines (I know, I repeat myself).
Aqua
Please remember, the presented version is open-source. Aqua provides a more "enterprise" tool; if you are interested, take a look here.
Waiting image by Shlomaster from Pixabay