Minimization of exposed resources in AWS
provider "aws" {
  region = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"

  tags = {
    Name = "example-instance"
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
  acl    = "public-read" # canned ACL: grants READ to the AllUsers group, i.e. anyone on the internet

  tags = {
    Name = "example-bucket"
  }
}

resource "aws_db_instance" "example" {
  allocated_storage    = 5
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz" # master password committed in plaintext
  parameter_group_name = "default.mysql5.7"
  publicly_accessible  = true # instance gets a public IP and an internet-resolvable endpoint
}
The above Terraform code provisions three AWS resources: an EC2 instance, an S3 bucket, and an RDS database instance.
The vulnerability lies in the configuration of the S3 bucket and the RDS database instance.
1. For the S3 bucket, the acl attribute is set to public-read. This canned ACL grants READ to the AllUsers group, so anyone on the internet can enumerate the bucket's contents without authenticating, and any object that carries a public ACL can be downloaded by anyone. That is rarely necessary for the operation of an application and can expose sensitive data.
2. For the RDS database instance, the publicly_accessible attribute is set to true. The instance is then assigned a public IP address, and its endpoint DNS name resolves to that address, so the database is reachable from the internet, limited only by its security group rules. This expands the attack surface if internet access is not necessary for the operation of the application.
This code does not follow the principle of least privilege: only the minimum access required for the application to operate should be granted, and resources that do not need to be reachable should not be exposed, because every exposed resource is a potential attack vector.
provider "aws" {
  region = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"

  tags = {
    Name = "example-instance"
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
  acl    = "private" # canned ACL: only the bucket owner has access; no grant to AllUsers

  tags = {
    Name = "example-bucket"
  }
}

resource "aws_db_instance" "example" {
  allocated_storage    = 5
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz" # still hard-coded; see the note below
  parameter_group_name = "default.mysql5.7"
  publicly_accessible  = false # no public IP; endpoint resolves only to a private address inside the VPC
}
The original code had two main vulnerabilities:
1. The S3 bucket was publicly readable. This is a security risk because it allows anyone to read the data in the bucket. The ACL for the bucket has been changed to "private" to prevent public access.
2. The database instance was publicly accessible. This is a security risk because it allows anyone on the internet to reach the database endpoint. The publicly_accessible attribute has been set to false so the instance receives no public IP address.
These changes ensure that only necessary resources are exposed, reducing the attack surface and improving the security of the application. Three caveats apply to the corrected code. First, a private ACL only removes the grant to AllUsers; a bucket policy can still make the bucket public, so also attach an aws_s3_bucket_public_access_block with block_public_acls, block_public_policy, ignore_public_acls and restrict_public_buckets all set to true. Note too that the acl argument on aws_s3_bucket is deprecated in current versions of the AWS provider in favour of the separate aws_s3_bucket_acl resource. Second, publicly_accessible = false only withholds a public IP; the instance must still be placed in private subnets via a DB subnet group, and its security group should allow port 3306 only from the application's security group rather than from 0.0.0.0/0. Third, both versions embed the master password (foobarbaz) in plaintext in the configuration, where it ends up in version control and in Terraform state; supply it through a sensitive variable or a secrets store (or set manage_master_user_password = true so RDS generates it and stores it in Secrets Manager), and rotate any credential that has already been committed. It is also recommended to regularly audit the AWS infrastructure to identify and remove any unnecessary resources, implement least-privilege access control to restrict access to necessary resources, and regularly update and patch the AWS infrastructure to mitigate potential vulnerabilities.
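The audit recommended above can be automated against the plan Terraform produces before anything is applied. The following is an added example, not code from the original page: it reads the JSON emitted by `terraform show -json tfplan`, walks every module, and flags the three exposures discussed on this page (a public canned ACL on a bucket, an RDS instance with publicly_accessible = true, and a master password hard-coded in the configuration). The embedded SAMPLE_PLAN is a constructed plan mirroring the page's three resources plus a hardened bucket in a child module; the helper `_resource` and the finding texts are this example's own.

```python
"""Audit a Terraform plan (JSON from `terraform show -json tfplan`) for exposed resources.

Added example: checks for public S3 ACLs, internet-reachable RDS instances and
hard-coded database passwords. Usage: python audit_plan.py tfplan.json
(with no argument it audits the constructed SAMPLE_PLAN below).
"""
import json
import sys
from typing import Iterator

# Canned ACLs that grant access to the AllUsers or AuthenticatedUsers groups.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_exposures(plan: dict) -> list[tuple[str, str]]:
    """Return (resource address, finding) pairs for every exposed resource in the plan."""
    findings: list[tuple[str, str]] = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("mode") != "managed":  # skip data sources
            continue
        addr, values = res["address"], res.get("values") or {}
        # The acl may live on the bucket itself (legacy) or on an aws_s3_bucket_acl resource.
        if res["type"] in ("aws_s3_bucket", "aws_s3_bucket_acl") and values.get("acl") in PUBLIC_ACLS:
            findings.append((addr, f"canned ACL {values['acl']!r} grants access to everyone"))
        if res["type"] == "aws_db_instance":
            if values.get("publicly_accessible") is True:
                findings.append((addr, "publicly_accessible = true exposes the DB endpoint to the internet"))
            if values.get("password"):  # plan JSON carries the literal value; sensitive_values only marks it
                findings.append((addr, "master password is hard-coded in the configuration"))
    return findings


def _resource(rtype: str, name: str, values: dict, prefix: str = "") -> dict:
    """Build one planned-resource entry in the shape `terraform show -json` uses (example helper)."""
    return {"address": f"{prefix}{rtype}.{name}", "mode": "managed", "type": rtype, "name": name, "values": values}


# Constructed sample plan: the page's three resources, plus a hardened bucket in a
# child module that should produce no finding.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                _resource("aws_instance", "example", {"ami": "ami-0c94855ba95c574c8", "instance_type": "t2.micro"}),
                _resource("aws_s3_bucket", "example", {"bucket": "example", "acl": "public-read"}),
                _resource("aws_db_instance", "example",
                          {"engine": "mysql", "username": "foo", "password": "foobarbaz", "publicly_accessible": True}),
            ],
            "child_modules": [
                {
                    "address": "module.logs",
                    "resources": [
                        _resource("aws_s3_bucket", "logs", {"bucket": "example-logs", "acl": "private"}, "module.logs."),
                    ],
                }
            ],
        }
    },
}


def main(argv: list[str]) -> int:
    """Print findings and return 1 if any exist, so a CI job fails on an exposed resource."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_exposures(plan)
    for addr, why in findings:
        print(f"{addr}: {why}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pre-apply gate: `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python audit_plan.py plan.json`. A non-zero exit blocks the pipeline until the ACL, the publicly_accessible flag or the hard-coded password is fixed. The check reads planned_values rather than the HCL source so it also covers values that arrive through variables and modules.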