DEV Community

Cover image for Secure your cloud with Cloudsploit!
Paweł Piwosz for AWS Community Builders

Posted on

Secure your cloud with Cloudsploit!

It looks like I create some "mini series" about security tools :) I am not a fan of the DevSecOps term, I believe that security is an integral part of the DevOps framework. Anyway, this tools, Cloudsploit, is a DevSecOps tool which you should consider as your friend.

Prerequisities

The tool needs node.js. Well, nobody's perfect ;P If you do not have node on your platform, follow the instruction here.

Here we will go with Node 17.x which is the newest at the moment, and Ubuntu machine (Vagrant box, if you are curious).

To install Node.js, we need to run... two comands

curl -fsSL https://deb.nodesource.com/setup_17.x | sudo -E bash -
Enter fullscreen mode Exit fullscreen mode

to download and prepare the system for Node.js installation. Obviously, this one liner will run som "unknown" script, if you are crazy about it, use wget, check the script.

And actual installation of Node.js

sudo apt-get install -y nodejs
Enter fullscreen mode Exit fullscreen mode

Confirm your installation with

node --version
Enter fullscreen mode Exit fullscreen mode

AWS Linux 2

For AWS Linux there is a instruction on AWS page. The process is extremelly simple:

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh | bash
. ~/.nvm/nvm.sh
nvm install node
Enter fullscreen mode Exit fullscreen mode

And that's it.

Installation

Installation is quite easy, and first step is to clone the repo.

git clone https://github.com/aquasecurity/cloudsploit.git
Enter fullscreen mode Exit fullscreen mode

Obviously, we need to navigate to cloudsploit directory, and run

npm install
Enter fullscreen mode Exit fullscreen mode

It will take some time.

Waiting

Nah, it is not that bad :) Ok, done!

Docker

Yep, the very cool thing is that we can run Cloudsploit as Docker container!

First run

First things first. Aqua in their documentation missed one thing. They say:

$ npm install
$ ./index.js -h
Enter fullscreen mode Exit fullscreen mode

Obviously, you need to this

chmod +x index.js
Enter fullscreen mode Exit fullscreen mode

And then execute it as

./index.js -h
Enter fullscreen mode Exit fullscreen mode

Or run it with node

node index.js -h
Enter fullscreen mode Exit fullscreen mode

I put it here just for people who are new in Linux.

Cloud credentials

Cloudsploit can scan a few providers. I focus on AWS (what a spurprise ;) ). Aqua recommends to use read-only permissions (and they know what they say - they are security company!).

So, I used their tutorial, and I created an IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:DescribeActiveReceiptRuleSet",
                "athena:GetWorkGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "elastictranscoder:ListPipelines",
                "elasticfilesystem:DescribeFileSystems",
                "servicequotas:ListServiceQuotas"
            ],
            "Resource": "*"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Which I attached to the IAM Group. And on the end I created the IAM User, which becomes a member of this group. Easy. After it, by using

aws configure --profile Cloudsploit
Enter fullscreen mode Exit fullscreen mode

I configured this credentials for my CLI.

The IAM Policy itself gives us a great visibility what is scanned with Cloudsploit.

First scan

Now I am ready to run my first scan.

And here is my first question, which I didn't answer yet (I didn't look at it, though). When your credentials file (standard one, in .aws folder) contains more than one profile, it seems that default is used. Therefore, the best option at this moment is to move your newly created credentials for Cloudsploit to config.js file, which is described by Aqua. Please remember, that syntax of the config file is different than for AWS CLI.

Cloudsploit is quite sensitive about proper path, etc.

So, I executed

./index.js --config ./config.js --cloud aws
Enter fullscreen mode Exit fullscreen mode

Scan in progress


I observed very high impact on my home network and what was worse, the scan wasn't finish for long time (I tried to use Vagrant, as I said, but... it wasn't a good idea), so I decided to move the execution to AWS EC2.


The execution was quick. The output is very rich. There is a lot of information and the format of the output is great. Well, in my first runn some columns were hard to read. But it is a minor drawback considering how much info I get.

The first check of the output reveals, that with proposed IAM Policy Cloudsploit doesn't have access to everything what it scans. But that is minor issue and can be fixed in minute or two.

What I miss, though, is possibility to run the scan for specific AWS Region. Also, the use of profiles (in case of AWS) will be very useful. There is an open issue for that, and Aqua explained it will be not easy for them to implement.


I executed Cloudsploit again, but this time with modified IAM Policy (I just added a few things there):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:DescribeActiveReceiptRuleSet",
                "athena:GetWorkGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "elastictranscoder:ListPipelines",
                "elasticfilesystem:DescribeFileSystems",
                "servicequotas:ListServiceQuotas",
                "sns:ListTopics",
                "sagemaker:ListNotebookInstances",
                "ses:ListIdentities",
                "ssm:DescribeParameters",
                "ssm:DescribeInstanceInformation",
                "ssm:GetServiceSetting",
                "lambda:ListFunctions",
                "rds:DescribeDBClusters",
                "cloudtrail:DescribeTrails",
                "kms:ListKeys",
                "secretsmanager:ListSecrets",
                "xray:GetEncryptionConfig",
                "codebuild:ListProjects",
                "codepipeline:ListPipelines"
            ],
            "Resource": "*"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Let's take a look on part of the output, I am particulary interested in Lambda ones:

CLI output

There are some OK (good), and UNKNOWN. This means that Cloudsploit cannot access these resources for some reason. What about fails? Yep, I have a few for Lambda:

CLI output

But... These might be the false-positives! Well, as usual, these scanners need to be adjusted for the case, it is not a mystery, I believe. Anyway, my opinion here: AWS Lambda was designed to be not run in VPC. Therefore I prefer to not see this specific entry as Fail, but Warning as highest level. Info could be the best.

Configure output

So, we have this table, but it is not very useful for CI/CD. Can me make it useful?

YES!

Let's go through a few elements of it.

Output again

This time I executed Cloudsploit with these arguments

./index.js --config ./config.js --cloud aws --csv report.csv --console none
Enter fullscreen mode Exit fullscreen mode

What I see on the screen is this:

INFO: Using CloudSploit config file: ./config.js
INFO: Skipping AWS pagination mode
INFO: Determining API calls to make...
INFO: Found 275 API calls to make for aws plugins
INFO: Collecting metadata. This may take several minutes...
[INFO][REGIONS] Could not load all regions from EC2: {"message":"Missing region in config","code":"ConfigError","time":"2022-02-13T12:48:56.566Z"}
INFO: Metadata collection complete. Analyzing...
INFO: Analysis complete. Scan report to follow...
Plugin Web-Tier Auto Scaling Group Associated ELB returned no results. There may be a problem with this plugin.
Plugin App-Tier ASG Launch Configurations Approved AMIs returned no results. There may be a problem with this plugin.
...
Plugin CodeBuild Valid Source Providers returned no results. There may be a problem with this plugin.
Plugin CodeStar Valid Repository Providers returned no results. There may be a problem with this plugin.
INFO: CSV file written to report.csv
INFO: Console output suppressed because "console" setting was "none"
INFO: Scan complete
Enter fullscreen mode Exit fullscreen mode

Great, no output on screen. And I have my output in the file:

[ec2-user@ip-172-31-18-42 cloudsploit]$ head scan.csv
category,title,description,resource,region,statusWord,message
IAM,Access Analyzer Enabled,Ensure that IAM Access analyzer is enabled for all regions.,N/A,us-east-1,UNKNOWN,Unable to list Access Analyzers: User: arn:aws:iam::1234567890:user/CloudSploitUser is not authorized to perform: access-analyzer:ListAnalyzers on resource: arn:aws:access-analyzer:us-east-1:1234567890:*
Enter fullscreen mode Exit fullscreen mode

This is just a fragment, all output is in the file.

But wait, better is comming :)

junit format

Yeah, we can export the output to junit format!

./index.js --config ./config.js --cloud aws --junit report.xml --console none
Enter fullscreen mode Exit fullscreen mode

With --junit <file> I created the export file. There is a possibility to run --csv and --json.

--console none is very useful, when we don't need output "on screen".

Exit code

Very important element of each CI/CD is possibility to fail the pipeline. Is there the possibility to "natively" fail the Cloudsploit? Well, there is!

./index.js --config ./config.js --cloud aws --junit report.xml --console none --exit-code
Enter fullscreen mode Exit fullscreen mode

And I received

INFO: Exiting with exit code: 3
INFO: Scan complete
[ec2-user@ip-172-31-18-42 cloudsploit]$ echo $?
3
Enter fullscreen mode Exit fullscreen mode

So, exit code is properly set, and the information was printed by Cloudsploit. Beautiful!

Conclusion

This really nice tool by Aqua. I love it. I would like to see a few modifications, but the tool is very useful already.

Cloudsploit is really configurable. Things I didn't tell before, like different types of compliance (hipaa, cis, cis1, cis2 and pci), different outputs, possibility to add own plugins and... remediations! All of it makes this tool very powerful.

Pros

  • One place to see all issues
  • Multicloud
  • Very configurable tool
  • Ability to use in pipelines
  • Open-source easy to use
  • Other options (not only open-source)

Cons

  • Better handling of AWS environments (it may be my personal only)
  • Better configurability of selected services
  • nodejs (it is my personal :) ) I do not say it is bad at all, but I preffer to see this as Python or even better - Go.

Cloudsploit is a tool, which allows you to combine the functionality of AWS CloudWatch, CloudTrail, TrustedAdvisor, to name a few. The biggest benefit of it is possibility to run in the pipelines (I know, I repeat myself).

Aqua

Please remember, presented version is open-source. Aqua provides more "enterprise" tool, if you are interested, take a look here


Waiting image by Shlomaster from Pixabay

Top comments (0)