2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article introduces s3tk, a security audit suite for Amazon S3, in detail; it should be a useful reference for anyone interested in the topic.
s3tk is a security audit suite for Amazon S3. Security researchers can use it to check the security configuration of Amazon S3 Buckets.
Tool installation
s3tk can be installed with pip:
pip install s3tk
AWS credentials are configured with the AWS CLI:
pip install awscli
aws configure
Tool usage
Security scan
The scan checks each Bucket for the following:
1. Open ACL
2. Open policy
3. Public access blocked
4. Logging enabled
5. Versioning enabled
6. Default encryption enabled
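As an added illustration (not s3tk's own code), the following Python reproduces the six checks above on a constructed, boto3-shaped set of responses so it runs offline; the dictionary layouts assume the shapes returned by get_bucket_acl, get_bucket_policy, get_public_access_block, get_bucket_logging, get_bucket_versioning and get_bucket_encryption.

```python
import json

# Grantee URIs that make an ACL grant readable by everyone or by any AWS account.
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_is_open(acl):
    """Open ACL: any grant to the AllUsers or AuthenticatedUsers group."""
    return any(g["Grantee"].get("URI") in PUBLIC_GRANTEES for g in acl["Grants"])

def policy_is_open(policy_json):
    """Open policy: an Allow statement whose principal is everyone ('*' or {'AWS': '*'})."""
    if policy_json is None:  # bucket has no policy (NoSuchBucketPolicy)
        return False
    return any(s["Effect"] == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})
               for s in json.loads(policy_json)["Statement"])

def scan_bucket(b):
    """Map each of the six checks to True (pass) or False (finding)."""
    pab = b["public_access_block"] or {}
    return {
        "acl_not_open": not acl_is_open(b["acl"]),
        "policy_not_open": not policy_is_open(b["policy"]),
        "public_access_blocked": all(pab.get(k) is True for k in PAB_KEYS),
        "logging_enabled": "LoggingEnabled" in b["logging"],
        "versioning_enabled": b["versioning"].get("Status") == "Enabled",
        "default_encryption": "ServerSideEncryptionConfiguration" in b["encryption"],
    }

# Constructed sample shaped like the boto3 get_bucket_* responses (assumed layout).
SAMPLE_BUCKET = {
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    # A Deny for everyone is not an "open" policy; only an Allow for everyone is.
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:PutObjectAcl",
        "Resource": "arn:aws:s3:::my-bucket/*"}]}),
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "logging": {},                       # no LoggingEnabled key: logging is off
    "versioning": {"Status": "Enabled"},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": []}},
}
```

For the sample above the ACL, public access block and logging checks fail while the policy, versioning and encryption checks pass.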
Scan all Buckets:
s3tk scan
Scan specific Buckets:
s3tk scan my-bucket my-bucket-2
Wildcards are supported:
s3tk scan "my-bucket*"
Skip the logging, versioning and default encryption checks:
s3tk scan --skip-logging --skip-versioning --skip-default-encryption
Get email notifications of the results (via SNS):
s3tk scan --sns-topic arn:aws:sns:...
List policies
List the policies of all Buckets:
s3tk list-policy
List the policies of specific Buckets:
s3tk list-policy my-bucket my-bucket-2
Show policy names:
s3tk list-policy --named
Set a policy:
s3tk set-policy my-bucket --no-object-acl
Delete a policy:
s3tk delete-policy my-bucket
Block public access:
s3tk block-public-access my-bucket my-bucket-2
Enable default encryption
Enable default encryption for all Buckets:
s3tk enable-default-encryption
Enable it only for specific Buckets:
s3tk enable-default-encryption my-bucket my-bucket-2
Scan object ACLs
Scan the ACL of every object in a Bucket:
s3tk scan-object-acl my-bucket
Scan only specific objects:
s3tk scan-object-acl my-bucket --only "*.pdf"
Exclude specific objects:
s3tk scan-object-acl my-bucket --except "*.jpg"
Scan DNS
s3tk scan-dns
Credentials
Credentials can be set in ~/.aws/credentials or in environment variables. To use a specific profile:
AWS_PROFILE=your-profile s3tk
IAM policy
The IAM permissions each command needs are listed below; grant only the statements for the commands you intend to run:
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Scan", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetBucketLogging", "s3:GetBucketVersioning", "s3:GetEncryptionConfiguration"], "Resource": "*"},
    {"Sid": "ScanDNS", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "route53:ListHostedZones", "route53:ListResourceRecordSets"], "Resource": "*"},
    {"Sid": "ListPolicy", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketPolicy"], "Resource": "*"},
    {"Sid": "SetPolicy", "Effect": "Allow", "Action": ["s3:PutBucketPolicy"], "Resource": "*"},
    {"Sid": "DeletePolicy", "Effect": "Allow", "Action": ["s3:DeleteBucketPolicy"], "Resource": "*"},
    {"Sid": "BlockPublicAccess", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:PutBucketPublicAccessBlock"], "Resource": "*"},
    {"Sid": "EnableLogging", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:PutBucketLogging"], "Resource": "*"},
    {"Sid": "EnableVersioning", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:PutBucketVersioning"], "Resource": "*"},
    {"Sid": "EnableDefaultEncryption", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:PutEncryptionConfiguration"], "Resource": "*"},
    {"Sid": "ResetObjectAcl", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObjectAcl", "s3:PutObjectAcl"], "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Sid": "Encrypt", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"], "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Sid": "DeleteUnencryptedVersions", "Effect": "Allow", "Action": ["s3:ListBucketVersions", "s3:GetObjectVersion", "s3:DeleteObjectVersion"], "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}
  ]
}
Access logs
Amazon Athena can be used to query S3 server access logs. Create the following table:
CREATE EXTERNAL TABLE my_bucket (
    bucket_owner string,
    bucket string,
    time string,
    remote_ip string,
    requester string,
    request_id string,
    operation string,
    key string,
    request_verb string,
    request_url string,
    request_proto string,
    status_code string,
    error_code string,
    bytes_sent string,
    object_size string,
    total_time string,
    turn_around_time string,
    referrer string,
    user_agent string,
    version_id string
)
ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe'
WITH SERDEPROPERTIES (
    'serialization.format' = '1',
    'input.regex' = '([^ ]*) ([^ ]*) \\[(.*?)\\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) \"([^ ]*) ([^ ]*) (- |[^ ]*)\" (-|[0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) (\"[^\"]*\") ([^ ]*)$'
)
LOCATION 's3://YOUR-LOG-BUCKET/';  -- placeholder: point this at your log Bucket
Change the last line to point to your log Bucket. Then, for example, list successful anonymous requests to a given key prefix:
SELECT date_parse(time, '%d/%b/%Y:%H:%i:%S +0000') AS time, request_url, remote_ip, user_agent
FROM my_bucket
WHERE requester = '-' AND status_code LIKE '2%' AND request_url LIKE '/some-keys%'
ORDER BY 1
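The same filter as the Athena query, as an added offline example that is not part of the original article: it parses constructed S3 server access log lines with the table's regex and keeps anonymous (requester '-') 2xx requests under the key prefix, ordered by request time.

```python
import re
from datetime import datetime

# The 20-group pattern used for the Athena table's input.regex, as a Python regex.
LOG_RE = re.compile(
    r'([^ ]*) ([^ ]*) \[(.*?)\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) '
    r'"([^ ]*) ([^ ]*) (- |[^ ]*)" (-|[0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) '
    r'([^ ]*) ([^ ]*) ("[^"]*") ([^ ]*)$')
FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_verb", "request_url", "request_proto",
          "status_code", "error_code", "bytes_sent", "object_size", "total_time",
          "turn_around_time", "referrer", "user_agent", "version_id")

def parse_line(line):
    """Return a dict of the 20 access-log fields, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return dict(zip(FIELDS, m.groups())) if m else None

def anonymous_successes(lines, key_prefix="/some-keys"):
    """Same filter as the Athena query: requester '-' (anonymous), 2xx status,
    URL under key_prefix; results sorted by parsed request time."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and rec["requester"] == "-" and rec["status_code"].startswith("2") \
                and rec["request_url"].startswith(key_prefix):
            rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append(rec)
    return sorted(hits, key=lambda r: r["time"])

# Constructed log lines in S3 server access log format (owner id shortened, example request ids).
SAMPLE_LOGS = [
    'ownerid my-bucket [06/Feb/2019:00:01:10 +0000] 192.0.2.10 - 3E57427F3EXAMPLE REST.GET.OBJECT some-keys/b.pdf "GET /some-keys/b.pdf HTTP/1.1" 200 - 1024 1024 30 12 "-" "curl/7.64.0" -',
    'ownerid my-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.10 - 7B4A0FABBEXAMPLE REST.GET.OBJECT some-keys/a.pdf "GET /some-keys/a.pdf HTTP/1.1" 206 - 512 2048 25 9 "-" "Mozilla/5.0 (X11; Linux x86_64)" -',
    'ownerid my-bucket [06/Feb/2019:00:00:50 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice 891CE47D2EXAMPLE REST.GET.OBJECT some-keys/c.pdf "GET /some-keys/c.pdf HTTP/1.1" 200 - 2662 2662 70 10 "-" "aws-cli/1.16.0" -',
    'ownerid my-bucket [06/Feb/2019:00:00:55 +0000] 192.0.2.10 - A1206F460EXAMPLE REST.GET.OBJECT some-keys/d.pdf "GET /some-keys/d.pdf HTTP/1.1" 403 AccessDenied 243 - 11 - "-" "curl/7.64.0" -',
    'ownerid my-bucket [06/Feb/2019:00:00:59 +0000] 192.0.2.10 - DD6CC733AEXAMPLE REST.GET.OBJECT public/e.jpg "GET /public/e.jpg HTTP/1.1" 200 - 4096 4096 40 8 "-" "curl/7.64.0" -',
]

if __name__ == "__main__":
    for r in anonymous_successes(SAMPLE_LOGS):
        print(r["time"].isoformat(), r["request_url"], r["remote_ip"], r["user_agent"])
```

Only the two anonymous 2xx reads under /some-keys survive; the authenticated read, the 403 and the request outside the prefix are dropped, as in the SQL.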
CloudTrail logs
Amazon Athena can also be used to query CloudTrail logs. Create the following table:
CREATE EXTERNAL TABLE cloudtrail_logs (
    eventversion STRING,
    userIdentity STRUCT<                -- field list as in the AWS CloudTrail/Athena documentation
        type:STRING, principalid:STRING, arn:STRING, accountid:STRING,
        invokedby:STRING, accesskeyid:STRING, userName:STRING,
        sessioncontext:STRUCT<
            attributes:STRUCT<mfaauthenticated:STRING, creationdate:STRING>,
            sessionissuer:STRUCT<type:STRING, principalId:STRING, arn:STRING,
                                 accountId:STRING, userName:STRING>>>,
    eventTime STRING,
    eventSource STRING,
    eventName STRING,
    awsRegion STRING,
    sourceIpAddress STRING,
    userAgent STRING,
    errorCode STRING,
    errorMessage STRING,
    requestId STRING,
    eventId STRING,
    resources ARRAY<STRUCT<ARN:STRING, accountId:STRING, type:STRING>>,
    eventType STRING,
    apiVersion STRING,
    readOnly BOOLEAN,
    recipientAccountId STRING,
    sharedEventID STRING,
    vpcEndpointId STRING,
    requestParameters STRING,
    responseElements STRING,
    additionalEventData STRING,
    serviceEventDetails STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://YOUR-CLOUDTRAIL-BUCKET/AWSLogs/YOUR-ACCOUNT-ID/';  -- placeholder: point this at your CloudTrail log Bucket
Change the last line to point to your CloudTrail log Bucket. Then, for example, list all Bucket-level API calls:
SELECT eventTime, eventName, userIdentity.userName, requestParameters
FROM cloudtrail_logs
WHERE eventName LIKE '%Bucket%'
ORDER BY 1
Bucket policy
A Bucket policy that denies every principal the right to change object ACLs in the Bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObjectAcl", "Resource": "arn:aws:s3:::my-bucket/*"}
  ]
}
Tool update
Run:
pip install s3tk --upgrade
To install the latest code from the master branch:
pip install git+https://github.com/ankane/s3tk.git --upgrade
Docker
Run:
docker run -it ankane/s3tk aws configure
Commit the container with your credentials:
docker commit $(docker ps -l -q) my-s3tk
Then run:
docker run -it my-s3tk s3tk scan
(Screenshot: s3tk scan output)
That concludes the article "what is s3tk? security audit suite". Thank you for reading, and I hope the content is useful; for more related material, follow the industry information channel.