
Introduce AWS CLI detonator#16

Merged
christophetd merged 2 commits into main from aws-cli-detonator
May 15, 2023

Conversation

christophetd (Contributor) commented May 4, 2023

What does this PR do?

Add a new AWS CLI detonator. It works by running the user-provided bash script, setting AWS_EXECUTION_ENV to the detonation UID so that it shows up in the user agent of the resulting logs.


Motivation

When we want to use Threatest from the CLI, for now we're limited to what Stratus Red Team supports. Being able to use the AWS CLI - while not ideal and more complex - allows testing anything.

Sample usage

scenarios:
  - name: opening a security group to the Internet
    detonate:
      awsCliDetonator:
        script: |
          set -e
          
          # Setup
          vpc=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text)
          sg=$(aws ec2 create-security-group --group-name sample-sg --description "Test security group" --vpc-id $vpc --query GroupId --output text)
          
          # Open security group
          aws ec2 authorize-security-group-ingress --group-id $sg --protocol tcp --port 22 --cidr 0.0.0.0/0
          
          # Cleanup
          aws ec2 delete-security-group --group-id $sg
          aws ec2 delete-vpc --vpc-id $vpc
    expectations:
      - timeout: 15m
        datadogSecuritySignal:
          name: "Potential administrative port open to the world via AWS security group"

Sample output:

$ go run ./cmd/threatest/*.go run test.threatest.yaml
INFO[0000] Running 1 scenarios with a parallelism of 1
Execution ID: 05465a6b-2696-4a52-8795-3b0a84963cf6
INFO[0289] opening a security group to the Internet: Confirmed that the expected signal (Datadog security signal 'Potential administrative port open to the world via AWS security group') was created in Datadog (took 281 seconds).
INFO[0289] opening a security group to the Internet: All assertions passed
INFO[0294] Scenario 'opening a security group to the Internet' passed in 294.60 seconds

Open questions

If we need to give the user arbitrary control over how the detonation is done, should we consider adding a "match only" mode to Threatest?

e.g.

# Manually detonate an attack (exported so the aws process inherits the variable)
export AWS_EXECUTION_ENV=threatest_1234
aws ec2 ...

# Verify
threatest check --type datadog-signal --name "My signal name" --execution-uid=threatest_1234
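Both halves of the mechanism this PR describes, as an added Go example (not Threatest's own code): the run side launches the user's bash script with AWS_EXECUTION_ENV set to the detonation UID, and the correlation side picks out the CloudTrail events whose userAgent carries that UID, which is the lookup a "match only" mode would rely on. The `exec-env/<value>` token is how the AWS CLI reports AWS_EXECUTION_ENV in its User-Agent; the `threatest_` prefix and the sample records are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// RunDetonation runs the user-provided script under bash with AWS_EXECUTION_ENV set
// to the detonation UID. The AWS CLI reports that value in its User-Agent header as
// "exec-env/<uid>", so every CloudTrail event the script produces carries the UID.
func RunDetonation(script, uid string) error {
	cmd := exec.Command("bash", "-c", script)
	cmd.Env = append(os.Environ(), "AWS_EXECUTION_ENV="+uid)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

// HasExecEnv reports whether userAgent carries exactly the exec-env token for uid. Padding
// with spaces makes this a whole-token match, so "threatest_1234" does not claim "threatest_12345".
func HasExecEnv(userAgent, uid string) bool {
	return strings.Contains(" "+userAgent+" ", " exec-env/"+uid+" ")
}

// EventsForDetonation returns the eventName of each raw CloudTrail JSON record attributable to uid.
func EventsForDetonation(records []string, uid string) ([]string, error) {
	var matched []string
	for _, raw := range records {
		var ev struct {
			EventName string `json:"eventName"`
			UserAgent string `json:"userAgent"`
		}
		if err := json.Unmarshal([]byte(raw), &ev); err != nil {
			return nil, fmt.Errorf("parse CloudTrail record: %w", err)
		}
		if HasExecEnv(ev.UserAgent, uid) {
			matched = append(matched, ev.EventName)
		}
	}
	return matched, nil
}

// SampleRecords are constructed CloudTrail-style records for this example, not real log data.
var SampleRecords = []string{
	`{"eventName":"CreateVpc","userAgent":"aws-cli/2.11.0 Python/3.11.3 exec-env/threatest_1234 command/ec2.create-vpc"}`,
	`{"eventName":"AuthorizeSecurityGroupIngress","userAgent":"aws-cli/2.11.0 Python/3.11.3 exec-env/threatest_1234 command/ec2.authorize-security-group-ingress"}`,
	`{"eventName":"AuthorizeSecurityGroupIngress","userAgent":"aws-cli/2.11.0 exec-env/threatest_12345"}`,
	`{"eventName":"ConsoleLogin","userAgent":"console.amazonaws.com"}`,
}
```

In a real run the records would come from a CloudTrail lookup filtered to the detonation window, and the UID would be the same value Threatest prints as its Execution ID.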

@christophetd christophetd merged commit fb37a9f into main May 15, 2023
@christophetd christophetd deleted the aws-cli-detonator branch May 15, 2023 14:30