AWS scans the Internet for leaked credentials

2017-07-05 AWS

Recently I ran a test against AWS. In our environment many people hold IAM permissions on the AWS account, and with the tangled ways it gets used plus some mistaken habits, there is a real chance that credentials leak. That is something we have to guard against.

Within a limited scope you can guard against this by writing programs that scan for keys (awslabs/git-secrets does exactly that), but once a key has leaked somewhere public the surface is far too wide to monitor.

 

Test scenario:

Suppose you have a GitHub project and you put the IAM user credentials that CodeDeploy needs into .travis.yml. Normally you must encrypt them as a secure key, but let's assume you forgot (laziness) and pushed them to a public GitHub repository as-is.
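The local scanning mentioned above and the scenario just described can be tied together in one check. The following Python scanner is an added example (not code from the original post and not from awslabs/git-secrets): its two regexes approximate the AWS rules that `git secrets --register-aws` installs, and it runs over two constructed .travis.yml files, one that carries the CodeDeploy IAM user keys in the clear and one where only the `secure:` blobs produced by `travis encrypt` are committed. The key values are the example credentials from AWS's own documentation, not real secrets, and the file contents and the `commit_allowed` hook name are assumptions.

```python
"""Scan CI config for AWS credentials before it reaches a public repo.

Added example, not code from the original post or from awslabs/git-secrets.
The regexes approximate the AWS rules that `git secrets --register-aws`
installs; they were written for this example.
"""
import re

# Access key IDs: a known 4-char prefix followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(
    r"(?<![A-Z0-9])(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)"
    r"[A-Z0-9]{16}(?![A-Z0-9])"
)
# Secret keys: a "secret key"-like name, an assignment, then exactly 40 base64 chars.
SECRET_KEY = re.compile(
    r"""(?i)(?:aws)?_?secret_?(?:access)?_?key["']?\s*(?::|=>|=)\s*["']?"""
    r"""([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)


def redact(value):
    """Keep only the ends so a report never re-leaks the value it found."""
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Return (line_number, kind, redacted_value) for every credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


def commit_allowed(text):
    """Pre-commit verdict: True only when nothing credential-like was found."""
    return not scan_text(text)


# Constructed .travis.yml that makes the post's mistake: plaintext IAM user keys.
# The values are the example credentials from AWS's own documentation.
LEAKY_TRAVIS_YML = """\
language: node_js
env:
  global:
    - AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
    - AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
deploy:
  provider: codedeploy
"""

# Same file after `travis encrypt`: only opaque blobs (constructed here) are committed.
SAFE_TRAVIS_YML = """\
language: node_js
env:
  global:
    - secure: "c2VjdXJlLWJsb2ItZXhhbXBsZQ=="
    - secure: "YW5vdGhlci1zZWN1cmUtYmxvYg=="
deploy:
  provider: codedeploy
"""

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_TRAVIS_YML), ("safe", SAFE_TRAVIS_YML)):
        print(name, "allowed" if commit_allowed(body) else scan_text(body))
```

Wired into a pre-commit hook, `commit_allowed` rejects the leaky file at line 4 and 5 while letting the encrypted variant through; the report only ever prints the redacted ends of a match, so the hook itself cannot become a second place the key is written out in full.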

After some time (there is no fixed interval), you receive a notification from AWS:

The first time, AWS shows a "bell notification" on the Dashboard telling you that your key has leaked.

In fact AWS does more than notify you: it also tests a login with the credentials, so under the IAM user you can see a Last used login record like this ...

 2017-06-22 17:28 UTC+0800 with AWSFraudWorkflowsService in us-east-1
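That Last used record is also something you can check programmatically. The following Python is an added example (not from the original post): it triages the response of IAM's get-access-key-last-used call against the services and regions a key is expected to be used from, and flags keys that have sat idle long enough to be deleted. The response dict is constructed here to mirror the record in the post (17:28 UTC+8 is 09:28 UTC); the IAM user name, the allowed sets and the 90-day idle threshold are assumptions.

```python
"""Triage an IAM access key's "last used" record for unexpected use.

Added example, not from the original post. SAMPLE_RESPONSE is constructed to
match the shape boto3 returns from iam.get_access_key_last_used(); in real use
you would pass that call's result instead.
"""
from datetime import datetime, timezone

# Constructed: mirrors the record shown in the post (17:28 UTC+8 == 09:28 UTC).
SAMPLE_RESPONSE = {
    "UserName": "codedeploy-ci",  # assumed IAM user name
    "AccessKeyLastUsed": {
        "LastUsedDate": datetime(2017, 6, 22, 9, 28, tzinfo=timezone.utc),
        "ServiceName": "AWSFraudWorkflowsService",
        "Region": "us-east-1",
    },
}


def triage_last_used(response, allowed_services, allowed_regions,
                     now=None, max_idle_days=90):
    """Return a list of anomaly strings; an empty list means nothing looks odd.

    allowed_services / allowed_regions are the services and regions this key's
    owner is known to use, e.g. {"codedeploy"} and {"ap-northeast-1"}.
    """
    used = response["AccessKeyLastUsed"]
    # IAM reports no date (and "N/A" for service and region) for a key that
    # has never been used; there is nothing to triage yet.
    if used.get("LastUsedDate") is None or used.get("ServiceName") == "N/A":
        return []
    now = now or datetime.now(timezone.utc)
    anomalies = []
    if used["ServiceName"] not in allowed_services:
        anomalies.append(f"unexpected service: {used['ServiceName']}")
    if used["Region"] not in allowed_regions:
        anomalies.append(f"unexpected region: {used['Region']}")
    idle_days = (now - used["LastUsedDate"]).days
    if idle_days > max_idle_days:
        anomalies.append(f"idle for {idle_days} days (candidate for deletion)")
    return anomalies


if __name__ == "__main__":
    findings = triage_last_used(SAMPLE_RESPONSE, {"codedeploy"}, {"ap-northeast-1"},
                                now=datetime(2017, 7, 5, tzinfo=timezone.utc))
    for line in findings:
        print(f"{SAMPLE_RESPONSE['UserName']}: {line}")
```

Run over every key returned by list-access-keys, the two allowlist checks surface a use like the one in the post (a service and region the CI user never touches) without waiting for the Dashboard bell, and the idle check catches forgotten keys before anyone else finds them.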

If you keep ignoring it, you will get an email from AWS Support, sent directly to the root account, like this:

Hello,

Thank you for taking quick action to delete your exposed access key (AKIAIXXXXXXXXXXZXXQ).

We also encourage you to visit the AWS Security Center for additional information and resources related to AWS security best practices:
http://aws.amazon.com/security/?nc1=h_l3_cc

To further protect yourself from access key exposures, please consider using the “Git Secrets” tool from AWS Labs. This service will scan merges, commits, and commit messages for secrets. It will automatically reject any commits that include information matching your configured prohibited regular expression patterns. This package offers the following features:

1. System-wide and user-wide patterns – blocked from all git projects on the machine
2. Repo-specific patterns – blocked from the specific git project
3. Override whitelist patterns let you skip false positives
4. AWS-specific handler – this explicitly blocks all AWS credentials the local user has stored in their ~/.aws/credentials file
5. Manual scanning – you can run ad hoc scans on a file or recursively on a directory
6. Linux/Mac/Windows support (Windows support works in git-bash)

For a more detailed description and installation instructions, please visit: https://github.com/awslabs/git-secrets

I will be resolving this case in favor of case : 224678621, where we will take a look at the unauthorized charges once your exposed Access key (AKIAIXXXXXXXXXXZXXQ) has been removed.

We hope you find this information useful. Please do not hesitate to contact AWS Support if you have any questions.

Best regards,

Chris D.
Amazon Web Services

Check out the AWS Support Knowledge Center, a knowledge base of articles and videos that answer customer questions about AWS services: https://aws.amazon.com/premiumsupport/knowledge-center/?icmpid=support_email_category

We value your feedback. Please rate my response using the link below.
===================================================

What this post is really getting at is that AWS does take some protective measures on the Internet on your behalf to catch leaked keys, but all of these are after-the-fact notifications. Plenty of hackers online scan for cloud account credentials to use for mining, so you have to be careful when using the cloud, or else you end up quietly paying AWS for it (bankruptcy XD).
