Elastic Security

Security for the Cloud

AWS South America support in CloudyScripts

Yesterday, Amazon announced on its blog that it has deployed a new region in South America (Sao Paulo, Brazil); the full article can be found here.

Even though the Amazon documentation did not yet contain all the required information (such as the Amazon Kernel Image IDs), we were able to retrieve it, which allows CloudyScripts to fully support this new region.

CloudyScripts gem

A new version has been released with the AKI mapping table up to date for this new region.
We retrieved the list of AKIs using the AWS EC2 API Tools as follows:

[fred@secludit-debian]# /bin/ec2-describe-images -K pkey-XXX.pem -C cert-XXX.pem --region sa-east-1 -a | grep pv-grub | awk '{print $2" "$3" "$7}'
aki-863ce39b ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-i386.gz.manifest.xml i386
aki-d63ce3cb ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-x86_64.gz.manifest.xml x86_64
aki-803ce39d ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-i386.gz.manifest.xml i386
aki-d03ce3cd ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-x86_64.gz.manifest.xml x86_64
aki-823ce39f ec2-public-images-sa-east-1/pv-grub-hd00_1.02-i386.gz.manifest.xml i386
aki-d23ce3cf ec2-public-images-sa-east-1/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
aki-bc3ce3a1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
aki-cc3ce3d1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64
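The listing above is what the gem's mapping table is built from. The following is an added example, not CloudyScripts code: it parses those exact lines into a region / architecture / disk-layout table, keeps the newest PV-GRUB version per slot, and looks up the AKI an AMI needs in a target region. The table layout and the helper names are assumptions made here.

```ruby
# Added example (not CloudyScripts code): build an AKI mapping table from the
# ec2-describe-images listing in the post. Input lines are the ones shown above.
AKI_LISTING = <<~EOS
  aki-863ce39b ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-i386.gz.manifest.xml i386
  aki-d63ce3cb ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-x86_64.gz.manifest.xml x86_64
  aki-803ce39d ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-i386.gz.manifest.xml i386
  aki-d03ce3cd ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-x86_64.gz.manifest.xml x86_64
  aki-823ce39f ec2-public-images-sa-east-1/pv-grub-hd00_1.02-i386.gz.manifest.xml i386
  aki-d23ce3cf ec2-public-images-sa-east-1/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
  aki-bc3ce3a1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
  aki-cc3ce3d1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64
EOS

# Manifest names encode the disk layout (hd0: PV-GRUB reads /boot/grub/menu.lst
# from an unpartitioned root device; hd00: from the first partition of a
# partitioned one), the PV-GRUB version and the architecture.
MANIFEST_RE = %r{ec2-public-images-(?<region>[a-z0-9-]+)/pv-grub-(?<layout>hd00|hd0)[-_]V?(?<version>\d+\.\d+)-(?<arch>i386|x86_64)\.gz\.manifest\.xml}

def parse_aki_listing(text)
  text.each_line.map do |line|
    id, manifest = line.split
    m = MANIFEST_RE.match(manifest.to_s)
    next unless m
    { id: id, region: m[:region], layout: m[:layout], version: m[:version], arch: m[:arch] }
  end.compact
end

# Table layout (assumption): region -> arch -> layout -> AKI id, keeping only
# the newest PV-GRUB version for each slot (1.02 wins over V1.01 here).
def aki_table(entries)
  entries.group_by { |e| [e[:region], e[:arch], e[:layout]] }.each_with_object({}) do |(key, group), table|
    region, arch, layout = key
    newest = group.max_by { |e| e[:version].split('.').map(&:to_i) }
    ((table[region] ||= {})[arch] ||= {})[layout] = newest[:id]
  end
end

# The AKI an AMI needs in a target region: same arch, same disk layout.
# Returns nil when the region is not in the table (e.g. before it was added).
def pick_aki(table, region, arch, partitioned_root)
  table.dig(region, arch, partitioned_root ? 'hd00' : 'hd0')
end

if __FILE__ == $PROGRAM_NAME
  table = aki_table(parse_aki_listing(AKI_LISTING))
  table.each { |region, archs| archs.each { |arch, layouts| puts "#{region} #{arch}: #{layouts}" } }
end
```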

CloudyScripts WebSite

Our free online service has been updated as well to support this new region in each of its scripts.

As requested by CloudyScripts users, we have also added support for auditing VPC SecurityGroups.

  • VPC Critical Ports Audit: This script checks the VPC SecurityGroups of your infrastructure to determine whether their configuration allows public access to ports that are considered so sensitive that exposing them may cause critical damage to your machines, such as the ports used for administering them.

/fred

Filed under: AWS, Cloud Computing

Amazon US West Oregon Region Support in CloudyScripts

A few days ago, Amazon announced a new AWS Region in Oregon (see the AWS blog post for more information).

Amazon’s documentation for PVGRUB AKI IDs (which can be found here) was not updated at the same time, which is why fully supporting the new US West (Oregon) region in CloudyScripts took a few additional days (especially for the Copy AMI To Different Region script).

NB: The importance of being able to map PVGRUB AKIs between different Amazon Regions was explained in a previous post, How-To: Copy an EBS-Backed AMI from one region to another one.

CloudyScripts Ruby gem

SecludIT has released a new version of the Ruby library containing the latest update on RubyForge. The gem is also available on RubyGems.org.

CloudyScripts WebSite

SecludIT has now added support for the new US West (Oregon) Region in CloudyScripts.

As a reminder, here is some information on one of our most used scripts (more than 5,000 executions so far):

  • Copy Ami to Different Region: Creates a copy of a given AMI and makes it available in another region. To do so, instances are started in both regions; they copy (via rsync) all files from a volume in the original region, created from a snapshot of the original AMI, to a clean volume in the target region. After the copy completes, a snapshot is taken in the target region and registered as an AMI.

CloudyScripts DevPay AMI

The SecludIT DevPay AMI has not yet been updated, but it should be available soon. This AMI runs in your own Amazon EC2 infrastructure and is available from our CloudyScripts WebSite.

As usual, any feedback is greatly appreciated, so do not hesitate to contact us or leave a comment.

/fred

Filed under: AWS, Cloud Computing

CloudyScripts for vCloud

Starting from now, CloudyScripts, our popular open-source library (more than 10,000 downloads so far) that relieves administrators of finicky scripting details when securing and managing cloud infrastructures, supports the vCloud API in addition to Amazon EC2. vCloud is the cloud stack provided by VMware and has already been adopted by around 30 hosting providers worldwide.

The first script we provide retrieves all open internet services for a given vCloud organization/account and checks whether a service is actually listening on each port. Unused open ports give attackers a way to deploy rogue publicly available services and may even incur additional costs in the case of providers like Terremark, which charges explicitly for every publicly available internet service.

As usual, the script can be executed locally by installing the gem from the open-source library, by using the CloudyScripts web service, or by starting a DevPay AMI within Amazon EC2. We welcome any feedback and are open to implementing or customizing scripts on demand!

Filed under: Solutions

Detect useless Snapshots and Volumes in the Amazon EC2 Cloud

Do you know the problem? You have started and stopped server instances on the Amazon Cloud and taken snapshots of instances or EBS volumes, and after some weeks or months you find the EC2 console completely cluttered. There are lots of unattached volumes with meaningless IDs and dozens of nameless snapshots whose contents you no longer know. Having all that data lying around not only degrades your experience in the web console, but also increases the probability of data leakage and accidental loss. Even worse, you pay for that mess and have to invest time to clean it up regularly, manually and carefully, to avoid deleting unique data or backups that might actually be needed for recovery purposes in the future.

We at SecludIT wrote an open-source script to address this problem and published it on our CloudyScripts site. The script identifies two types of resources that might be considered for cleanup:

  • Snapshots: when the number of snapshots that exist for the same EBS volume exceeds a certain configurable number, you can safely delete the oldest ones
  • Volumes: when a volume is not attached to any instance and has not been used for more than a day, it is probably useless
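The two rules above, applied to constructed records, as an added example that is not the script published on the CloudyScripts site. The record fields mirror what ec2-describe-snapshots and ec2-describe-volumes report; the last_used_at field (creation time, or last detach time where known) and the keep / idle_for thresholds are assumptions.

```ruby
# Added example (not the CloudyScripts script itself): flag cleanup candidates.
NOW = Time.utc(2011, 12, 15, 12, 0, 0) # fixed "now" so the example is reproducible

SNAPSHOTS = [ # constructed sample data
  { id: 'snap-0001', volume_id: 'vol-aaaa', start_time: Time.utc(2011, 10, 1) },
  { id: 'snap-0002', volume_id: 'vol-aaaa', start_time: Time.utc(2011, 11, 1) },
  { id: 'snap-0003', volume_id: 'vol-aaaa', start_time: Time.utc(2011, 12, 1) },
  { id: 'snap-0004', volume_id: 'vol-bbbb', start_time: Time.utc(2011, 12, 10) },
]

VOLUMES = [ # constructed sample data; last_used_at is an assumed field
  { id: 'vol-aaaa', status: 'in-use',    instance_id: 'i-1a2b3c', last_used_at: NOW },
  { id: 'vol-bbbb', status: 'available', instance_id: nil, last_used_at: Time.utc(2011, 12, 1) },
  { id: 'vol-cccc', status: 'available', instance_id: nil, last_used_at: Time.utc(2011, 12, 15, 6) },
]

# Rule 1: for each EBS volume, keep the `keep` most recent snapshots and flag
# the older ones. Snapshots of different volumes never compete with each other.
def stale_snapshots(snapshots, keep: 3)
  snapshots.group_by { |s| s[:volume_id] }.flat_map do |_volume, snaps|
    snaps.sort_by { |s| s[:start_time] }.reverse.drop(keep)
  end
end

# Rule 2: volumes attached to no instance and idle for longer than `idle_for`
# seconds (one day by default). A freshly detached volume is left alone.
def idle_volumes(volumes, now: NOW, idle_for: 24 * 60 * 60)
  volumes.select do |v|
    v[:status] == 'available' && v[:instance_id].nil? && (now - v[:last_used_at]) > idle_for
  end
end

if __FILE__ == $PROGRAM_NAME
  stale_snapshots(SNAPSHOTS, keep: 2).each { |s| puts "snapshot #{s[:id]} of #{s[:volume_id]} can go" }
  idle_volumes(VOLUMES).each { |v| puts "volume #{v[:id]} unattached since #{v[:last_used_at]}" }
end
```

The functions only report candidates; deleting them stays a deliberate, separate step.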

We are aware that there are very comprehensive AWS cost control and optimization solutions on the market (e.g. Cloudyn or Cloudrows). However, if you simply want to clean up your account from time to time without registering for a new service, the script should be quite helpful. I run it every week now!

Let us know if you find this useful and if you have suggestions to improve it!

Filed under: AWS, Solutions

Amazon EC2 Copy AMI and Snapshot: CloudyScripts updated

The SecludIT team is proud to announce that the Copy AMI and Copy Snapshot scripts for Amazon EC2, part of the CloudyScripts collection of tools to manage and automate cloud infrastructure, have been improved.

Copy AMI from one region to another

Following our users’ requests to support Amazon EC2 Linux AMIs (pre-configured, templated images that get you up and running immediately) that use the EXT4 filesystem for their root partition and their own kernel through the Amazon PV-Grub loader, we decided to add these features to CloudyScripts. While adding support for new kernels, we also added detection of the /dev/xvdX device node that maps to the /dev/sdX block device shown in the Amazon EC2 Console.

New features:

  • Support for the EXT4 and XFS Linux filesystems
  • Amazon Kernel Image (AKI) mapping between regions

As a result, we have fully automated the HowTo we wrote some time ago on copying an EBS-backed AMI between Amazon EC2 regions.
Using the CloudyScripts Copy AMI script, you can now move the vast majority of Amazon EC2 Linux AMIs to any Amazon EC2 Region.

Graphical User Interface

CloudyScripts GUI for Amazon EC2 Copy AMI

NB: CloudyScripts does not yet support BTRFS, which is, at this time, under heavy development.

Copy Snapshot from one region to another

As our users choose AMIs with EXT4 and XFS filesystems, support for the EXT4 and XFS filesystems has been added to the Copy Snapshot CloudyScript as well. We also added detection of the /dev/xvdX device node that maps to the /dev/sdX block device shown in the Amazon EC2 Console.

New feature:

  • Support for the EXT4 and XFS Linux filesystems

Using CloudyScripts Copy Snapshot, you can now move the vast majority of Amazon EC2 Linux snapshots between any Amazon EC2 Regions.

Graphical User Interface

CloudyScripts GUI for Amazon EC2 Copy Snapshot

NB: I was wondering what you think of creating a CloudyScript for automatically registering an Amazon EC2 Snapshot. Would it be helpful to you?

Security

In terms of security, we strongly recommend creating temporary Amazon EC2 credentials through AWS Identity and Access Management (IAM) and deleting them once the task is done. We explained how to do so using the Amazon command line tools in a previous article: ReadOnly credentials for Amazon EC2.

Another thing that must not be forgotten is to close the SSH port (TCP port 22) again once the task is done. Even if you are not using your default Amazon EC2 SecurityGroups, you must restrict administrative access to your Amazon EC2 infrastructure. Read more in Risk of publicly opened port.

References

AWS Blog: Enabling your own Linux Kernels
AWS Documentation: Use your own kernel with Amazon EC2

/fred

Filed under: AWS, Cloud Computing

CloudyScripts: Ruby code for command line Security Audit via SSH

As requested by our users, we have just added sample code for creating Ruby scripts on top of the cloudyscripts gem, which can be found on RubyGems or on RubyForge.

The first script runs a Security Audit via SSH from the command line. In addition, we extended its scope: the Security Audit can now be run against a running instance (in addition to AMIs), which allows you:

  • to test running instances, so there is no need to wait for a new instance to start
  • to perform a Security Audit of a production server with full control over the Security Audit process

For information on how to retrieve the source code of this open-source project, published under the Apache v2.0 licence, please go to the cloudyscripts SCM on RubyForge.

We would like to thank Jonas Zaddach (Master Computer Science Student at Eurecom) who wrote the “Security Audit via SSH” part of the cloudyscripts library during his internship at SecludIT.

/fred

Filed under: AWS, Cloud Computing, Secure Cloud

New CloudyScript: Security Audit via SSH

We are glad to announce a new CloudyScript, Security Audit via SSH, which performs a Security Audit of an Amazon EC2 AMI. It requires a privileged user that can run sudo.

Security auditing is very important in cloud computing infrastructures, where virtual machine images (AMIs in the case of Amazon) can be shared among users. In order to avoid backdoors or vulnerable machines in your own Amazon EC2 infrastructure, you MUST evaluate the public AMIs you are using. The Security Audit via SSH CloudyScript automates that task.

Here is a sample output of an SSH Audit:

Moreover, we designed it as a library of security audits, which for now contains audits for SSH and Apache2 servers, and we will continue to extend it with other security audits.

/fred

NB: This Security Audit does not check your IP restrictions for accessing the SSH server. In order to check that your SSH server is not publicly exposed, you can use the Public Port Checker CloudyScript.

Filed under: AWS, Cloud Computing, Secure Cloud

The Risk of Unused Public Ports

Public access should be restricted to services that are meant to be public. Public services are the most exposed to external attacks and should be kept to a minimum. Furthermore, every publicly reachable port should have a running public service behind it, so that an attacker or insider (with no access to the security groups firewall) cannot deploy a rogue publicly available service within your infrastructure.

We therefore wrote a script as part of the CloudyScripts project that detects, for all instances in your EC2 infrastructure, open public ports behind which no service is running. Note: the same feature is also part of Elastic Detector and is described in more detail here.

Filed under: AWS

New CloudyScript: Detect Port Ranges

Amazon EC2 uses the notion of Security Groups to let users define inbound firewall rules (called permissions) that are dynamically applied to all server instances that are part of the group. This concept is simple and very powerful at the same time, since permissions are configured only once and are then applied like a template to all future server instances, unlike traditional firewalls, where rules are defined for every server. On the other hand, misconfigurations have a higher impact, since all server instances of a misconfigured group are affected.

Thus, the configuration of security groups and their assignment to launched instances should be done very carefully. One very frequent misconfiguration is to open complete port ranges to public IP addresses. It may also happen that third-party EC2 tools use the API to create security groups with open port ranges to facilitate their own access, thereby exposing your infrastructure.

Open port ranges allow attackers to scan all ports that are actually in use, retrieve information about the services running on a particular machine, and focus on attacking particularly critical ports such as port 22 for SSH. We added a script to our CloudyScripts library that identifies all security groups with open port ranges in a given EC2 region. You can find the script here. It is one more contribution to making the cloud more secure. Your feedback is always welcome!
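The two checks this post and the VPC Critical Ports Audit above describe, applied to constructed security groups, as an added example that is not the CloudyScripts script: it flags permissions that open a port range to public addresses, and permissions that expose an administrative port to public addresses. The permission record shape is modelled on ec2-describe-group output, and CRITICAL_PORTS and the private-range test are assumptions made here.

```ruby
require 'ipaddr'

# Added example (not CloudyScripts code): audit security group permissions.
CRITICAL_PORTS = { 22 => 'SSH', 3389 => 'RDP' } # assumption: a starting list of admin ports
PRIVATE_NETS = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8].map { |c| IPAddr.new(c) }

SECURITY_GROUPS = [ # constructed sample data
  { name: 'web', permissions: [
    { protocol: 'tcp', from: 80, to: 80, cidr: '0.0.0.0/0' },
    { protocol: 'tcp', from: 22, to: 22, cidr: '10.0.0.0/8' } ] },
  { name: 'legacy-tool', permissions: [
    { protocol: 'tcp', from: 1024, to: 65535, cidr: '0.0.0.0/0' },
    { protocol: 'tcp', from: 22, to: 22, cidr: '0.0.0.0/0' } ] },
]

# A source CIDR counts as public unless it lies entirely inside a private range.
def public_cidr?(cidr)
  net = IPAddr.new(cidr)
  PRIVATE_NETS.none? { |priv| priv.include?(net) }
end

# Protocol -1 (all traffic) is reported with ports -1/-1: treat it as 0-65535.
def port_span(perm)
  perm[:protocol] == '-1' ? [0, 65535] : [perm[:from], perm[:to]]
end

# One finding per problem: a range open to the public, or a critical port that
# is reachable from the public either directly or because a range covers it.
def audit_security_groups(groups, critical: CRITICAL_PORTS)
  groups.flat_map do |g|
    g[:permissions].flat_map do |perm|
      next [] unless public_cidr?(perm[:cidr])
      lo, hi = port_span(perm)
      findings = []
      findings << { group: g[:name], issue: :open_port_range, ports: "#{lo}-#{hi}", cidr: perm[:cidr] } if lo != hi
      critical.each do |port, label|
        findings << { group: g[:name], issue: :critical_port, ports: "#{port} (#{label})", cidr: perm[:cidr] } if (lo..hi).cover?(port)
      end
      findings
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_security_groups(SECURITY_GROUPS).each { |f| puts "#{f[:group]}: #{f[:issue]} #{f[:ports]} from #{f[:cidr]}" }
end
```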

Filed under: AWS

CloudyScripts Supports New Amazon EC2 Region: Asia Pacific (Tokyo)

Amazon has announced a new AWS Region in Tokyo (see the AWS blog post for more information).

CloudyScripts WebSite

CloudyScripts has been updated in order to support this new AWS Region.

This AWS Region is available in all the following CloudyScripts:

  • Convert Instance-store AMI To EBS-booted AMI: Takes an instance-store AMI, instantiates it, copies the boot data to a temporary EBS volume, takes a snapshot of this EBS volume and registers the snapshot as an EBS-booted AMI. As a result, the new AMI behaves exactly like the original AMI, but boots from an EBS volume.
  • Copy Ami to Different Region: Creates a copy of a given AMI and makes it available in another region. To do so, instances are started in both regions; they copy (via rsync) all files from a volume in the original region, created from a snapshot of the original AMI, to a clean volume in the target region. After the copy completes, a snapshot is taken in the target region and registered as an AMI.
  • Download a Snapshot: Allows you to download a snapshot as a zip file. To do so, the script starts an instance with a web server, creates and attaches an EBS volume from the specified snapshot, zips the snapshot data, and makes it available as a download link for 5 minutes.
  • Copy Snapshot To Different Region: Creates a copy of a given snapshot and makes it available in another region. To do so, instances are started in both regions; they copy (via rsync) all files from a volume in the original region, created from the specified snapshot, to a clean volume in the target region. After the copy completes, a snapshot is taken in the target region.
  • Encrypt Storage Using dm-crypt: Allows you to encrypt EBS storage using the dm-crypt tool. The script transforms an EBS volume (which must already be attached to an instance) into a dm-crypt encrypted volume, creates a file system (ext3), and mounts it at the specified path.

CloudyScripts Community AMI

The CloudyScripts Community AMI has also been updated to support this new AWS Region. This AMI can be found in the US East (Northern Virginia) Region with the current AMI ID ami-f291639b.

Any feedback is greatly appreciated, so do not hesitate to contact us.

/fred

Filed under: AWS, Cloud Computing
