Licence: apache-2.0
🔐💥 KeyNuker - nuke AWS keys accidentally leaked to Github

image:https://img.shields.io/badge/reddit%2Faws%20upvotes-49-ff69b4.svg[link="https://www.reddit.com/r/aws/comments/734lof/keynuker_nuke_aws_keys_accidentally_leaked_to/"] image:https://img.shields.io/badge/license-Apache%202-blue.svg[link=https://www.apache.org/licenses/LICENSE-2.0]

If you accidentally leak your AWS keys on GitHub, it won't be long before attackers scrape this information and https://web.archive.org/web/20160304044323/https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#41d040f67cf8[hijack your account for nefarious purposes].

KeyNuker scans public activity across all Github users in your Github organization(s) and proactively deletes any AWS keys that are accidentally leaked. It gets the list of AWS keys to scan by directly connecting to the AWS API.

== 🚁 System Overview

* Polling loop to monitor all AWS keys for users of the AWS account
* Polling loop to monitor Github activity of all users in your github organization(s)
* Reactively nuke any AWS keys detected to have leaked to Github via the AWS API

image::docs/diagrams/architecture.png[Architecture]
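The core of the loop described above, as an added illustration that is not KeyNuker's own code: the list of known access key IDs (which in KeyNuker comes from `iam:ListUsers` and `iam:ListAccessKeys`) is matched verbatim against GitHub event payloads, and every hit is handed to a nuker that would call `iam:DeleteAccessKey`. Matching the account's real key IDs rather than a regex is what keeps the approach free of false positives. The `KnownKey`, `Nuker`, `MemoryNuker`, `FindLeakedKeys` and `NukeLeakedKeys` names, the sample key IDs and the sample payloads are all constructed for this example.

```go
// Added example, not KeyNuker's own code. Known key IDs are constructed inline
// instead of being fetched from the IAM API; GitHub event payloads are scanned
// for exact occurrences of those IDs, and every hit is passed to a Nuker.
package main

import (
	"fmt"
	"strings"
)

// KnownKey records an access key ID and the IAM user it belongs to.
// Only the key ID is ever needed; the secret access key is never read.
type KnownKey struct {
	UserName    string
	AccessKeyID string
}

// Nuker deletes an access key. A real implementation would call
// iam:DeleteAccessKey; MemoryNuker below is a stand-in for this example.
type Nuker interface {
	DeleteAccessKey(userName, accessKeyID string) error
}

// MemoryNuker records deletions instead of calling AWS.
type MemoryNuker struct{ Deleted []string }

func (m *MemoryNuker) DeleteAccessKey(userName, accessKeyID string) error {
	m.Deleted = append(m.Deleted, userName+"/"+accessKeyID)
	return nil
}

// FindLeakedKeys returns the known keys whose IDs appear verbatim in content,
// in the order the keys were listed. Strings that merely look like a key ID
// but are not in the account are ignored, so there are no pattern-match
// false positives.
func FindLeakedKeys(known []KnownKey, content string) []KnownKey {
	var hits []KnownKey
	for _, k := range known {
		if strings.Contains(content, k.AccessKeyID) {
			hits = append(hits, k)
		}
	}
	return hits
}

// NukeLeakedKeys scans each event payload and deletes every key found,
// returning the number of distinct keys nuked. A key seen in several
// payloads is deleted only once; the first deletion error stops the run.
func NukeLeakedKeys(known []KnownKey, payloads []string, n Nuker) (int, error) {
	done := map[string]bool{}
	for _, p := range payloads {
		for _, k := range FindLeakedKeys(known, p) {
			if done[k.AccessKeyID] {
				continue
			}
			if err := n.DeleteAccessKey(k.UserName, k.AccessKeyID); err != nil {
				return len(done), err
			}
			done[k.AccessKeyID] = true
		}
	}
	return len(done), nil
}

func main() {
	// Constructed sample data: IDs in the 20-character AKIA... shape, not real keys.
	known := []KnownKey{
		{UserName: "alice", AccessKeyID: "AKIAEXAMPLEALICE0001"},
		{UserName: "bob", AccessKeyID: "AKIAEXAMPLEBOB000002"},
	}
	// Constructed GitHub event payloads: the first leaks alice's key ID, the
	// second contains a key-shaped string that is not in the account.
	payloads := []string{
		"+AWS_ACCESS_KEY_ID=AKIAEXAMPLEALICE0001",
		"config: key = AKIANOTINOURACCT0001",
	}
	n := &MemoryNuker{}
	count, err := NukeLeakedKeys(known, payloads, n)
	fmt.Println(count, n.Deleted, err) // 1 [alice/AKIAEXAMPLEALICE0001] <nil>
}
```

In the real system the known-key list is refreshed by one polling loop and the payloads come from the GitHub events API in the other; only the matching and the delete call change between this example and the deployed actions.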

== ⏱ System Interaction w/ Timeline

image::docs/diagrams/dataflow.png[Data Flow]

== 🛠 Installing KeyNuker 🔐💥

KeyNuker is packaged as a series of https://github.com/apache/incubator-openwhisk[Apache OpenWhisk] actions, and can run anywhere that OpenWhisk can run.

Get the code:

----
$ go get -u -v -t github.com/tleyden/keynuker
----

Follow the steps in the link:docs/install.adoc[Installation Instructions] to set up OpenWhisk and set the required environment variables, then run the installation script.

----
$ cd $GOPATH/src/github.com/tleyden/keynuker/
$ python install.py
----

After the installation script completes, you will have several OpenWhisk actions:

----
$ wsk action list
/yourusername_dev/github-user-events-scanner-nuker                     private sequence
/yourusername_dev/fetch-aws-keys-write-doc                             private sequence
etc ...
----

== ✅ Features

. Never has access to AWS Secret Access Keys, only to AWS Access Key IDs.
. Noise-free because it scans actual AWS keys rather than taking a pattern matching approach that produces false positives.
. Takes actions rather than sending alerts, since depending on people to respond to alerts might introduce a costly delay in reaction time.
. Covers all public github activity of users in your github org(s), since they might leak AWS keys on their personal repos or even 3rd party repos.
. Requires minimal IAM Permissions: iam:DeleteAccessKey, iam:ListAccessKeys, iam:ListUsers.
. Ultra-low baseline running cost due to serverless architecture.
. Lowest common denominator and requires zero effort or workflow change for users.

== ⚪️ Roadmap / Goals

. Low-latency round trip between AWS keys leaking and being nuked. Currently uses a polling approach, but the goal is to layer a webhook approach on top in order to lower the latency.
. Scale up to monitoring hundreds of AWS accounts and thousands of github organizations/repos/users.
. Cover as much of the Github API surface area as possible (gists, issue comments, etc).
. Pluggable architecture so that other cloud key providers (Google Cloud Platform, Azure, etc) and other leak sources (BitBucket, Jira, etc) can be added later.

== 🏁 Project status: Early alpha stage

The basic end-to-end functionality is working, except for notifications, but there are still a lot of places where AWS keys can leak to Github and go undetected:

* Github Gists
* Other Github API surface area that isn't covered yet

== 📓 Documentation

.Documentation
|===
|Doc |Link

|README (this document) |link:README.adoc[README]

|Installation guide |link:docs/install.adoc[Installation Instructions]

|Post-installation verification |link:docs/verify.adoc[Verify Installation]

|Developer guide |link:docs/developers.adoc[Developer guide]

|AWS Security Resources |link:docs/aws_security_resources.adoc[AWS Security Resources]

|===

== 📰 Articles on malicious key scraping

== πŸ“ Related Projects

== ⚙ Related Services

== 👀 Related Reddit Discussions

== 🔒 Security At Depth

Taking a security-at-depth approach, in addition to running KeyNuker you should also consider the following precautions:

* Limit ec2 actions to only the regions that you use, eg ("StringEquals": {"ec2:Region": "us-east-1"})
* Limit ec2 actions to only the instance types that you use, eg ("StringLikeIfExists": {"ec2:InstanceType": ["t1.*"]})
* Use temporary AWS keys that require MFA
* Minimize the chance of AWS keys ever leaking in the first place using tools such as https://github.com/awslabs/git-secrets[Git Secrets], which can be configured as a pre-commit hook.