nccgroup / Sadcloud

Licence: agpl-3.0
A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure

Sadcloud

sadcloud is a tool for spinning up insecure AWS infrastructure with Terraform.

It supports approx. 84 misconfigurations across 22 AWS services. The initial set of misconfigurations was drawn from ScoutSuite, NCC Group's multi-cloud auditing tool.

sadcloud was created to let security researchers easily misconfigure AWS for training purposes, or to assess AWS security tools, both built-in and third-party.

Security Note - must read

This tool spins up intentionally vulnerable AWS resources. Please do not run it in your production cloud, or anywhere that is meant to be secure. Consider standing up a new AWS account in which to run this tool. As this tool spins up cloud resources, it will result in charges to your AWS account. Efforts have been made to minimize the costs incurred, but NCC Group and this tool's maintainers are not responsible for any charges or security issues that may result from usage of this tool. Make sure to tear down all Terraform resources when not using them!

Costs

A 24-hour test run of sadcloud generated a bill of approximately $10. The majority of that cost is from the Redshift module (25c/hour = $6/day) and the EKS module (10c/hour = $2.40/day).

Sample Audits using sadcloud

We periodically use sadcloud to demonstrate various AWS and Terraform auditing tools. All audits are run against the full corpus of possible misconfigurations.

Tool Sample Report
ScoutSuite https://ramimac.github.io/sadcloud-reports/scoutsuite-reports/scoutsuite-report_03_2020/aws.html
prowler https://ramimac.github.io/sadcloud-reports/prowler-report/report.html
cloudmapper https://ramimac.github.io/sadcloud-reports/cloudmapper-reports/web_03_2020/account-data/report.html
cloudsploit https://ramimac.github.io/sadcloud-reports/cloudsploit-scans-reports/scans.04_2020.txt
tfsec https://ramimac.github.io/sadcloud-reports/tfsec/tfsec.03_27_2020.txt

Setup

Required software: Terraform

Ensure that your SSH keys are written to data/ssh_keys/terraform_rsa{,.pub}.

ssh-keygen -t rsa -b 4096 -f data/ssh_keys/terraform_rsa

  1. git clone https://github.com/nccgroup/sadcloud.git
  2. cd sadcloud/sadcloud

Environment Setup

Set up the AWS provider (see the "Using Providers Instead of Environment Variables" section below for instructions on avoiding this step):

export AWS_ACCESS_KEY_ID="accesskey"
export AWS_SECRET_ACCESS_KEY="secretkey"
export AWS_DEFAULT_REGION="us-east-1"

Get Terraform ready:

terraform init

Configure sadcloud

Configure sadcloud with your desired misconfigurations:

  • To enable all findings (excluding those that conflict with other findings):

    1. Uncomment all modules in sadcloud/main.tf
    2. Either edit the all_findings flag in sadcloud/terraform.tfvars to true, or call terraform apply with the flag --var="all_findings=true"
  • To enable all findings in one or more services:

    1. Uncomment the relevant service(s) in sadcloud/main.tf
    2. For a single service, either edit the relevant all_{service}_findings flag in sadcloud/terraform.tfvars to true, or call terraform apply with the flag --var="all_{service}_findings=true"
    3. For multiple services, either edit the all_findings flag in sadcloud/terraform.tfvars to true, or call terraform apply with the flag --var="all_findings=true"
       NOTE: There is currently a Terraform bug with the CloudFormation service. To generate CloudFormation findings, you will need to run terraform apply twice.
  • To enable specific findings granularly:

    1. Uncomment the relevant service in sadcloud/main.tf
    2. Edit the variables of interest directly in sadcloud/main.tf, flipping them to true where desired.
    3. For services that require a VPC, make sure you set needs_network to true in sadcloud/main.tf

Note: All misconfigurations in sadcloud are disabled by default. All services are disabled by default to prevent spinning up unnecessary resources. Setting the variable for a misconfiguration to true always results in misconfiguration. Running all_findings can take 10-15 minutes.

Check it:

terraform plan

Deploy it:

terraform apply

Tear it down:

terraform destroy

Note: terraform apply will spin up services in AWS. These cost money. Don't forget to terraform destroy after you're done. Make sure you terraform plan before running all_findings so you understand what you're getting yourself into!
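
The Security Note's advice to use a dedicated AWS account can be enforced before every plan, apply or destroy. The wrapper below is an added example, not part of sadcloud: it compares the account reported by `aws sts get-caller-identity` with `SADCLOUD_ACCOUNT_ID`, a hypothetical variable you set to the sandbox account's ID, and it assumes the AWS CLI is installed alongside Terraform.

```sh
#!/bin/sh
# Added example (not sadcloud code): refuse to run Terraform unless the active
# credentials belong to the throwaway account named in SADCLOUD_ACCOUNT_ID
# (hypothetical variable name chosen for this example).

# Succeeds only if $1 looks like an AWS account ID (exactly 12 digits).
valid_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Succeeds only if the expected ($1) and actual ($2) account IDs are both
# well-formed and identical. An unset expected ID therefore fails closed.
account_matches() {
  valid_account_id "$1" && valid_account_id "$2" && [ "$1" = "$2" ]
}

# Account ID that the current credentials resolve to, as reported by STS.
current_account() {
  aws sts get-caller-identity --query Account --output text
}

# usage: sadcloud_guarded plan|apply|destroy [terraform args...]
# returns 1 on account mismatch, 2 on usage or identity lookup errors.
sadcloud_guarded() {
  _action="${1:-}"
  case "$_action" in
    plan|apply|destroy) shift ;;
    *) echo "usage: sadcloud_guarded plan|apply|destroy [terraform args]" >&2
       return 2 ;;
  esac
  _actual="$(current_account)" || {
    echo "cannot resolve caller identity; check AWS credentials" >&2
    return 2
  }
  if ! account_matches "${SADCLOUD_ACCOUNT_ID:-}" "$_actual"; then
    echo "refusing to $_action: credentials resolve to account '$_actual'," \
         "which is not SADCLOUD_ACCOUNT_ID" >&2
    return 1
  fi
  terraform "$_action" "$@"
}

# When run as a script with arguments, act as a drop-in for terraform.
if [ "$#" -gt 0 ]; then sadcloud_guarded "$@"; fi
```

Saved as a script in sadcloud/sadcloud, it is called with the same arguments as Terraform, for example `apply --var="all_findings=true"`.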

Extras

Using Providers Instead of Environment Variables

It's possible to set up an AWS provider so you won't have to set environment variables each time.

Create a file called sadcloud/providers.tf with the following contents:

provider "aws" {
  access_key = "YOUR_AWS_ACCESS_KEY"
  secret_key = "YOUR_AWS_SECRET_KEY"
  region     = "us-east-1"
}