
What is the s3tk security audit toolkit?

Published: 2025-01-22 (last updated 2025-01-22). Author: 千家信息网 editor

This article introduces the s3tk security audit toolkit in some detail; it should serve as a useful reference for anyone responsible for the security of S3 buckets.

s3tk is a security audit toolkit for Amazon S3. Security researchers and cloud engineers can use it from the command line to check the security configuration of their Amazon S3 buckets and, for several of the checks, to apply the fix as well.

Installation

Install s3tk with pip:

pip install s3tk

Configure AWS credentials with the AWS CLI (s3tk reads the same credential sources as the CLI):

pip install awscli
aws configure

Commands

Security scan

The scan checks each bucket for the following:

1. ACL open to the public

2. Bucket policy open to the public

3. Public access blocked (S3 Block Public Access configured on the bucket)

4. Server access logging enabled

5. Versioning enabled

6. Default encryption enabled

Scan every bucket in the account:

s3tk scan

Scan only specific buckets:

s3tk scan my-bucket my-bucket-2

Wildcards are supported (quote the pattern so the shell does not expand it):

s3tk scan "my-bucket*"

Skip the logging, versioning and default-encryption checks:

s3tk scan --skip-logging --skip-versioning --skip-default-encryption

Get email notifications via SNS (subscribe an email address to the topic; the topic ARN is abbreviated here):

s3tk scan --sns-topic arn:aws:sns:...
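The first three scan checks are decisions about the shape of three API responses (GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock). The script below re-implements those decisions so they can be studied without an AWS account. It is example code written for this article, not s3tk's own source; the three sample responses are constructed by hand in the shape boto3 returns them, and the bucket name, owner ID and statement Sid in them are made up.

```python
"""Offline re-implementation of the ACL, policy and Block Public Access
checks that `s3tk scan` performs. Example code for this article, not
s3tk's source; inputs are constructed samples, not real API output."""
import json

# Grantee URIs that mean "everyone" / "any AWS account" in an S3 ACL.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant made to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[1], grant["Permission"]))
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_document):
    """Sids (or positional indexes) of Allow statements for a wildcard principal.

    Conditions are deliberately ignored: a conditional wildcard Allow may or may
    not be public (aws:SourceVpce narrows it, aws:SecureTransport does not), so
    the conservative audit choice is to report it for a human to review.
    """
    if not policy_document:  # bucket has no policy: nothing to report
        return []
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be wrapped in a list
        statements = [statements]
    return [
        stmt.get("Sid", f"#{i}")
        for i, stmt in enumerate(statements)
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal"))
    ]


def public_access_fully_blocked(config):
    """True only when all four Block Public Access settings are on."""
    return all(config.get(key) is True for key in PAB_KEYS)


def scan_bucket(acl, policy_document, pab_config):
    """Map each check to True (pass) / False (fail), like the first rows of `s3tk scan`."""
    return {
        "ACL not open to public": not public_acl_grants(acl),
        "Policy not open to public": not public_policy_statements(policy_document),
        "Public access blocked": public_access_fully_blocked(pab_config),
    }


# --- constructed sample responses (made up, not captured from an account) ----
SAMPLE_ACL = {
    "Owner": {"ID": "c1d2e3f4example"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "c1d2e3f4example"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObjectAcl",
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
})
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for check, ok in scan_bucket(SAMPLE_ACL, SAMPLE_PUBLIC_POLICY, SAMPLE_PAB).items():
        print(f"{'passed' if ok else 'failed'}  {check}")
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("public policy statements:", public_policy_statements(SAMPLE_PUBLIC_POLICY))
```

Note how the sample policy fails even though it also carries a Deny: the Deny only stops ACL changes, it does not narrow the wildcard GetObject grant, and the Block Public Access settings would not save this bucket either because RestrictPublicBuckets is off.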

Listing policies

List the bucket policy of every bucket:

s3tk list-policy

Only specific buckets:

s3tk list-policy my-bucket my-bucket-2

Show named statements (statements s3tk recognizes are shown by name instead of as raw JSON):

s3tk list-policy --named

Set a policy. The --no-object-acl option installs the "only private uploads" policy shown under "Bucket policy" below, which denies s3:PutObjectAcl so uploaded objects cannot be made public through object ACLs:

s3tk set-policy my-bucket --no-object-acl

Delete a bucket's policy:

s3tk delete-policy my-bucket

Turn on S3 Block Public Access for buckets:

s3tk block-public-access my-bucket my-bucket-2

Enable default encryption

Enable default encryption on every bucket:

s3tk enable-default-encryption

Only on specific buckets:

s3tk enable-default-encryption my-bucket my-bucket-2

Scan object ACLs

Scan the ACL of every object in a bucket (this lists and inspects each object individually, so it can take a long time on large buckets):

s3tk scan-object-acl my-bucket

Only specific objects:

s3tk scan-object-acl my-bucket --only "*.pdf"

Exclude specific objects:

s3tk scan-object-acl my-bucket --except "*.jpg"

Scan DNS

Check the account's Route 53 records that point at S3. Judging from the permissions the command needs (see the IAM policy below: the bucket list plus route53:ListHostedZones and route53:ListResourceRecordSets), it compares records targeting S3 endpoints with the buckets the account actually owns, which is how a dangling record pointing at a bucket you no longer own, the classic S3 subdomain-takeover setup, gets found:

s3tk scan-dns

Credentials

s3tk reads credentials from ~/.aws/credentials or from environment variables, the same way the AWS CLI does. To run it under a specific profile:

AWS_PROFILE=your-profile s3tk

IAM policy

Below are the permissions each command needs; include only the statements for the commands you actually use, and replace my-bucket in the object-level statements with the buckets s3tk is allowed to touch. The scan-object-acl command is covered by the s3:ListBucket and s3:GetObjectAcl actions of the ResetObjectAcl statement. The policy also carries statements (EnableLogging, EnableVersioning, ResetObjectAcl, Encrypt, DeleteUnencryptedVersions) for s3tk commands that this article does not describe.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Scan",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketLogging",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ScanDNS",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SetPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeletePolicy",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "BlockPublicAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableLogging",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutBucketLogging"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableVersioning",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutBucketVersioning"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableDefaultEncryption",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ResetObjectAcl",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Sid": "Encrypt",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Sid": "DeleteUnencryptedVersions",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketVersions",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Access logs

Amazon Athena can be used to query S3 server access logs. Create the table below, changing the LOCATION in the last line to point at the bucket and prefix your access logs are delivered to. One caveat: current S3 log lines append further fields after the version id (host id, signature version, cipher suite, authentication type, host header, TLS version, ...), so the trailing $ anchor in this regex will not match them and the RegexSerDe then yields NULL columns for those rows; either drop the $ or extend the regex and column list to the current AWS log format.

CREATE EXTERNAL TABLE my_bucket (
  bucket_owner string,
  bucket string,
  time string,
  remote_ip string,
  requester string,
  request_id string,
  operation string,
  key string,
  request_verb string,
  request_url string,
  request_proto string,
  status_code string,
  error_code string,
  bytes_sent string,
  object_size string,
  total_time string,
  turn_around_time string,
  referrer string,
  user_agent string,
  version_id string
)
ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe'
WITH SERDEPROPERTIES (
  'serialization.format' = '1',
  'input.regex' = '([^ ]*) ([^ ]*) \\[(.*?)\\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) \\\"([^ ]*) ([^ ]*) (- |[^ ]*)\\\" (-|[0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) (\"[^\"]*\\") ([^ ]*)$'
)
LOCATION 's3://my-s3-logs/my-bucket/';

Then query it. This example finds successful (2xx) anonymous requests (the requester column is '-' for unsigned requests) to keys under a prefix, which is exactly the traffic a public bucket or public object ACL lets through:

SELECT
  date_parse(time, '%d/%b/%Y:%H:%i:%S +0000') AS time,
  request_url,
  remote_ip,
  user_agent
FROM my_bucket
WHERE requester = '-'           -- anonymous (unsigned) requests
  AND status_code LIKE '2%'     -- that succeeded
  AND request_url LIKE '/some-keys%'
ORDER BY 1;
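The same detection can be run locally over raw log lines, which is handy when the logs are not yet in Athena or when you want to check whether the regex matches your log format at all. The script below is example code written for this article, not part of s3tk. It uses the same 20-group pattern as the RegexSerDe definition with one addition, a trailing (?: .*)? so that newer log lines with extra fields still parse, and it applies the same WHERE clause and ordering as the query. All four log lines are constructed by hand (owner ID, request IDs, IPs and user agents are made up).

```python
"""Apply the access-log query's filter locally. Example code for this
article (not part of s3tk); the log lines below are constructed samples."""
import re
from datetime import datetime

# Column names in the same order as the Athena table above.
FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_verb", "request_url", "request_proto",
    "status_code", "error_code", "bytes_sent", "object_size", "total_time",
    "turn_around_time", "referrer", "user_agent", "version_id",
)
# Same 20 capture groups as the RegexSerDe pattern; the added `(?: .*)?`
# tolerates the extra trailing fields that newer S3 log lines carry.
LOG_RE = re.compile(
    r'([^ ]*) ([^ ]*) \[(.*?)\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) '
    r'"([^ ]*) ([^ ]*) (- |[^ ]*)" (-|[0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) '
    r'([^ ]*) ([^ ]*) ("[^"]*") ([^ ]*)(?: .*)?$'
)


def parse_line(line):
    """Return the line as a dict keyed by FIELDS, or None if it does not match."""
    m = LOG_RE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def anonymous_successful_requests(lines, url_prefix):
    """The query's WHERE clause: requester = '-', 2xx status, URL under prefix.

    Rows come back ordered by timestamp, like ORDER BY 1 in the query.
    """
    rows = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line (in Athena this row would be all NULLs)
        if (rec["requester"] == "-" and rec["status_code"].startswith("2")
                and rec["request_url"].startswith(url_prefix)):
            rows.append({
                # same layout as date_parse(time, '%d/%b/%Y:%H:%i:%S +0000');
                # %z accepts any offset rather than only +0000
                "time": datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z"),
                "request_url": rec["request_url"],
                "remote_ip": rec["remote_ip"],
                "user_agent": rec["user_agent"].strip('"'),
            })
    rows.sort(key=lambda r: r["time"])
    return rows


# --- constructed sample log lines (made up, not captured from a real bucket) --
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
SAMPLE_LINES = [
    # anonymous GET that succeeded: this is what the query hunts for
    f'{OWNER} my-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 - 3E57427F3EXAMPLE '
    f'REST.GET.OBJECT some-keys/report.pdf "GET /some-keys/report.pdf HTTP/1.1" '
    f'200 - 2662 2662 70 3 "-" "Mozilla/5.0 (X11; Linux x86_64)" -',
    # authenticated GET: requester is an IAM ARN, so it is excluded
    f'{OWNER} my-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 '
    f'arn:aws:iam::123456789012:user/alice 7B4A0FABEXAMPLE REST.GET.OBJECT '
    f'some-keys/internal.csv "GET /some-keys/internal.csv HTTP/1.1" 200 - 900 900 '
    f'21 4 "-" "aws-cli/2.15.0" -',
    # anonymous GET that was denied (403): excluded by the status filter
    f'{OWNER} my-bucket [06/Feb/2019:00:02:15 +0000] 192.0.2.3 - 9D5E7ACEEXAMPLE '
    f'REST.GET.OBJECT some-keys/secret.txt "GET /some-keys/secret.txt HTTP/1.1" '
    f'403 AccessDenied 243 - 12 - "-" "curl/8.0.1" -',
    # newer log format with trailing fields; anonymous, successful, earlier timestamp
    f'{OWNER} my-bucket [05/Feb/2019:23:59:59 +0000] 203.0.113.5 - 1C3AB2DEEXAMPLE '
    f'REST.GET.OBJECT some-keys/other.csv "GET /some-keys/other.csv HTTP/1.1" '
    f'200 - 512 512 14 5 "-" "python-requests/2.31.0" - '
    f'hostid+EXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - my-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -',
]

if __name__ == "__main__":
    for row in anonymous_successful_requests(SAMPLE_LINES, "/some-keys"):
        print(row["time"].isoformat(), row["request_url"], row["remote_ip"], row["user_agent"])
```

Only the first and fourth sample lines are reported, in timestamp order; the fourth line would have been silently lost by the unmodified $-anchored regex.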

CloudTrail logs

Amazon Athena can also query CloudTrail logs. Create the table below, changing the LOCATION in the last line to the bucket (and prefix) your trail writes to. The field lists of the STRUCT columns were lost in this page's copy of the statement; they are restored here from the AWS-documented CloudTrail table definition, and the query that follows relies on userIdentity.userName being present.

CREATE EXTERNAL TABLE cloudtrail_logs (
  eventversion STRING,
  userIdentity STRUCT<
    type:STRING,
    principalid:STRING,
    arn:STRING,
    accountid:STRING,
    invokedby:STRING,
    accesskeyid:STRING,
    userName:STRING,
    sessioncontext:STRUCT<
      attributes:STRUCT<
        mfaauthenticated:STRING,
        creationdate:STRING>,
      sessionIssuer:STRUCT<
        type:STRING,
        principalId:STRING,
        arn:STRING,
        accountId:STRING,
        userName:STRING>>>,
  eventTime STRING,
  eventSource STRING,
  eventName STRING,
  awsRegion STRING,
  sourceIpAddress STRING,
  userAgent STRING,
  errorCode STRING,
  errorMessage STRING,
  requestId STRING,
  eventId STRING,
  resources ARRAY<STRUCT<
    ARN:STRING,
    accountId:STRING,
    type:STRING>>,
  eventType STRING,
  apiVersion STRING,
  readOnly BOOLEAN,
  recipientAccountId STRING,
  sharedEventID STRING,
  vpcEndpointId STRING,
  requestParameters STRING,
  responseElements STRING,
  additionalEventData STRING,
  serviceEventDetails STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://my-cloudtrail-logs/';

Then query it. This example lists every bucket-level API call (PutBucketAcl, PutBucketPolicy, DeleteBucketPolicy, PutBucketPublicAccessBlock and so on, but also the read-only GetBucket* calls) with who made it and with what parameters:

SELECT
  eventTime,
  eventName,
  userIdentity.userName,
  requestParameters
FROM cloudtrail_logs
WHERE eventName LIKE '%Bucket%'   -- bucket-level API calls, reads included
ORDER BY 1;
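The same filter, run locally over a CloudTrail log file, as example code written for this article (not part of s3tk). It adds the two refinements a reviewer usually wants next: dropping read-only calls so only configuration changes remain, and resolving the actor for AssumedRole identities, whose name is nested under sessionContext.sessionIssuer rather than in userIdentity.userName (the query above prints NULL for those). The records are constructed by hand in the shape CloudTrail delivers to S3 (a JSON document with a top-level "Records" array), with only the fields this code reads filled in; user names, role name and timestamps are made up.

```python
"""Apply the CloudTrail query's filter locally, plus read-only filtering and
assumed-role actor resolution. Example code for this article, not part of
s3tk; the trail below is a constructed sample."""
import json

# Constructed CloudTrail delivery file (not real events).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "my-bucket", "x-amz-acl": ["public-read"]}},
    {"eventTime": "2024-03-01T09:58:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "auditor"},
     "requestParameters": {"bucketName": "my-bucket"}},
    {"eventTime": "2024-03-01T11:02:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketPolicy", "readOnly": False,
     # assumed role: no top-level userName, the IAM name is on the session issuer
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "deploy-role"}}},
     "requestParameters": {"bucketName": "my-bucket"}},
    {"eventTime": "2024-03-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "my-bucket", "key": "report.pdf"}},
]})


def actor_name(user_identity):
    """userIdentity.userName, falling back to sessionIssuer.userName, then the ARN."""
    name = user_identity.get("userName")
    if name:
        return name
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or user_identity.get("arn", "?")


def bucket_events(trail_json, changes_only=False):
    """WHERE eventName LIKE '%Bucket%' ORDER BY eventTime, as tuples.

    With changes_only=True, read-only calls (GetBucket*) are dropped so that
    only configuration changes remain. requestParameters is returned as a JSON
    string, matching the STRING column of the Athena table.
    """
    records = json.loads(trail_json)["Records"]
    rows = [
        (r["eventTime"], r["eventName"], actor_name(r["userIdentity"]),
         json.dumps(r.get("requestParameters", {}), sort_keys=True))
        for r in records
        if "Bucket" in r["eventName"] and not (changes_only and r.get("readOnly"))
    ]
    rows.sort(key=lambda row: row[0])  # ISO-8601 timestamps sort correctly as strings
    return rows


if __name__ == "__main__":
    for row in bucket_events(SAMPLE_TRAIL, changes_only=True):
        print(*row)
```

On the sample, the unfiltered query returns three rows (the GetBucketPolicy read, the public-read ACL change by alice, and the policy deletion by deploy-role); with changes_only the read drops out, and the PutObject event never matches because its name does not contain "Bucket".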

Bucket policy: only private uploads

This is the policy behind the --no-object-acl option of set-policy above. It denies s3:PutObjectAcl to every principal, so objects can still be uploaded but nobody can attach an ACL such as public-read to them. Because the Deny uses Principal "*", it also binds principals in your own account until the policy is removed (s3tk delete-policy). On buckets with the Object Ownership setting "bucket owner enforced" (the default for new buckets since April 2023) ACLs are disabled altogether, which makes this policy redundant there.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObjectAcl",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Updating

Run:

pip install s3tk --upgrade

To run the latest code from the master branch on GitHub:

pip install git+https://github.com/ankane/s3tk.git --upgrade

Running with Docker

Start a container and enter your credentials:

docker run -it ankane/s3tk aws configure

Commit the container, credentials included, as a new image:

docker commit $(docker ps -l -q) my-s3tk

Then run the tool from that image:

docker run -it my-s3tk s3tk scan

Note that docker commit freezes the credentials you typed into the image layers of my-s3tk: anyone who can pull or inspect that image obtains them. For anything beyond a throwaway test, mount your ~/.aws directory read-only into the container or pass credentials through environment variables instead of committing them into an image, and make sure the image is never pushed to a shared registry.

Screenshot of the tool running: (image not reproduced here)
