kmcquade

--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env:                                      # The environment, mandatory
  contexts:                               # List of 1 or more contexts, mandatory
    - name: context 1                     # Name to be used to refer to this context in other jobs, mandatory
      url: http://demo.testfire.net/             # The top level url, mandatory, everything under this will be included
      includePaths:  # TBA: An optional list of regexes to include
      excludePaths:  # TBA: An optional list of regexes to exclude
      authentication:                     # TBA: In time to cover all auth configs
  parameters:
    failOnError: true                  # If set exit on an error

kmcquade

# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0	WARN	(Directory Browsing - Active/release)
10003	WARN	(Vulnerable JS Library - Passive/release)
10010	WARN	(Cookie No HttpOnly Flag - Passive/release)
10011	WARN	(Cookie Without Secure Flag - Passive/release)
10015	WARN	(Incomplete or No Cache-control Header Set - Passive/release)

kmcquade

resource "null_resource" "nuke" {
  # Because we set this to timestamp, it *always* runs :D
  triggers = {
    party_like_its_jan_1_1970 = timestamp()
  }

  provisioner "local-exec" {
    command = <<EOF
for sub in `az account list | jq -r '.[].id'`; do \
    for rg in `az group list --subscription $sub | jq -r '.[].name'`; do \

kmcquade

#!/usr/bin/env bash

for sub in `az account list | jq -r '.[].id'`; do \
    for rg in `az group list --subscription $sub | jq -r '.[].name'`; do \
        az group delete --name ${rg} --subscription $sub --no-wait --yes; \
    done; done;

kmcquade

{
  "Statement": [
    {
      "Action": [
        "appsync:ListApiKeys",
        "chatbot:*",
        "codecommit:GetFile",
        "codecommit:GetCommit",
        "codecommit:GetDifferences",
        "codepipeline:PollForJobs",

kmcquade

{
  "Statement": [
    {
      "Action": [
        "appsync:ListApiKeys",
        "chatbot:*",
        "codecommit:GetFile",
        "codecommit:GetCommit",
        "codecommit:GetDifferences",
        "cognito-idp:*",

kmcquade

from jira import JIRA
import click
import getpass

ISSUE_SUMMARY = "Overly permissive AWS IAM Policies in use"
ISSUE_DESCRIPTION = """As part of our security assessment, our team ran Cloudsplaining on your AWS account.

Cloudsplaining maps out the IAM risk landscape in a report, identifies where resource ARN constraints are not used, and
identifies other risks in IAM policies like Privilege Escalation, Data Exfiltration, and Resource Exposure.

kmcquade

{
  "basics": {
    "email": "[email protected]",
    "image": "https://avatars.githubusercontent.com/u/3422255?s=400\u0026u=3aa6c1944134c93d3eb1500028e54826ce561f7f\u0026v=4",
    "label": "Lead Security Engineer",
    "location": {
      "city": "San Francisco",
      "countryCode": "US",
      "region": "California"
    },

kmcquade

This only works when you have the victim account ID. For this example, let's say that the victim account ID is 999988887777.

Create a test role

First, create a role that we can use for this demo. This role is in your own account.

aws iam create-role --role-name test-enumeration \
    --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]}'

kmcquade