Custom Signatures - Cloudnosys

Custom Signatures is one of the premium features of Cloudnosys which we have enabled for the users who would want to write their own security rules

Why do you need custom signatures ?

If you want to create your custom security rules based on your specific requirements then this feature answers the purpose

Creating custom signature:

Let’s suppose you want to check MFA (Multi factor authentication) is enabled for all IAM users that have a passwords:

Navigate to Custom Signatures dashboard

Objective: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a password

Click on the “Add New” button & add Custom Signature

Custom signature is divided in three sections

Signature Metadata: here you need to put signature metadata such as signature description,page detail and so on. In description you need to provide what you are checking such as “Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a password”.
Code editor: is a JavaScript code editor, where there is a function in which we have two parameters, one is an API caller(sends network & API calls to cloud provider e.g AWS) and second is resource(checks each resource against response)
Response

Response is generated when signature is tested, it has two tabs

i) Console: it shows the status of signature whether it ran successfully or failed

ii) Resource checker: lists all resources with their service,region,VPC & status

Signature ID is auto-generated, add description,page detail then select Cloud provider.

Description: Here you define your main objective of creating signature such as “Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a password”

Page detail: is the detailed demonstration of your objective, in our case it would go like this “Having MFA-protected IAM users is the best way to protect your AWS resources and services against attackers. An MFA device signature adds an extra layer of protection on top of your existing IAM user credentials (username and password), making your AWS account virtually impossible to penetrate without the MFA generated passcode.”

Cloud provider: here you’ll select the cloud provider, in our case we’ll select AWS

Service: Select the service, since we are creating a signature for IAM then we’’ select “IAM”

Risk level: is the severity of a signature, we get risk notification according to different severities such as High(The issue must be addressed as a priority),Medium(The issue must be addressed but not urgently) & Low(The issue does not require action on its own). Since IAM password protection involves high risk, then we’ll select “High”.

Category: is related to Cloud Services( IAM, EC2, S3) of a Signature.

Function: is related to Action or what defines the Signature description.In our case we’ll select “Access Control”

Group: is how we would like to pair various signatures together, so we will select “IAM”

Write down pass/fail messages and add remediation steps:

Pass: Multi-factor authentication (MFA) is enabled for all IAM users that have a password

Fail: Multi-factor authentication (MFA) is not enabled for all IAM users that have a password

Remediation steps: When the signature shows errors/fails to run the command in the output, write steps that should be followed to fix that bug.

You can find remediate steps in signature menu, signatures >> View Risks >> move to remediation tab

Perform the following to enable MFA:

i. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

ii. In the navigation pane, choose Users.

iii. In the User Name list, choose the name of the intended MFA user.

iv. Choose the Security Credentials tab, and then choose Manage MFA Device.

v. In the Manage MFA Device wizard, choose A virtual MFA device, and then choose Next Step.

vi. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).

vii. Determine whether the MFA app supports QR codes, and then do one of the following:

– Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the devices camera to scan the code.

– In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords.

viii. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.

Now move to JavaScript code editor, which is on the right of the screen

It contains try & catch block, in try block we are using a function apiCaller for getting response.

Note: API Caller: apiCaller Function is used to make api calls to cloud provider e.g: AWS Resource, resource contains all data related to a resource.

Define service “IAM” inside the api caller block
Service params: Add API version AWS services have API version numbers to keep track of API compatibility.For example, the current API version for Amazon IAM is 2010-05-08.

Note: To add API Version visit AWS documentation link : https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IAM.html#enableMFADevice-property

Specify region in which you want to test service “us-east-1”, here us-east-1 is a global region but in case if you have a service for which you want to test in all regions then use region:[resource.region].

An Endpoint object represents the endpoint URL for service requests. Add Endpoint endpoint:listMFADevices from AWS documentation.

14. Add the name of the user in params whose MFA devices you want to list params: { UserName: “JamesMichael” } . If you do not know usernames then you can list all users like this { UserName: resource.name }

15. Now, if you want to see the API response of your signature in the console, then add this console.log(apiResponse); after apiCaller block:
It will list all of your MFADevices in the “us-east-1” Region and it’ll look like the following.

In return we define the signature status and status message

signature status: return a boolean value either “true” or “false” depending upon the signature status and
status message: Here you have to define status message of signature for pass & fail (optional):

Add condition if apiResponse length is 0 that means multi-factor authentication is not enabled otherwise it’s enabled then, your code editor will look like this:

module.exports = async function(apiCaller, resource){
  try {
    const apiResponse = await apiCaller({
      service: "IAM",
      serviceParams: { apiVersion: "2010-05-08", region:[resource.region] },
      endpoint: "listMFADevices",
      params: {UserName: resource.name }
    });
   // console.log(apiResponse);
    // checking mfa is enabled or not
         if (
          apiResponse &&
          apiResponse[0] &&
          apiResponse[0][0].apiResponse.length === 0
        ) 
         {
            return { statusSig: true, statusMessage: "MFA is enabled" };
         } else {
          return { statusSig: false, statusMessage: "MFA is not enabled" };
        }
  } catch (err) {
    return { statusSig: false, statusMessage: "" };
  }
};

16. Now click “Test” and you will see response like this:

Console: