Custom Signatures

Custom Signatures is one of the premium features of Cloudnosys. It is enabled for users who want to write their own security rules instead of relying only on the built-in ones.

Why do you need custom signatures?

If you want to create custom security rules based on your own requirements (an internal policy, a control your compliance framework demands, or a check the built-in signatures do not cover), this feature serves that purpose.

Creating a Custom Signature

For instance, you want to check that "S3 bucket default encryption is enabled" (the signature below calls the S3 getBucketEncryption API for each bucket).

  1. Navigate to the Custom Signatures dashboard.
  2. Click on the Add new button; the Custom Signature screen shows up.

  3. Enter a descriptive name for your signature, e.g. Ensure S3 Bucket Encryption is Enabled, with an ID such as AWS-S3-CUS-001.

  4. Write a precise description of the signature in the description box. In this scenario simply type: "Enabling default encryption on an S3 bucket ensures that every new object is encrypted at rest with SSE-S3 (AES256) or SSE-KMS, without relying on each client or application to request encryption on every upload. Buckets without a default-encryption rule can silently accumulate unencrypted objects."

  5. Choose a cloud provider. In this case it is AWS, since an S3 bucket is an AWS resource.

  6. Choose the S3 service from the dropdown menu.

The service layer corresponds to the cloud vendor's service catalogue; AWS, for example, offers storage services, database services, and so on.

  7. Set the severity level to High, since unencrypted storage is a security rule of high importance.

The severity you assign depends on how much a failing resource affects your compliance posture, according to your internal policy.

  8. Select Cryptography as the category from the dropdown menu.

The category works like an umbrella over the service, under which your signature falls. In the 'category' section you can later filter signatures by purpose.

  9. Select the function you want the signature to perform. (Here we chose Cryptography, since we are checking storage encryption.)

The function defines what kind of check the signature performs.

10. Write your own Pass, Fail and Remediation messages for each possible outcome.

  • Pass message: shown when the resource satisfies the check, i.e. the signature returns true. Here: S3 Bucket is encrypted.
  • Fail message: shown when the resource does not satisfy the check, i.e. the signature returns false. Here: S3 Bucket is not encrypted.
  • Remediation message: shown alongside a failed result; write the steps an operator should follow to fix the finding (here, enable default encryption on the bucket with SSE-S3 or SSE-KMS).

      11. In the Code Editor (NodeJS) section you write the code for the signature. Cloudnosys provides a function named apiCaller, to which you pass the parameters of the public cloud API call you want to make: the service, the API version and region(s), the endpoint (API operation) and the operation's own parameters.


After adding the snippet and adapting it to check the default-encryption status of each S3 bucket, your code editor will look like this:

// console.log('resource', resource);
try {
  const apiResponse = await apiCaller({
    service: "S3",
    serviceParams: { apiVersion: "2006-03-01", region: [resource.region] },
    endpoint: "getBucketEncryption",
    params: { Bucket: resource.name }
  });
  // apiCaller returns one result per region requested; take the first.
  const encryption = apiResponse[0][0];
  const rules = encryption.ServerSideEncryptionConfiguration.Rules || [];
  // Pass only if at least one default-encryption rule exists and every rule
  // uses SSE-S3 (AES256) or SSE-KMS (aws:kms / aws:kms:dsse).
  let status = rules.length > 0;
  for (const rule of rules) {
    const byDefault = rule.ApplyServerSideEncryptionByDefault || {};
    const { SSEAlgorithm } = byDefault;
    if (SSEAlgorithm !== "AES256" && SSEAlgorithm !== "aws:kms" && SSEAlgorithm !== "aws:kms:dsse") {
      status = false;
    }
  }
  // console.log('status', status);
  return status;
} catch (err) {
  // getBucketEncryption throws ServerSideEncryptionConfigurationNotFoundError
  // when the bucket has no default-encryption rule, so an error is a FAIL.
  return false;
}
  • service: the AWS service being called; here S3.
  • serviceParams: the API version as given in the AWS documentation (2006-03-01 for S3) and the region(s) to call; here the region of the resource being evaluated.
  • endpoint: the API operation to invoke. Since you want to check S3 bucket encryption, you put "getBucketEncryption".
  • params: getBucketEncryption takes the bucket name in the Bucket parameter, so you pass the name of the bucket whose default encryption you want to check; resource.name supplies it for each bucket in turn.

      12. Then click the Test signature button to check that the code runs successfully.

After clicking Test signature, the signature is run against each resource and returns:

  • true // in case of pass
  • false // in case of failure

      13. Scroll down to the console tab to check the result; the other tab lists the resources that exist within the chosen service.

If you see the result as shown above, click the button to save the signature.

Voila! You have created your own Custom Signature in your cloudnosys account.
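The whole flow of the signature written above, as an added, stand-alone example that is not part of the original page and not Cloudnosys code: the check logic is separated from the API call, a mock apiCaller (assumed, as in the snippet above, to resolve to an array with one response per region requested) serves constructed getBucketEncryption responses, and the boolean result is mapped to the Pass/Fail messages from step 10. Bucket names, responses and error codes are constructed fixtures, not real AWS data; the one real behaviour relied on is that S3 answers getBucketEncryption with ServerSideEncryptionConfigurationNotFoundError when no default-encryption rule exists, which is a finding, while any other error (AccessDenied, NoSuchBucket) is an evaluation error that should never be reported as a pass.

```javascript
// Added example, not Cloudnosys code: a stand-alone harness that runs an
// S3 default-encryption signature against constructed getBucketEncryption
// responses, so the PASS / FAIL / error paths can be exercised offline.

// SSE algorithms that count as encrypted at rest (aws:kms:dsse = dual-layer KMS).
const ACCEPTED_ALGORITHMS = new Set(["AES256", "aws:kms", "aws:kms:dsse"]);

// Pure check over one getBucketEncryption response body.
function isEncryptedByDefault(responseBody) {
  const config = responseBody && responseBody.ServerSideEncryptionConfiguration;
  const rules = (config && config.Rules) || [];
  if (rules.length === 0) return false;
  return rules.every((rule) => {
    const byDefault = rule.ApplyServerSideEncryptionByDefault;
    return Boolean(byDefault) && ACCEPTED_ALGORITHMS.has(byDefault.SSEAlgorithm);
  });
}

// "No default encryption configured" is a finding; anything else (AccessDenied,
// NoSuchBucket, throttling) is an evaluation error and must not become a PASS.
function classifyError(err) {
  return err && err.code === "ServerSideEncryptionConfigurationNotFoundError" ? "fail" : "error";
}

// Signature body. apiCaller is injected so the same logic runs under the mock
// below and under the platform's apiCaller (assumed here to resolve to an
// array with one response per region requested).
async function s3DefaultEncryptionSignature(resource, apiCaller) {
  try {
    const apiResponse = await apiCaller({
      service: "S3",
      serviceParams: { apiVersion: "2006-03-01", region: [resource.region] },
      endpoint: "getBucketEncryption",
      params: { Bucket: resource.name },
    });
    return isEncryptedByDefault(apiResponse[0][0]);
  } catch (err) {
    if (classifyError(err) === "fail") return false;
    throw err;
  }
}

// Constructed fixtures keyed by bucket name (hypothetical names, not real data).
const FAKE_BUCKETS = {
  "logs-kms": { response: { ServerSideEncryptionConfiguration: { Rules: [
    { ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms", KMSMasterKeyID: "alias/logs" } },
  ] } } },
  "static-site-sse-s3": { response: { ServerSideEncryptionConfiguration: { Rules: [
    { ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } },
  ] } } },
  "no-rules": { response: { ServerSideEncryptionConfiguration: { Rules: [] } } },
  "legacy-unencrypted": { errorCode: "ServerSideEncryptionConfigurationNotFoundError" },
  "cross-account": { errorCode: "AccessDenied" },
};

// Mock apiCaller with the same call shape the editor expects.
async function fakeApiCaller({ service, endpoint, params }) {
  if (service !== "S3" || endpoint !== "getBucketEncryption") {
    throw new Error(`unexpected call ${service}.${endpoint}`);
  }
  const entry = FAKE_BUCKETS[params.Bucket];
  if (!entry) throw Object.assign(new Error("no such bucket"), { code: "NoSuchBucket" });
  if (entry.errorCode) throw Object.assign(new Error(entry.errorCode), { code: entry.errorCode });
  return [[entry.response]]; // one region requested -> one response
}

// Run the signature over every fixture and map the result to the messages
// configured in step 10 (PASS / FAIL), keeping evaluation errors separate.
async function evaluateAll() {
  const results = {};
  for (const name of Object.keys(FAKE_BUCKETS)) {
    const resource = { name, region: "us-east-1" };
    try {
      const passed = await s3DefaultEncryptionSignature(resource, fakeApiCaller);
      results[name] = passed ? "PASS: S3 Bucket is encrypted" : "FAIL: S3 Bucket is not encrypted";
    } catch (err) {
      results[name] = `ERROR: ${err.code || err.message}`;
    }
  }
  return results;
}

evaluateAll().then((results) => console.log(results));
```

Keeping the API call, the pure check and the error classification apart is what makes the signature testable without cloud credentials, and it avoids the trap of a bare catch-all that turns an AccessDenied on a cross-account bucket into a silent pass or fail instead of an error you can see.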

Note: To see the risks found by the signature you just created, you need to run a scan.

Limitations for Custom Signatures:

  • The total execution time of a Custom Signature is limited to 60s (one minute), so keep the number of API calls per resource small.
  • All code executions are handled in a sandbox environment.
  • The eval function is not allowed.
  • Access to the file system is restricted.