Cloud asset collection

VMware NSX Network Detection and Response can acquire cloud asset data from Amazon AWS and correlate this data with threats seen in the AWS environment. You can use the Kibana visualization tool to view and analyze the data.

To acquire cloud asset data, your AWS account must be configured with at least the minimal security policy recommended by ScoutSuite. See the AWS credentials tab for configuration details.

VMware NSX Network Detection and Response collects the following assets:

EC2 instance assets

Some of the Elastic Compute Cloud (EC2) instance data returned includes:

  • Virtual compute environment instances

  • Amazon Machine Image (AMI) templates

  • Configuration of CPU, memory, storage, and networking capacity

  • Secure login information

  • Storage volumes for temporary data

  • Persistent data storage volumes using Elastic Block Store (EBS)

  • Regions and Availability Zones

The service_name defines the resource type of the asset.

Example ec2.json:

{
  "LaunchTime": "2020-01-24 01:48:04+00:00",
  "service_name": "ec2",
  "ip_addresses": [
    "172.31.30.68"
  ],
  "metadata_options": {
    "HttpPutResponseHopLimit": 1,
    "HttpTokens": "optional",
    "State": "applied",
    "HttpEndpoint": "enabled"
  },
  "observer.name": null,
  "IamInstanceProfile": {
    "Id": "AIPAU2VHIUBKJXHY5LJNE",
    "Arn": "arn:aws:iam::332137013332:instance-profile/RAPID2.0.0MinimumAccess"
  },
  "source": "8NELPYCFXASTKTXTTJYM:staging",
  "SubnetId": "subnet-b0ddc7d7",
  "KeyName": "rapid-s3-new",
  "reservation_id": "r-0db7fb6070a5f9ba7",
  "dns_names": [
    "ip-172-31-30-68.us-west-1.compute.internal"
  ],
  "monitoring_enabled": false,
  "State": {
    "Code": 80,
    "Name": "stopped"
  },
  "name": "RAPID S3 Crawler Image s3-crawler-release-2.0.0",
  "id": "i-04610741aad5920d8",
  "InstanceType": "t2.large",
  "ts_start": 1604594012000,
  "user_data_secrets": {}
}

IAM role assets

Some of the Identity and Access Management (IAM) role data returned includes:

  • Permission policies

  • Access delegation

  • Temporary security credentials

The service_name defines the resource type of the asset.

Example iamrole.json:

{
  "policies_counts": 1,
  "service_name": "iam_role",
  "observer.name": null,
  "policies": [
    "ANPAILL3HVNFSB6DCOWYQ"
  ],
  "description": "Allows EC2 instances to call AWS services on your behalf.",
  "source": "8NELPYCFXASTKTXTTJYM:staging",
  "inline_policies_count": 0,
  "max_session_duration": 3600,
  "path": "/",
  "instances_count": 1,
  "name": "sureshdemoreadonlyrole",
  "assume_role_policy_effect": "Allow",
  "id": "AROAU2VHIUBKEZVDM4CAX",
  "create_date": "2020-06-04 14:09:34+00:00",
  "arn": "arn:aws:iam::332137013332:role/demoreadonlyrole",
  "ts_start": 1604594012000
}

IAM user assets

Some of the Identity and Access Management (IAM) user data returned includes:

  • The "friendly name"

  • Amazon Resource Name (ARN)

  • Unique identifier for the user

The service_name defines the resource type of the asset.

Example iamuser.json:

{
  "Path": "/",
  "policies_counts": 2,
  "service_name": "iam_user",
  "observer.name": null,
  "policies": [
    "ANPAJ4L4MM2A7QIEB56MS",
    "ANPAIWMBCKSKIEE64ZLYK"
  ],
  "groups": [],
  "source": "8NELPYCFXASTKTXTTJYM:fillipo-staging",
  "inline_policies_count": 0,
  "CreateDate": "2020-02-04 19:33:03+00:00",
  "LoginProfile": {
    "PasswordResetRequired": false,
    "UserName": "skasinathan",
    "CreateDate": "2020-02-04 19:33:04+00:00"
  },
  "PasswordLastUsed": "2020-09-21 18:04:15+00:00",
  "name": "skasinathan",
  "id": "AIDAU2VHIUBKGI6KFJO3Y",
  "arn": "arn:aws:iam::332137013332:user/skasinathan",
  "inline_policies": {},
  "ts_start": 1604594012000,
  "MFADevices": []
}

S3 bucket assets

Some of the Simple Storage Service (S3) bucket data returned includes:

  • Bucket name

  • Object data and metadata

  • Unique identifier keys

  • Regions and endpoints

The service_name defines the resource type of the asset.

Example s3.json:

{
  "CreationDate": "2019-03-05 17:14:43+00:00",
  "users_count": 12,
  "secure_transport_enabled": false,
  "version_mfa_delete_enabled": false,
  "service_name": "s3",
  "observer.name": null,
  "web_hosting_enabled": false,
  "source": "8NELPYCFXASTKTXTTJYM:fillipo-staging",
  "default_encryption_enabled": false,
  "name": "lastline-flowlogs",
  "roles_count": 9,
  "logging": "Disabled",
  "id": "7a5ccf0cab3ea9898787b382b9f101a7da9637e9",
  "region": "us-west-1",
  "versioning_status_enabled": false,
  "ts_start": 1604594012000
}
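
The following Python script is an added example, not part of the product or its documentation. It dispatches on service_name and flags settings in records shaped like the examples above that a defender would review: EC2 instances where HttpTokens is not "required", IAM users with a LoginProfile but an empty MFADevices list, and S3 buckets with secure transport, default encryption, versioning or logging turned off. The function names and SAMPLE_ASSETS (constructed, trimmed copies of the example records) are assumptions of this example.

```python
SAMPLE_ASSETS = [  # constructed: trimmed copies of the example documents above
    {"service_name": "ec2", "id": "i-04610741aad5920d8",
     "metadata_options": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"service_name": "iam_role", "id": "AROAU2VHIUBKEZVDM4CAX"},
    {"service_name": "iam_user", "id": "AIDAU2VHIUBKGI6KFJO3Y",
     "LoginProfile": {"PasswordResetRequired": False}, "MFADevices": []},
    {"service_name": "s3", "id": "7a5ccf0cab3ea9898787b382b9f101a7da9637e9",
     "secure_transport_enabled": False, "default_encryption_enabled": False,
     "versioning_status_enabled": False, "logging": "Disabled"},
]

def check_ec2(asset):
    opts = asset.get("metadata_options") or {}
    # IMDSv1 stays reachable unless session tokens are required.
    if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
        return ["instance metadata service accepts IMDSv1 requests"]
    return []

def check_iam_user(asset):
    # A LoginProfile means the user has a console password.
    no_mfa = asset.get("LoginProfile") and not asset.get("MFADevices")
    return ["console password set but no MFA device registered"] if no_mfa else []

S3_FLAGS = {
    "secure_transport_enabled": "secure transport (TLS-only access) is not enforced",
    "default_encryption_enabled": "default encryption is off",
    "versioning_status_enabled": "versioning is off",
}

def check_s3(asset):
    # Flag only an explicit False; a missing field is unknown, not a finding.
    findings = [msg for key, msg in S3_FLAGS.items() if asset.get(key) is False]
    if asset.get("logging") == "Disabled":
        findings.append("access logging is disabled")
    return findings

CHECKS = {"ec2": check_ec2, "iam_user": check_iam_user, "s3": check_s3}

def triage(assets):
    """Return (service_name, id, finding) tuples; unknown types yield nothing."""
    rows = []
    for asset in assets:
        check = CHECKS.get(asset.get("service_name"), lambda a: [])
        rows.extend((asset.get("service_name"), asset.get("id"), f) for f in check(asset))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_ASSETS):
        print(*row, sep="\t")
```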