PAC Configuration Wizard for AWS Cloud
Introduction
Prancer Cloud Security Solution's Cloud Security Posture Management (CSPM) functionality provides an automated way to identify and remediate security risks in cloud environments. With the ability to scan a wide range of your AWS cloud resources, the CSPM engine integrated to the Prancer platform can identify misconfigurations, vulnerabilities, and compliance issues that may pose a risk to your environment. The findings are then presented in a well-defined report page, making it easy for security teams to quickly take action and improve the overall security posture of your cloud environment.
This page describes how organizations can use their existing AWS account to run a penetration testing instance, with PAC generating a manifest file based on YAML format that provides all the details of the pentesting job, including the application information, scanner setup, target selection, and authentication configuration. Prancer PAC engine then communicates with your AWS tenant, creates the PAC scanner based on the configuration details, completes the pentesting scan, and displays the results on the "Pentest Findings" page.
In order to conduct this process, click on the "Pentest Wizard" from the side menu and follow these instructions.
Step 1 - Establish the connection to your AWS account
Select the "AWS Cloud" from the target environment selection. You can use either an existing connection available for you or create a brand new connection to the AWS account.
Select the "Existing connection" and search for your connection in the box to use one of the existing connections. To create a new connection, click on the "New connection" button. You need to fill out a few items to connect to your AWS account.
Prancer uses IAM users to connect to the AWS account. To understand more, check this link from AWS.
Collection Name: name of the collection you want to use for your Pentesting project. It will be used as an identifier for future use.
Access Key: The Access key ID for your IAM user
Access Secret: The key secret for your IAM user
Permissions: The IAM user should have the proper permission on the account resources to read the information and to be able to create pentest-related resources.
These are our recommendations for the IAM role to use in PAC:
-
Read permission on the related resources: IAM user can read the name secret managers information that holds authenticated scans' secrets. Also, Iam user needs to read the information of VPC / subnets
-
Permission to create resources: during the pentest in AWS, Prancer creates a Fargate ECS instance to hold the pentest scanner.
-
Read Permission on AWS Resources: If you want to use the auto-discovery feature of PAC to find out the resources automatically in AWS and do a white box scan for you, you need to give the proper permission to the IAM user.
When you fill out the required information, click on the "Load Accounts" button to load all the accounts the IAM user has access.
Select the accounts you want to include in your "Collection" and hit the Next button.
Step 2 - Application Information
On this page, we will fill out the basic information regarding the application you want to do the pentesting.
-
Application Name: Give your application a name for future references
-
Application Type: PAC supports Web, Open API, and Soap API applications for scanning
-
Risk Level: There are three risk levels available for pentesting:
-
Safe: running pentesting rules which are safe for production instances.
-
Attack: When you run the pentesting in an attack mode, it will insert data into your forms. This is the best choice when you are pentesting on lower environments and have existing crawls.
-
Standard: doing safe and attack pentesting together. It is recommended for all lower environments.
-
-
Compliance: Which compliance do you have to follow. You can filter your applications based on the selected compliance later.
-
Schedule: How often do you want to run the pentesting? Is it just one time run? or you want to put it on a scheduled bases
-
Scanner Instance: What to do with the scanner instance when the Pentesting is completed in your environment? You have the option to delete the scanner or keep it for future use.
Note: PAC uses Elastic Container Service (ECS) to run pentesting. To understand more, check this link from AWS.
Step 3 - Scanner setup
You can use either an existing scanner from your AWS account or create a new scanner instance on the scanner setup page.
To use an existing pentest instance, select the option on the page. Then you need to choose the AWS account, Region, and the Scanner instance.
Note: The IAM user who established the connection should have proper access to read AWS ECS instances.
To create a new pentest instance, select the appropriate item on the page, and select the account name and Region you want to put the scanner instance in.
Also, you have the option to do an External Pentest or an Internal Pentest.
When you are doing an External PenTest, it is supposed that your target is reachable from the internet. And Prancer PAC will spin up the ECS instance with a public IP address.
When doing an Internal PenTest, you should select which subnet you want to put your scanner on. Your scanner won't have a public IP address and can do an internal pentest on resources that resides on the selected subnet.
Then you need to select the VPC and subnet you want to provision the ECS instance on.
Step 4 - Target Selection
In this step, you will specify which target you want to run the pentest against. you have two options, you can either enter the URL endpoint manually or use the auto-discovery feature from Prancer's CSPM engine.
Note : If you want to use the auto-discovery feature of the Prancer's CSPM engine, make sure the IAM user has proper access to the resources you want to do pentesting on.
To enter the endpoint manually, select the appropriate option on the page and enter the URL in the box. The server servicing the endpoint could be hosted on AWS (an EC2, a BeansTalk, API Gateway, etc.) or outside the AWS as a publicly available endpoint.
You have the option to select the "Find in AWS" section to use the Prancer's CSPM engine and auto-discover the endpoints in AWS for you.
Enter the appropriate information on this page and hit "Next" button.
Step 5 - Authentication
On this page, you can configure the authentication information of your application.
Prancer PAC supports various authentication mechanisms, including:
-
Form-based
-
HTTP / NTLM
-
JSON-based
-
Azure AD
-
JWT Token
PAC requires different information to be entered on this page for each authentication type. All the secrets needed for the authentication are stored on the customer's account. PAC is not keeping any secret related to your application. as Part of the authentication configuration, you need to select the vault based on the type of the Cloud and reference the secret items. For example, in the case of Amazon AWS, we are using AWS Secret Manager to retrieve the secrets at the time of pentesting.
AWS Secret Manager selection
PAC uses a Secret Manager in the customer's AWS Account to retrieve secrets when doing pentesting. You need to specify which Secret Manager holds the authentication secrets. To do that, You should select the account and Region and the name of the Secret Manager.
Form-based Authentication
Form-based authentication is a method most web applications use to authenticate their users. To configure PAC to use Form-based authentication, you should enter the following information:
Login URL: The URL of the login page in your web application. For example, "/login"
Logout URL: The URL of the logout page in your web application. For example, "/logout"
Login Request Post Data: The format of the post data you are using when submitting the login form. For example, identity={%username%}&password={%password%}
This means the variables developer used to send the post data back to the server are identity
and password
At the time of pentesting, we are replacing {%username%}
and {%password%}
with the values we are retrieving from Secret Manager Vault
Login Indicator: When the user is logged in, what element on the page shows the user has logged in? For example, in all of your login pages, you have a logout link, which could indicate that a user is logged in.
Username: select the secret key from the Key Vault, which holds the username
Password: select the secret key from the Key Vault, which holds the password
When you have entered all the authentication information, click on "Next" button to go to the next page.
Step 6 - PAC file
In the last step of the pentesting wizard, PAC generates a manifest file based on the YAML format showing all the details you have entered in previous steps with more details. You can change the items here if you need. For example, for the name of the ECS scanner on the AWS, we have a default name "prancer-instances". You can change this name to something else to comply with your company's naming convention.
Note: To understand more about the available options in PAC file, check this page. Review all the items and if everything is fine, click on "Submit" to submit a new pentesting job to Prancer.
What happens next?
Prancer PAC engine starts to communicate with your AWS account, create the PAC scanner based on the configurations details in the PAC file, complete the pentesting scan, and show the results on "Pentest Findings" page.