云环境的安全配置与威胁检测
云环境引入了全新的攻击面:误配置、身份管理、数据泄露。据统计,云端数据泄露的65%由误配置导致,而非软件漏洞。
| 威胁类型 | 云服务 | 典型案例 |
|---|---|---|
| 存储桶公开 | S3/GCS/Blob | 美军S3泄露(2017) |
| IAM过度授权 | IAM/RBAC | Capital One(2019) |
| 元数据服务滥用 | IMDSv1 | SSRF→密钥窃取 |
| 日志配置缺失 | CloudTrail | 攻击无审计轨迹 |
| 网络暴露 | SG/VPC | 0.0.0.0/0开放 |
# S3访问控制层级 (从上到下评估):
# 1. Bucket Policy - 存储桶级策略
# 2. IAM Policy - 用户/角色策略
# 3. ACL - 访问控制列表(旧版)
# 4. Block Public Access - 阻止公开访问(全局)
# 默认行为: 新建Bucket默认私有(2023+)
# 但旧Bucket可能仍公开!
# 1. 使用AWS CLI检查Bucket
aws s3 ls # 列出所有Bucket
aws s3api get-bucket-acl --bucket mybucket # 查看ACL
# 检查公开访问设置
aws s3api get-public-access-block \
--bucket mybucket
# 列出Bucket内容
aws s3 ls s3://mybucket/ --recursive
# 2. 未授权访问测试
# 尝试匿名列出Bucket
aws s3 ls s3://target-bucket/ --no-sign-request
# 尝试匿名上传
echo "test" > test.txt
aws s3 cp test.txt s3://target-bucket/ --no-sign-request
# 尝试匿名下载
aws s3 cp s3://target-bucket/secrets.env . --no-sign-request
# 3. Bucket枚举(基于名称)
# 使用bucket_finder
git clone https://github.com/buckeye17/bucket_finder.git
ruby bucket_finder.rb wordlist.txt
# 或使用S3Scanner
pip install s3scanner
s3scanner scan --targets buckets.txt
# ScoutSuite - 多云安全审计
pip install scoutsuite
scout aws -p aws_profile
# Prowler - AWS安全最佳实践检查
pip install prowler
prowler aws -p default
# CloudSploit (ACSC)
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit
node index.js -c config.js
# Pacu - AWS渗透测试框架
pip install pacu
pacu
# > import_keys
# > run s3__bucket_finder
# > run s3__enum
# > run iam__enum_users
# AWS实例元数据服务 (IMDS)
# 169.254.169.254 - AWS内部元数据端点
# IMDSv1 (旧版,易受SSRF攻击):
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
# 返回: AccessKeyId, SecretAccessKey, Token!
# IMDSv2 (新版,需PUT获取token):
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
-H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
http://169.254.169.254/latest/meta-data/
# 通过SSRF获取临时凭证
# 如果应用存在SSRF:
# https://app.target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# 使用窃取的凭证
aws configure set aws_access_key_id ASIA...
aws configure set aws_secret_access_key wJalrX...
aws configure set aws_session_token FwoGZX...
aws s3 ls # 现在可以访问受害者的S3!
aws ec2 modify-instance-metadata-options强制启用。# 1. 启用S3 Block Public Access (账户级)
aws s3control put-public-access-block \
--account-id 123456789012 \
--public-access-block-configuration \
BlockPublicAcls=true,\
IgnorePublicAcls=true,\
BlockPublicPolicy=true,\
RestrictPublicBuckets=true
# 2. 启用Bucket加密
aws s3api put-bucket-encryption \
--bucket mybucket \
--server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/xxx"
},
"BucketKeyEnabled": true
}]
}'
# 3. 启用版本控制和MFA删除
aws s3api put-bucket-versioning \
--bucket mybucket \
--versioning-configuration Status=Enabled,MFADelete=Enabled
# 4. 启用访问日志
aws s3api put-bucket-logging \
--bucket mybucket \
--bucket-logging-status '{
"LoggingEnabled": {
"TargetBucket": "access-logs-bucket",
"TargetPrefix": "logs/mybucket/"
}
}'
# 5. 最小权限Bucket Policy
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": "arn:aws:s3:::mybucket/data/*",
"Condition": {
"StringEquals": {"aws:SourceVpce": "vpce-xxx"},
"Bool": {"aws:SecureTransport": "true"}
}
}]
}
# IAM策略审计
aws iam get-account-authorization-details > iam_audit.json
# 检查过度授权的策略
# 工具: PMapper (判断IAM权限提升路径)
pip install principalmapper
pmapper graph create
pmapper query "who can do s3:GetObject with *"
pmapper query "who can privesc" # 查找提权路径
# CloudCustodian - 策略即代码
pip install c7n
# config.yml
policies:
- name: s3-bucket-no-encryption
resource: s3
filters:
- type: bucket-encryption
state: false
actions:
- type: set-encryption
enabled: true
- name: s3-bucket-public-access
resource: s3
filters:
- type: global-grants
actions:
- type: delete-global-grants
# 检查安全组开放规则
aws ec2 describe-security-groups \
--filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
--query 'SecurityGroups[*].{Name:GroupName,Rule:IpPermissions[*].{FromPort:FromPort,ToPort:ToPort}}'
# 限制SSH/RDP访问
aws ec2 authorize-security-group-ingress \
--group-id sg-xxx \
--protocol tcp \
--port 22 \
--cidr 10.0.0.0/8 # 仅内网
# 启用VPC Flow Logs
aws ec2 create-flow-logs \
--resource-type VPC \
--resource-id vpc-xxx \
--traffic-type ALL \
--log-destination-type cloud-watch-logs
| 安全特性 | AWS | Azure | GCP |
|---|---|---|---|
| 存储桶默认 | 私有(2023+) | 私有 | 私有 |
| 元数据服务 | IMDSv1/v2 | IMDS | 需查询header |
| IAM | IAM Policy | RBAC+ABAC | IAM Policy |
| 审计日志 | CloudTrail | Activity Log | Cloud Audit Log |
| 密钥管理 | KMS | Key Vault | Cloud KMS |
| 安全中心 | Security Hub | Defender for Cloud | Security Command Center |
# Azure Blob存储检测
# 使用MicroBurst
git clone https://github.com/NetSPI/MicroBurst.git
Import-Module MicroBurst.psm1
Get-AzureBlobInfo -Base target -OutputFile blobs.csv
# GCS Bucket检测
# 使用GCPBucketBrute
python3 gcpbucketbrute.py -k target -u
# CIS AWS Foundations Benchmark 关键检查项
# 1. IAM安全
# - 禁用root访问密钥
# - 启用MFA for root
# - 不使用root进行日常操作
# - 90天轮换访问密钥
# 2. 日志与监控
# - 启用CloudTrail(多区域)
# - 启用Config
# - 启用CloudWatch Logs
# - S3 Bucket日志
# 3. 网络
# - 默认安全组限制入站
# - VPC Flow Logs
# - 不开放0.0.0.0/0到管理端口
# 4. 加密
# - EBS加密
# - S3默认加密
# - RDS加密
# - KMS密钥轮换
# 合规框架映射
# ┌──────────────┬───────────┬──────────┬──────────┐
# │ 控制域 │ SOC 2 │ PCI DSS │ HIPAA │
# ├──────────────┼───────────┼──────────┼──────────┤
# │ 访问控制 │ CC6.1 │ Req 7,8 │ 45 CFR │
# │ 日志监控 │ CC7.2 │ Req 10 │ 45 CFR │
# │ 加密 │ CC6.7 │ Req 3,4 │ 45 CFR │
# │ 变更管理 │ CC8.1 │ Req 6 │ 45 CFR │
# │ 漏洞管理 │ CC7.1 │ Req 6,11 │ 45 CFR │
# └──────────────┴───────────┴──────────┴──────────┘
# Terraform安全扫描
# 使用tfsec
curl -sL https://github.com/aquasecurity/tfsec/releases/latest/download/tfsec-linux-amd64 -o tfsec
chmod +x tfsec
./tfsec /path/to/terraform/
# 使用Checkov
pip install checkov
checkov -d /path/to/terraform/
# 常见Terraform安全问题:
# 1. S3 Bucket未启用加密
# resource "aws_s3_bucket" "data" {
# # ❌ 缺少 server_side_encryption_configuration
# }
# 2. 安全组开放0.0.0.0/0
# resource "aws_security_group_rule" "ssh" {
# cidr_blocks = ["0.0.0.0/0"] # ❌ 危险!
# }
# 3. RDS公开访问
# resource "aws_db_instance" "main" {
# publicly_accessible = true # ❌
# }
# CI/CD集成
# .github/workflows/security.yml
# - name: tfsec
# uses: aquasecurity/tfsec-action@v1.0.0