网站建设、公众号开发、微网站、微商城、小程序就找牛创网络 !

7*24小时服务专线： 152-150-65-006 023-68263070 扫描二维码加我微信

网络安全工具团结互助，让我们共同进步！

当前位置：主页 > 技术资讯 > 工具 > 网络安全工具 >

我们的优势： 10年相关行业经验，专业设计师量身定制设计师一对一服务模式，上百家客户案例！企业保证，正规流程，正规合作 7*24小时在线服务，售后无忧

s3tk：用于Amazon S3的安全审核套件

文章来源：重庆网站建设围观次数：

分享到:

摘要：s3tk是Amazon S3的安全审核套件。大多数安全研究人员可以使用s3tk在Amazon S3 Bucket上执行安全测试。

s3tk是Amazon S3的安全审核套件。大多数安全研究人员可以使用s3tk在Amazon S3 Bucket上执行安全测试。

工具安装

大多数研究人员可以使用pip完成s3tk的安装：

pip install s3tk

研究人员可以使用AWS CLI命令行工具来配置AWS凭证：

pip install awscli

aws configure

工具使用命令

安全扫描

可以扫描的存储桶组件如下：

1.公共ACL

2.开放战略

3.公共访问受阻

4.启用登录

5.版本修改

6，默认加密

s3tk scan

针对特定Bucket运行运行扫描：

s3tk scan my-bucket my-bucket-2

支持通配符：

s3tk scan "my-bucket*"

跳过日志和默认加密：

s3tk scan --skip-logging --skip-versioning --skip-default-encryption

获取电子邮件通知（通过SNS）：

s3tk scan --sns-topic arn:aws:sns:...

枚举策略

枚举Bucket策略：

s3tk list-policy

针对特定存储桶运行扫描：

s3tk list-policy my-bucket my-bucket-2

显示名称：

s3tk list-policy-命名

设定政策：

s3tk set-policy my-bucket --no-object-acl

删除策略：

s3tk delete-policy my-bucket

禁止公共访问：

s3tk block-public-access my-bucket my-bucket-2

启用默认加密

为所有Bucket启用默认加密：

s3tk enable-default-encryption

仅针对特定Bucket启用：

s3tk enable-default-encryption my-bucket my-bucket-2

扫描对象ACL

扫描目标Bucket中所有对象的ACL：

s3tk scan-object-acl my-bucket

排除特定对象：

s3tk scan-object-acl my-bucket --only "*.pdf"

排除DNS

s3tk scan-object-acl my-bucket --except "*.jpg"

扫描DNS

s3tk scan-dns

证书

用户凭证可以在“〜/ .aws /credentials”或环境变量中设置。我们可以使用以下命令设置配置文件：

AWS_PROFILE=your-profile s3tk

IAM策略

每个命令所需的权限如下。用户只需要在以下代码中声明相应的权限：

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Scan", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetBucketLogging", "s3:GetBucketVersioning", "s3:GetEncryptionConfiguration" ], "Resource": "*" }, { "Sid": "ScanDNS", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "route53:ListHostedZones", "route53:ListResourceRecordSets" ], "Resource": "*" }, { "Sid": "ListPolicy", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketPolicy" ], "Resource": "*" }, { "Sid": "SetPolicy", "Effect": "Allow", "Action": [ "s3:PutBucketPolicy" ], "Resource": "*" }, { "Sid": "DeletePolicy", "Effect": "Allow", "Action": [ "s3:DeleteBucketPolicy" ], "Resource": "*" }, { "Sid": "BlockPublicAccess", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:PutBucketPublicAccessBlock" ], "Resource": "*" }, { "Sid": "EnableLogging", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:PutBucketLogging" ], "Resource": "*" }, { "Sid": "EnableVersioning", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:PutBucketVersioning" ], "Resource": "*" }, { "Sid": "EnableDefaultEncryption", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:PutEncryptionConfiguration" ], "Resource": "*" }, { "Sid": "ResetObjectAcl", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObjectAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] }, { "Sid": "Encrypt", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] }, { "Sid": "DeleteUnencryptedVersions", "Effect": "Allow", "Action": [ "s3:ListBucketVersions", "s3:GetObjectVersion", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] } ] }

访问日志

Amazon Athena适合查询S3日志，创建以下列表：

CREATE EXTERNAL TABLE my_bucket ( bucket_owner string, bucket string, time string, remote_ip string, requester string, request_id string, operation string, key string, request_verb string, request_url string, request_proto string, status_code string, error_code string, bytes_sent string, object_size string, total_time string, turn_around_time string, referrer string, user_agent string, version_id string)ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe'WITH SERDEPROPERTIES ( 'serialization.format' = '1', 'input.regex' = '([^ ]*) ([^ ]*) \\[(.*?)\\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) \\\"([^ ]*) ([^ ]*) (- |[^ ]*)\\\" (-|[0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) (\"[^\"]*\\") ([^ ]*)$') LOCATION 's3://my-s3-logs/my-bucket/';

修改最后一行代码并指向您的日志Bucket：

SELECT date_parse(time, '%d/%b/%Y:%H:%i:%S +0000') AS time, request_url, remote_ip, user_agentFROM my_bucketWHERE requester = '-' AND status_code LIKE '2%' AND request_url LIKE '/some-keys%'ORDER BY 1

CloudTrail日志

Amazon Athena也可以用于查询CloudTrail日志并创建表：

CREATE EXTERNAL TABLE cloudtrail_logs ( eventversion STRING, userIdentity STRUCT< type:STRING, principalid:STRING, arn:STRING, accountid:STRING, invokedby:STRING, accesskeyid:STRING, userName:String, sessioncontext:STRUCT< attributes:STRUCT< mfaauthenticated:STRING, creationdate:STRING>, sessionIssuer:STRUCT< type:STRING, principalId:STRING, arn:STRING, accountId:STRING, userName:STRING>>>, eventTime STRING, eventSource STRING, eventName STRING, awsRegion STRING, sourceIpAddress STRING, userAgent STRING, errorCode STRING, errorMessage STRING, requestId STRING, eventId STRING, resources ARRAY<STRUCT< ARN:STRING, accountId:STRING, type:STRING>>, eventType STRING, apiVersion STRING, readOnly BOOLEAN, recipientAccountId STRING, sharedEventID STRING, vpcEndpointId STRING, requestParameters STRING, responseElements STRING, additionalEventData STRING, serviceEventDetails STRING)ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'LOCATION 's3://my-cloudtrail-logs/'

修改最后一行代码，然后指向您的CloudTrail日志Bucket：

SELECT eventTime, eventName, userIdentity.userName, requestParametersFROM cloudtrail_logsWHERE eventName LIKE '%Bucket%'ORDER BY 1

Bucket策略

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:PutObjectAcl", "Resource": "arn:aws:s3:::my-bucket/*" } ] }