Why do you assume they are using Terraform? You also have the AWS CDK and CloudFormation. So maybe use AWS Guard? Then your rules are easier to read and remember and you can make the output human-readable: “file h contains resource x with property y with value z which is not in the q list of allowed values/does not meet the allowed pattern R”. And AWS Config / Control Tower, because even large companies still have departments that make manual adjustments.
But all of these tools don’t look at the content loaded into the S3 container.
So this problem will not occur.
You can also use https://www.clamav.net/: run it in a Lambda container and trigger it automatically with each new or changed file. With tags and AWS IAM you can ensure that only approved files are publicly accessible.
This way you can at least prevent the potential impact of the attack. But until then it doesn’t check if there are credentials in the files on the S3.
You can still block known file extensions (same, by tagging), and maybe add pattern recognition next to the virus scanner (like gitleaks, but for the new/updated S3 file), but it also ends up somewhere.
[Comment edited by djwice on 31 december 2021 13:18]
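The scan-and-tag pipeline the comment sketches (ClamAV plus a gitleaks-style credential check in a Lambda triggered on new or changed objects, with the verdict written as an object tag that a bucket/IAM policy keys on), as an added Python example that is not part of the original post. The pattern set, the tag names and a clamscan binary in the container image are assumptions.

```python
import re
import subprocess
import tempfile
from typing import Dict, List
from urllib.parse import unquote_plus
# Constructed, gitleaks-style patterns for the credential check; the set is an
# illustrative assumption, not a complete secret-detection rule base.
SECRET_PATTERNS: Dict[str, "re.Pattern[bytes]"] = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        rb"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_for_secrets(content: bytes) -> List[str]:
    """Names of every pattern that matches somewhere in the object body."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(content)]

def classify(content: bytes, clamav_clean: bool) -> Dict[str, str]:
    """Fold the virus-scan verdict and the secret scan into object tags; a bucket
    policy conditioned on s3:ExistingObjectTag/scan-status == approved then limits
    public reads to objects that passed both checks."""
    if not clamav_clean:
        return {"scan-status": "quarantined", "scan-reason": "clamav"}
    findings = scan_for_secrets(content)
    if findings:
        # "+" rather than "," because commas are not valid in S3 tag values.
        return {"scan-status": "quarantined", "scan-reason": "+".join(findings)}
    return {"scan-status": "approved", "scan-reason": "none"}

def run_clamav(content: bytes) -> bool:
    """True when clamscan (assumed present in the container image) reports the
    body clean; clamscan exits 0 for clean, 1 for infected, 2 on error."""
    with tempfile.NamedTemporaryFile() as tmp:
        tmp.write(content)
        tmp.flush()
        return subprocess.run(["clamscan", "--no-summary", tmp.name]).returncode == 0

def lambda_handler(event, context):
    """S3 ObjectCreated trigger: fetch each new object, classify it, tag it.
    boto3 is imported here so the pure functions above run without AWS."""
    import boto3  # present in the Lambda runtime (assumption for local runs)
    s3 = boto3.client("s3")
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # event keys are URL-encoded
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        tags = classify(body, clamav_clean=run_clamav(body))
        s3.put_object_tagging(Bucket=bucket, Key=key, Tagging={
            "TagSet": [{"Key": k, "Value": v} for k, v in tags.items()]})
```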