AMI Exposed

Author(s):
Jeff Jarmoc

Latest Version:
0.1.0

Description:
AMI Exposed is a Ruby framework for testing Amazon Machine Images (AMIs) for common security weaknesses and credential exposures. It was originally released in conjunction with a presentation by Ben Feinstein and Jeff Jarmoc at DEF CON 19 on August 6th, 2011 titled "Get Off of My Cloud: Cloud Credential Compromise and Exposure".

This release includes various libraries that extend Amazon's official AWS SDK for Ruby (see http://aws.amazon.com/sdkforruby/), adding some helpful methods to its classes along with a few new classes.

Also included are components for tagging AMIs to define the test scope (TagImages.rb) and for running scans against AMIs in bulk (Scan.rb).

Several test modules that detect common exposure and security weakness scenarios are included in the tests subdirectory. By leveraging the class framework, additional modules can easily be added to suit the user's needs.

Supported Versions of AWS-SDK:
This tool has been developed against version 1.0 of the AWS-SDK for Ruby.  Other versions of the SDK may or may not work properly with this tool.

No Support, No Warranty

Dell SecureWorks cannot provide support for these tools, but feedback is appreciated.

License Agreement

Copyright (C) 2011 Dell. This program is free software subject to the terms of the GNU General Public License. You can use, copy, redistribute and/or modify the program under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or any later version. You should have received a copy of the GNU General Public License along with this program. If not, please see http://www.gnu.org/licenses/ for a copy of the GNU General Public License. The program is subject to a disclaimer of warranty and a limitation of liability, as disclosed below.

Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR, CORRECTION OR RECOVERY FROM DATA LOSS OR DATA ERRORS.

Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

 

 
