DataDog / stratus-red-team

:cloud: :zap: Granular, Actionable Adversary Emulation for the Cloud
https://stratus-red-team.cloud
Apache License 2.0

Unable to re-detonate aws.credential-access.secretsmanager-batch-retrieve-secrets because same secret naming convention #551

Closed kljunowsky closed 1 month ago

kljunowsky commented 1 month ago

What is not working? Re-triggering the scenario after cleanup. I cannot re-run aws.credential-access.secretsmanager-batch-retrieve-secrets because of the same secret naming convention.

Potential solution Change the way secret names are generated, use random strings instead of numbers if possible. If not, if for example secret-10 exists, try creating secrets from secret-11...

What OS are you using? Mac OS X

What is your Stratus Red Team version? 2.15.0

Full output?

└─# stratus detonate aws.credential-access.secretsmanager-batch-retrieve-secrets

2024/08/15 11:03:16 Checking your authentication against AWS
2024/08/15 11:03:16 Warming up aws.credential-access.secretsmanager-batch-retrieve-secrets
2024/08/15 11:03:16 Applying Terraform to spin up technique prerequisites
2024/08/15 11:05:22 Error during warm up. Cleaning up technique prerequisites with terraform destroy
2024/08/15 11:05:29 unable to run terraform apply on prerequisite: unable to apply Terraform: exit status 1

Error: error creating Secrets Manager Secret: InvalidRequestException: You can't create this secret because a secret with this name is already scheduled for deletion.

  with aws_secretsmanager_secret.secrets[26],
  on main.tf line 31, in resource "aws_secretsmanager_secret" "secrets":
  31: resource "aws_secretsmanager_secret" "secrets" {

Files in $HOME/.stratus-red-team?

total 140248
drwxr--r--@  5 REDACTED  REDACTED   160B Aug 15 13:27 .
drwxr-x---+ 68 REDACTED  REDACTED   2.1K Aug 15 13:28 ..
-rw-r--r--@  1 REDACTED  REDACTED   6.0K Aug  6 19:11 .DS_Store
drwxr--r--@ 10 REDACTED  REDACTED   320B Aug  5 19:40 aws.credential-access.secretsmanager-batch-retrieve-secrets
-rwx------@  1 REDACTED  REDACTED    68M Aug  2 09:33 terraform

./aws.credential-access.secretsmanager-batch-retrieve-secrets:
total 248
drwxr--r--@ 10 REDACTED  REDACTED   320B Aug  5 19:40 .
drwxr--r--@  5 REDACTED  REDACTED   160B Aug 15 13:27 ..
-rwxr--r--@  1 REDACTED  REDACTED     9B Aug 15 13:22 .state
drwxr-xr-x@  3 REDACTED  REDACTED    96B Aug  5 15:00 .terraform
-rw-r--r--@  1 REDACTED  REDACTED     0B Aug  5 15:00 .terraform-initialized
-rwxr--r--@  1 REDACTED  REDACTED    46B Aug  5 15:01 .terraform-outputs
-rw-r--r--@  1 REDACTED  REDACTED   2.4K Aug  5 15:00 .terraform.lock.hcl
-rw-------@  1 REDACTED  REDACTED   234B Aug  5 19:40 .terraform.tfstate.lock.info
-rw-r--r--@  1 REDACTED  REDACTED   1.0K Aug  5 15:00 main.tf
-rw-r--r--@  1 REDACTED  REDACTED   103K Aug  5 15:01 terraform.tfstate

christophetd commented 1 month ago

Hi there,

Thanks for reporting! I was not able to reproduce with:

export AWS_REGION=eu-west-1
stratus detonate aws.credential-access.secretsmanager-batch-retrieve-secrets
stratus cleanup aws.credential-access.secretsmanager-batch-retrieve-secrets
stratus detonate aws.credential-access.secretsmanager-batch-retrieve-secrets

The Terraform warmup code does set recovery_window_in_days to 0, so the cleanup should nuke the secrets right away: https://github.com/DataDog/stratus-red-team/blob/main/v2/internal/attacktechniques/aws/credential-access/secretsmanager-batch-retrieve-secrets/main.tf#L35

Is it possible that your second detonation happens very quickly after the cleanup? (e.g. less than 10 seconds)
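An added illustration (not the project's own Terraform, which is in the main.tf linked above) of the two points in play here: a per-run random suffix in the secret name, and recovery_window_in_days = 0 so that destroy does not leave the name blocked for a later detonation. The prefix, the count and the resource names are assumptions, not the technique's real values.

```hcl
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

# Constructed example: one random suffix per Terraform run, so a fresh
# detonation never reuses a name that a previous run may still hold.
resource "random_string" "suffix" {
  length  = 8
  special = false
  upper   = false
}

locals {
  secret_count = 30                        # assumed batch size, not the project's value
  name_prefix  = "stratus-red-team-secret" # assumed prefix, not the project's own
}

# Collision-prone form (illustrative, left commented out): a fixed, numbered name
# and the default recovery window. A re-run while the old secret is still
# scheduled for deletion fails with "already scheduled for deletion".
# resource "aws_secretsmanager_secret" "secrets_fixed" {
#   count = local.secret_count
#   name  = "${local.name_prefix}-${count.index}"
# }

# Re-runnable form: a unique name per run, and immediate deletion on destroy.
resource "aws_secretsmanager_secret" "secrets" {
  count                   = local.secret_count
  name                    = "${local.name_prefix}-${random_string.suffix.result}-${count.index}"
  recovery_window_in_days = 0 # no soft-delete window, so the name frees up right away
}

resource "aws_secretsmanager_secret_version" "values" {
  count         = local.secret_count
  secret_id     = aws_secretsmanager_secret.secrets[count.index].id
  secret_string = "dummy-value-${count.index}" # constructed placeholder, not a real secret
}
```

Even with a zero recovery window, Secrets Manager may take a few seconds to finish deleting, which is why a detonation fired immediately after cleanup can still hit the error quoted above.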

kljunowsky commented 1 month ago

I remember. I used to manually clean up secrets on AWS since I faced issues with stratus cleanup (Expired keys). Triggering and cleaning with stratus works fine. Closing the issue.