RhinoSecurityLabs / cloudgoat

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
BSD 3-Clause "New" or "Revised" License

Problem creating ec2 instance on cloud_breach_s3 #234

Closed trickdeath0 closed 10 months ago

trickdeath0 commented 10 months ago

Hello,

I had 2 errors at the beginning of setting up the lab, but the error for the s3 bucket was resolved thanks to https://github.com/RhinoSecurityLabs/cloudgoat/issues/198#issuecomment-1614876285 #233

But I can't figure out how to fix this error [image]

This is the code for ec2.tf

```hcl
#IAM Role
resource "aws_iam_role" "cg-banking-WAF-Role" {
  name = "cg-banking-WAF-Role-${var.cgid}"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
  tags = {
      Name = "cg-banking-WAF-Role-${var.cgid}"
      Stack = "${var.stack-name}"
      Scenario = "${var.scenario-name}"
  }
}

#IAM Role Policy Attachment
resource "aws_iam_role_policy_attachment" "cg-banking-WAF-Role-policy-attachment-s3" {
  role = "${aws_iam_role.cg-banking-WAF-Role.name}"
  policy_arn = "${data.aws_iam_policy.s3-full-access.arn}"
}

#IAM Instance Profile
resource "aws_iam_instance_profile" "cg-ec2-instance-profile" {
  name = "cg-ec2-instance-profile-${var.cgid}"
  role = "${aws_iam_role.cg-banking-WAF-Role.name}"
}

#Security Groups
resource "aws_security_group" "cg-ec2-ssh-security-group" {
  name = "cg-ec2-ssh-${var.cgid}"
  description = "CloudGoat ${var.cgid} Security Group for EC2 Instance over SSH"
  vpc_id = "${aws_vpc.cg-vpc.id}"
  ingress {
      from_port = 22
      to_port = 22
      protocol = "tcp"
      cidr_blocks = var.cg_whitelist
  }
  egress {
      from_port = 0
      to_port = 0
      protocol = "-1"
      cidr_blocks = [
          "0.0.0.0/0"
      ]
  }
  tags = {
    Name = "cg-ec2-ssh-${var.cgid}"
    Stack = "${var.stack-name}"
    Scenario = "${var.scenario-name}"
  }
}
resource "aws_security_group" "cg-ec2-http-security-group" {
  name = "cg-ec2-http-${var.cgid}"
  description = "CloudGoat ${var.cgid} Security Group for EC2 Instance over HTTP"
  vpc_id = "${aws_vpc.cg-vpc.id}"
  ingress {
      from_port = 80
      to_port = 80
      protocol = "tcp"
      cidr_blocks = var.cg_whitelist
  }
  egress {
      from_port = 0
      to_port = 0
      protocol = "-1"
      cidr_blocks = [
          "0.0.0.0/0"
      ]
  }
  tags = {
    Name = "cg-ec2-http-${var.cgid}"
    Stack = "${var.stack-name}"
    Scenario = "${var.scenario-name}"
  }
}
#AWS Key Pair
resource "aws_key_pair" "cg-ec2-key-pair" {
  key_name = "cg-ec2-key-pair-${var.cgid}"
  public_key = "${file(var.ssh-public-key-for-ec2)}"
}
#EC2 Instance
resource "aws_instance" "ec2-vulnerable-proxy-server" {
    ami = "ami-0a313d6098716f372"
    instance_type = "t2.micro"
    iam_instance_profile = "${aws_iam_instance_profile.cg-ec2-instance-profile.name}"
    subnet_id = "${aws_subnet.cg-public-subnet-1.id}"
    associate_public_ip_address = true
    vpc_security_group_ids = [
        "${aws_security_group.cg-ec2-ssh-security-group.id}",
        "${aws_security_group.cg-ec2-http-security-group.id}"
    ]
    key_name = "${aws_key_pair.cg-ec2-key-pair.key_name}"
    root_block_device {
        volume_type = "gp2"
        volume_size = 8
        delete_on_termination = true
    }
    provisioner "file" {
      source = "../assets/proxy.com"
      destination = "/home/ubuntu/proxy.com"
      connection {
        type = "ssh"
        user = "ubuntu"
        private_key = "${file(var.ssh-private-key-for-ec2)}"
        host = self.public_ip
      }
    }
    user_data = <<-EOF
        #!/bin/bash
        apt-get update
        apt-get install -y nginx
        ufw allow 'Nginx HTTP'
        cp /home/ubuntu/proxy.com /etc/nginx/sites-enabled/proxy.com
        rm /etc/nginx/sites-enabled/default
        systemctl restart nginx
        EOF
    volume_tags = {
        Name = "CloudGoat ${var.cgid} EC2 Instance Root Device"
        Stack = "${var.stack-name}"
        Scenario = "${var.scenario-name}"
    }
    tags = {
        Name = "ec2-vulnerable-proxy-server-${var.cgid}"
        Stack = "${var.stack-name}"
        Scenario = "${var.scenario-name}"
    }
}
```

If anyone has had this problem in the past or knows how to fix it, I'd love to hear :)

andrew-aiken commented 10 months ago

If you try running the cloudgoat create command again does that resolve your issue?

The issue looks like there is no timeout between the server coming online and the provisioner/user_data running. A solution to this would be to have the file created in the user_data.

trickdeath0 commented 10 months ago

> If you try running the cloudgoat create command again does that resolve your issue?
>
> The issue looks like there is no timeout between the server coming online and the provisioner/user_data running. A solution to this would be to have the file created in the user_data.

I tried several times to overwrite; I also tried to destroy and create a new one, but it was not resolved.

trickdeath0 commented 10 months ago

@andrew-aiken I looked at previous solutions and found this one, which worked perfectly for updating the whitelist.

Thanks for the quick availability for help :)

andrew-aiken commented 10 months ago

Ahh, yup, an allow-listed IP would have done it.

lmatzer commented 3 months ago

This is still open for me. Applies to any scenario containing ec2 instances. Error as described above when provisioning the instance from file: ssh timeout on the newly spawned ubuntu machines. I checked my whitelist as advised, it's definitely correct.

andrew-aiken commented 3 months ago

> This is still open for me. Applies to any scenario containing ec2 instances. Error as described above when provisioning the instance from file: ssh timeout on the newly spawned ubuntu machines. I checked my whitelist as advised, it's definitely correct.

If you look in the AWS console, what is the IP & what are the security group rules? Try connecting directly to that IP: `telnet <IP> 22`

lmatzer commented 3 months ago

Let's stay with the example cloud_breach_s3, though this applies to all other scenarios containing ec2 instances for me. Telnet connection is impossible as well, aws_security_group.cg-ec2-ssh-security-group and aws_security_group.cg-ec2-http-security-group are being created successfully. This does not seem to be a timeout, but rather a provisioning issue: Adding a long "timeout" property to the connection in the ec2.tf followed by recreation does not solve the problem.

andrew-aiken commented 3 months ago

If you cannot hit the IP (telnet) then it's probably related to the security group blocking your access.

What are the rules on the security group (aws_security_group.cg-ec2-ssh-security-group)? Note it will include your public IP.

lmatzer commented 3 months ago

The terraform summary at the beginning of the creation process states the 2 security groups correctly; the ingress cidr-blocks correctly reflect the contents of my whitelist.txt. The one egress cidr-block is 0.0.0.0/0, which I assume to be correct as well. Through my cloudgoat profile I cannot list the groups after the creation breaks, and as I do not yet have the credentials from start.txt I cannot check there.

andrew-aiken commented 3 months ago

> Through my cloudgoat profile I cannot list the groups after the creation breaks

The user you're using should have permission to view the security groups since it should have created them. You can also view the security groups from the AWS console.