From 8c85ec4998e20dd0aece29119a1f9934c01a0e96 Mon Sep 17 00:00:00 2001 
From: Mrugank Patankar Date: Wed, 7 Jun 2023 19:34:16 +1000 Subject: [PATCH] Remove `skip_metadata_api_check = true` from TF AWS Provider (#368) * removing skip_metadata_api_check tag in aws provider to allow natural discovery of credentials in aws * fix unintended white spaces * more white space fixes * Fix Terraform formatting --------- Co-authored-by: Christophe Tafani-Dereeper --- examples/custom/prerequisites.tf | 1 - .../aws/credential-access/ec2-get-password-data/main.tf | 1 - .../aws/credential-access/ec2-steal-instance-credentials/main.tf | 1 - .../credential-access/secretsmanager-retrieve-secrets/main.tf | 1 - .../ssm-retrieve-securestring-parameters/main.tf | 1 - .../aws/defense-evasion/cloudtrail-delete/main.tf | 1 - .../aws/defense-evasion/cloudtrail-event-selectors/main.tf | 1 - .../aws/defense-evasion/cloudtrail-lifecycle-rule/main.tf | 1 - .../attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf | 1 - .../aws/defense-evasion/organizations-leave/main.tf | 1 - .../aws/defense-evasion/vpc-remove-flow-logs/main.tf | 1 - .../aws/discovery/ec2-enumerate-from-instance/main.tf | 1 - .../attacktechniques/aws/discovery/ec2-get-user-data/main.tf | 1 - .../aws/execution/ec2-launch-unusual-instances/main.tf | 1 - v2/internal/attacktechniques/aws/execution/ec2-user-data/main.tf | 1 - .../exfiltration/ec2-security-group-open-port-22-ingress/main.tf | 1 - .../attacktechniques/aws/exfiltration/ec2-share-ami/main.tf | 1 - .../aws/exfiltration/ec2-share-ebs-snapshot/main.tf | 1 - .../attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf | 1 - .../aws/exfiltration/s3-backdoor-bucket-policy/main.tf | 1 - .../aws/initial-access/console-login-without-mfa/main.tf | 1 - .../attacktechniques/aws/persistence/iam-backdoor-role/main.tf | 1 - .../attacktechniques/aws/persistence/iam-backdoor-user/main.tf | 1 - .../aws/persistence/iam-create-user-login-profile/main.tf | 1 - .../aws/persistence/lambda-backdoor-function/main.tf | 1 - 
.../aws/persistence/lambda-overwrite-code/main.tf | 1 - .../aws/persistence/rolesanywhere-create-trust-anchor/main.tf | 1 - 27 files changed, 27 deletions(-)
diff --git a/examples/custom/prerequisites.tf b/examples/custom/prerequisites.tf
index 9fa6c7a3..2afaef25 100644
--- a/examples/custom/prerequisites.tf
+++ b/examples/custom/prerequisites.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf b/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf
index d0dd0afb..f189652c 100644
--- a/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf
+++ b/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf b/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf
index 2b1123a3..80fc4ce8 100644
--- a/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf
+++ b/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf
@@ -11,7 +11,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
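Review bot: With `skip_metadata_api_check` removed, the `provider "aws"` block in prerequisites.tf (which opens before this hunk, at line 10) now lets the AWS SDK fall back to the EC2 instance-metadata endpoint whenever no other credential source is configured, and nothing in the stanza records that this is deliberate; I would add `# Credentials come from the standard AWS SDK chain (env vars, shared config, instance metadata); the skip_* flags below only suppress extra validation calls.` above `skip_region_validation` so a later tidy-up does not re-add the flag. Since `skip_credentials_validation = true` is kept, a missing or wrong credential source is, as I read it, only surfaced at the first real API call rather than at provider initialisation, which is worth stating in that comment too. Operators who run the tool outside AWS and want to avoid the metadata probe and its timeout can opt out through the SDK's `AWS_EC2_METADATA_DISABLED=true` environment variable instead of the provider argument. The identical stanza is edited in the 26 other `main.tf` hunks of this patch; the same comment belongs in each, and the repetition itself suggests the provider block should come from one shared template so the 27 copies cannot drift.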
diff --git a/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf b/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf
index 0ccb0c1c..4d074b6e 100644
--- a/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf
+++ b/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf b/v2/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf
index 659407db..edcc1c55 100644
--- a/v2/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf
+++ b/v2/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf
index 725c7491..276ef8c5 100644
--- a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf
+++ b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors/main.tf
index 0ede22ff..ee0d33e0 100644
--- a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors/main.tf
+++ b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule/main.tf
index 61057abe..8bef66db 100644
--- a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule/main.tf
+++ b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf
index d4b0bfeb..0ef85df8 100644
--- a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf
+++ b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf
index 3d07fd81..a0383ea6 100644
--- a/v2/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf
+++ b/v2/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf
index 348b713e..57722cfa 100644
--- a/v2/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf
+++ b/v2/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf b/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf
index 0586158c..13a4f1c5 100644
--- a/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf
+++ b/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf
@@ -11,7 +11,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/discovery/ec2-get-user-data/main.tf b/v2/internal/attacktechniques/aws/discovery/ec2-get-user-data/main.tf
index 37b87f8b..6f4bd9ee 100644
--- a/v2/internal/attacktechniques/aws/discovery/ec2-get-user-data/main.tf
+++ b/v2/internal/attacktechniques/aws/discovery/ec2-get-user-data/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/execution/ec2-launch-unusual-instances/main.tf b/v2/internal/attacktechniques/aws/execution/ec2-launch-unusual-instances/main.tf
index 47189bdb..11189417 100644
--- a/v2/internal/attacktechniques/aws/execution/ec2-launch-unusual-instances/main.tf
+++ b/v2/internal/attacktechniques/aws/execution/ec2-launch-unusual-instances/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/execution/ec2-user-data/main.tf b/v2/internal/attacktechniques/aws/execution/ec2-user-data/main.tf
index 4fd5445b..5980b7fd 100644
--- a/v2/internal/attacktechniques/aws/execution/ec2-user-data/main.tf
+++ b/v2/internal/attacktechniques/aws/execution/ec2-user-data/main.tf
@@ -11,7 +11,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf b/v2/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf
index af9e6afc..f4f72861 100644
--- a/v2/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf
+++ b/v2/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf b/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf
index e3d11be8..5770d9cc 100644
--- a/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf
+++ b/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf b/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf
index 8a0d9eaa..1b792814 100644
--- a/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf
+++ b/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf b/v2/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf
index f80dc108..71e6e205 100644
--- a/v2/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf
+++ b/v2/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf b/v2/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf
index 0a4f24ef..44b64817 100644
--- a/v2/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf
+++ b/v2/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/initial-access/console-login-without-mfa/main.tf b/v2/internal/attacktechniques/aws/initial-access/console-login-without-mfa/main.tf
index 0be76a38..1afae96a 100644
--- a/v2/internal/attacktechniques/aws/initial-access/console-login-without-mfa/main.tf
+++ b/v2/internal/attacktechniques/aws/initial-access/console-login-without-mfa/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 } data "aws_caller_identity" "current" {}
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.tf b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.tf
index e43cfb86..d52a46e9 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.tf
+++ b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 } locals {
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.tf b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.tf
index dbe6e837..3df563a1 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.tf
+++ b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.tf b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.tf
index 73281526..23e69103 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.tf
+++ b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf b/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf
index acf7fc9f..0b8bdc73 100644
--- a/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf
+++ b/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.tf b/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.tf
index 349e4441..68f5e85b 100644
--- a/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.tf
+++ b/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true
diff --git a/v2/internal/attacktechniques/aws/persistence/rolesanywhere-create-trust-anchor/main.tf b/v2/internal/attacktechniques/aws/persistence/rolesanywhere-create-trust-anchor/main.tf
index 9c51a911..55e4ff5d 100644
--- a/v2/internal/attacktechniques/aws/persistence/rolesanywhere-create-trust-anchor/main.tf
+++ b/v2/internal/attacktechniques/aws/persistence/rolesanywhere-create-trust-anchor/main.tf
@@ -10,7 +10,6 @@ provider "aws" {
 skip_region_validation = true
 skip_credentials_validation = true
 skip_get_ec2_platforms = true
- skip_metadata_api_check = true
 default_tags {
 tags = {
 StratusRedTeam = true