Skip to main content
Go to Red Canary Documentation
Red Canary Support

Generating AWS Threats in Red Canary

  • Updated .

Issue

This article includes step-by-step guidance on how to generate test threats in Red Canary using rccar for Amazon Web Services integrations.

Environment

Red Canary

   AWS Integrations

Cause

Red Canary uses a similar test to the European Institute for Computer Anti-Virus Research (EICAR) with Cloudtrail to provide data flow validation testing for Amazon Web Services.

You may need to test data flow by creating or updating a resource, so we have built tests for both scenarios.

Resolution

Using AWS CLI

  1. Log in to AWS via the AWS CLI tool
  2. Create the rccar security group using the following command
    • aws ec2 create-security-group --group-name rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar --description 'Red Canary Test'
  3. Next, authorize incoming ICMP traffic with the following command
    • aws ec2 authorize-security-group-ingress --group-name rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar --protocol icmp --port -1
  4. After testing, clean up the test resources by deleting the security group with the following command
    • aws ec2 delete-security-group --group-name rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar
    • Note: If this command fails, the security group likely does not exist, and no cleanup is necessary

Using the AWS Web Console

  1. Log in to the AWS web console
  2. Navigate to the EC2 Dashboard
    • c13accd4-d5b4-4d2e-b123-1c744efb7c04.png
  3. From the navigation menu, Click on the Network & Security dropdown and select Security Groups
    • 16b01aed-abc0-48b3-9fa9-f8d64ccef326.png
  4. Click Create security groups
    • 790963d2-7b0e-483d-8eb4-d81b7cecb219.png
  5. For the security group name, enter the following
    • rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar
    • a1bb6db5-aea3-44e2-b954-65f3707c7d4a.png
  6. Click Create security group
  7. After testing, find and select the rccar security group by clicking on its Security Group ID
  8. Click the Actions dropdown
  9. Select Delete security groups
    • 9bfd007e-c4df-45d4-afa4-66c8c13d014e.png

Validating Test in AWS CloudTrail

This process allows you to confirm that the actions you performed have been logged in CloudTrail, ensuring that your test events are recorded and can be analyzed for verification.

Note: CloudTrail event history is limited to the past 90 days of events.

  1. Navigate into CloudTrail
    • 1f44649f-84ce-4866-906e-6cda35d70b67.png
  2. Select Event History from the navigation tree
    • 3f406488-b8b3-45d5-92ec-63f00465d093.png
  3. Filter for Event Name and CreateSecurityGroup and see if our test is picked up
    • ca2fed2d-505a-4bfe-8315-6f07b7fcd9b0.png
    • Note: Ensure the CreateSecurityGroup event type occurred seen in the history shows up within 5 minutes of your testing
  4. Filter for Event Name and DeleteSecurityGroup
    • 86c11c00-4b6e-4259-8af8-f605e093404f.png
    • Note: Ensure the DeleteSecurityGroup event type occurred seen in the history shows up within 5 minutes of your testing
  5. Filter for Event Name and AuthorizeSecurityGroupIngress
    • 0f5638fb-5c02-40b9-8f35-8d50ef3cd742.png
    • Note: Ensure the AuthorizeSecurityGroupIngress event type occurred seen in the history shows up within 5 minutes of your testing

Additional Notes

  • For the purposes of rccar testing, security group updates can only be tested via AWS CLI

Comments

0 comments

Please sign in to leave a comment.