This article leads you through the process of generating test threats in Red Canary using Amazon Web Services.
Red Canary provides a test analogous to the European Institute for Computer Anti-Virus Research (EICAR) test file: a harmless AWS API request whose resource name contains a known marker string. When that request is recorded by CloudTrail and reaches Red Canary, a detection fires, which validates that CloudTrail data is flowing from your AWS account to Red Canary.
You can generate the test event either by creating a resource or by updating an existing one, so steps for both scenarios are provided below.
Resource Creation
AWS CLI
- Log in to AWS via the aws-cli tool.
- To trigger the detector, run the following command:
aws ec2 create-security-group --group-name rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar --description 'Red Canary Test'
AWS Web Console
- Log in to AWS via the web console.
- Click EC2 Dashboard.
- From the navigation menu, click the Network & Security dropdown.
- Click Security Groups.
- Click Create security group.
- For the Security group name, enter the following:
rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar
- Click Create security group.
Resource Updates
AWS CLI
- Log in to AWS via the aws-cli tool.
- To trigger the detector, run the following command:
aws ec2 authorize-security-group-ingress --group-name rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar --protocol icmp --port -1
Note: It does not matter whether the command succeeds or fails (for example, if the group was never created). The detector keys on the string rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar appearing in the request parameters that CloudTrail records, so sending the request is sufficient.
AWS Web Console
- Log in to AWS via the web console.
- Click EC2 Dashboard.
- From the left navigation menu, click the Network & Security dropdown.
- Click Security Groups.
- Click the Security group ID of the previously created security group (named rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar) to open its details page.
- Click Edit inbound rules.
- Click Add rule.
- Add an authorization rule to allow all ICMP traffic from your current IP address using the following data:
- For the type dropdown, select All ICMP - IPv4.
- For the source dropdown, select My IP.
- Click Save rules.
Clean Up
If the authorization succeeded, the security group now permits all Internet Control Message Protocol (ICMP) traffic from the configured source, and from any host on the Internet if the CLI command was run without a source restriction. Immediate cleanup after validating the activity is recommended.
AWS CLI
The test security group can be cleaned up via deletion by running the following command:
aws ec2 delete-security-group --group-name rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar
Note: If the create-security-group command failed with an error, the security group was never created and no cleanup is necessary.
AWS Web Console
Delete the group via the EC2 Security Groups page in the web console.
- Log in to AWS via the web console.
- Click EC2 Dashboard.
- From the navigation menu, click the Network & Security dropdown.
- Click Security Groups.
- Select the relevant entry in the list of security groups by clicking on its Security group ID.
- Click the Actions dropdown.
- Select Delete security groups.
- After confirming this is the test security group that was just created, click Delete.
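The following script is an added example and is not part of the Red Canary article or its tooling. It runs the creation, update and cleanup steps above from one place and, in between, queries CloudTrail with `aws cloudtrail lookup-events` to confirm that the request carrying the marker was actually recorded before you look for the detection in Red Canary. It assumes the aws CLI is installed and authenticated, that the account has a default VPC (the article's `--group-name` form requires one), and that the operator sets the `SOURCE_CIDR` environment variable to their own address (for example `203.0.113.10/32`) so the ICMP rule is not left open to the Internet. The sample CloudTrail records in the script are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Red Canary's own code. Assumes: aws CLI with credentials,
# a default VPC, and SOURCE_CIDR set by the operator (e.g. 203.0.113.10/32).
set -euo pipefail

MARKER='rccar-27b29a4f6dd69ce1ca944d5c961daed8db30bb439b210a560a43c83a8cace217-rccar'

# The detector keys on the marker appearing in the recorded request, so apply
# the same test to a CloudTrail event record (JSON passed as $1).
event_has_marker() {
  case "$1" in
    *"$MARKER"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract eventName from a CloudTrail event record (JSON passed as $1).
event_name() {
  printf '%s\n' "$1" | sed -n 's/.*"eventName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Count records (one JSON object per line in $1) that carry the marker.
count_marker_events() {
  local n=0 line
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if event_has_marker "$line"; then n=$((n + 1)); fi
  done <<< "$1"
  printf '%s\n' "$n"
}

# Constructed sample records (not real CloudTrail output) for offline checks.
sample_create_event() {
  printf '{"eventVersion":"1.08","eventSource":"ec2.amazonaws.com","eventName":"CreateSecurityGroup","requestParameters":{"groupName":"%s","groupDescription":"Red Canary Test"}}\n' "$MARKER"
}
sample_other_event() {
  printf '{"eventVersion":"1.08","eventSource":"ec2.amazonaws.com","eventName":"CreateSecurityGroup","requestParameters":{"groupName":"web-tier","groupDescription":"unrelated"}}\n'
}
sample_events() {
  sample_create_event
  sample_other_event
}

# Poll CloudTrail for CreateSecurityGroup events and look for the marker.
# lookup-events can lag the API call by up to ~15 minutes, so retry for a
# while before concluding that the data flow is broken. The CLI joins a list
# of strings with tabs in text output, hence the tr to one record per line.
verify_in_cloudtrail() {
  local attempt events
  for attempt in $(seq 1 15); do
    events=$(aws cloudtrail lookup-events \
      --lookup-attributes AttributeKey=EventName,AttributeValue=CreateSecurityGroup \
      --query 'Events[].CloudTrailEvent' --output text | tr '\t' '\n')
    if [ "$(count_marker_events "$events")" -gt 0 ]; then
      echo "marker found in CloudTrail on attempt $attempt"
      return 0
    fi
    sleep 60
  done
  echo "marker not seen in CloudTrail after $attempt attempts; check trail/region" >&2
  return 1
}

# Full cycle: create (resource creation test), authorize (resource update test),
# verify in CloudTrail, then delete the group whatever the verification result.
run_test_cycle() {
  : "${SOURCE_CIDR:?set SOURCE_CIDR to your own address, e.g. 203.0.113.10/32}"
  local group_id
  group_id=$(aws ec2 create-security-group --group-name "$MARKER" \
    --description 'Red Canary Test' --query GroupId --output text)
  # --group-name is kept here on purpose: the marker must be in the request.
  # Restricted to SOURCE_CIDR instead of left open; failure still triggers.
  aws ec2 authorize-security-group-ingress --group-name "$MARKER" \
    --protocol icmp --port -1 --cidr "$SOURCE_CIDR" || true
  verify_in_cloudtrail || true
  aws ec2 delete-security-group --group-id "$group_id"
  echo "deleted $group_id"
}

# Only touch AWS when explicitly asked: ./rccar-test.sh run
if [ "${1:-}" = "run" ]; then
  run_test_cycle
fi
```

Run it as `SOURCE_CIDR=203.0.113.10/32 ./rccar-test.sh run`; without the `run` argument it only defines the functions, so it can be sourced to check parsed CloudTrail output by hand. Deletion uses the group ID returned at creation so cleanup works even if the name lookup would not, while the authorize call keeps `--group-name` because that is where the marker has to appear.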