```
$ wsk action list
```

Should return a list of actions:

```
$ wsk action list
actions
/yourusername_dev/github-user-events-scanner-nuker private sequence
/yourusername_dev/fetch-aws-keys-write-doc private sequence
/yourusername_dev/github-user-aggregator-write-doc private sequence
/yourusername_dev/write-doc private blackbox
/yourusername_dev/nuke-leaked-aws-keys private blackbox
/yourusername_dev/lookup-github-users-aws-keys private blackbox
/yourusername_dev/github-user-events-scanner private blackbox
/yourusername_dev/github-user-aggregator private blackbox
/yourusername_dev/fetch-aws-keys private blackbox
```
```
$ wsk action invoke github-user-events-scanner-nuker --blocking --result
```

Check the output. Assuming there weren't any leaked keys, you should see `"NukedKeyEvents": null` in the returned JSON. You can also see the latest scanned GitHub event for each GitHub user that was scanned.
If you don't want to do this test by hand, you can run the integration test suite, which performs (mostly) the same steps, in particular in the end-to-end integration test. See the Developer Guide for more info.
- In the AWS web admin UI, create a new IAM user called `KeyLeaker` with only Programmatic access, and don't assign the user any policy whatsoever; you should see a warning "This user has no permissions".
- After creating the `KeyLeaker` user, it will generate an access key and secret. Post that to either:
  - A public GitHub repo using one of the GitHub users in the org (presumably your own GitHub user account, which is a member of the org)
  - A private GitHub repo. For this approach, you not only have to be in the GitHub org, but you will also have to use a GitHub access token with more permissions (the full repo permissions) and then run
    ```
    $ wsk action update github-user-events-scanner -p GithubAccessToken "new_token"
    ```
- Trigger the scanner manually:
  ```
  $ wsk action invoke github-user-events-scanner-nuker --blocking --result
  ```
  Or you can just wait 15 minutes for the alarm task to kick in.
- In the AWS web UI, if you reload the list of keys for the `KeyLeaker` user, it should be gone!
- If you triggered `github-user-events-scanner-nuker` manually, you should see a non-nil value in the `NukedKeyEvents` JSON field. Otherwise, if it was triggered via an alarm, you can find the activation id via `wsk activation list` and then view the logs via `wsk activation logs [activation_id]`.
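The two checks that close this procedure (a non-null `NukedKeyEvents` field in the blocking result, and an empty access-key list for the `KeyLeaker` user) can be scripted so the test run produces a single pass/fail verdict instead of two things to eyeball. The following is an added example, not code from this page or from the project it documents. It assumes the `wsk` and `aws` CLIs are installed and configured for the same deployment and account used above, that `NukedKeyEvents` is either `null` or a JSON list (the fields inside each event are not specified on this page, so they are passed through untouched), and that `aws iam list-access-keys` returns its standard `AccessKeyMetadata` array. The sample JSON at the top is constructed for offline use.

```python
# Added example: automate the two manual checks of a KeyLeaker test run.
#   1. invoke the nuker action with --blocking --result and inspect the
#      "NukedKeyEvents" field of the returned JSON;
#   2. ask IAM whether the KeyLeaker user still has any access keys.
# Assumptions (not from the page): `wsk` and `aws` CLIs are configured;
# "NukedKeyEvents" is null or a list; event contents are opaque here.
import json
import subprocess

NUKER_ACTION = "github-user-events-scanner-nuker"
TEST_USER = "KeyLeaker"

# Constructed sample inputs so the parsing logic can be exercised offline.
# The key id is a placeholder, not a real AWS access key id.
SAMPLE_EMPTY_RUN = '{"NukedKeyEvents": null}'
SAMPLE_NUKED_RUN = '{"NukedKeyEvents": [{"AccessKeyId": "AKIA_PLACEHOLDER_EXAMPLE"}]}'
SAMPLE_NO_KEYS = '{"AccessKeyMetadata": []}'
SAMPLE_ONE_KEY = (
    '{"AccessKeyMetadata": [{"UserName": "KeyLeaker", '
    '"AccessKeyId": "AKIA_PLACEHOLDER_EXAMPLE", "Status": "Active"}]}'
)


def parse_nuke_result(result_json: str) -> dict:
    """Parse the JSON printed by `wsk action invoke ... --blocking --result`.

    "NukedKeyEvents": null means nothing was nuked, so it is normalised to an
    empty list; any other non-list value is treated as a malformed result.
    Returns {"nuked": [events], "any_nuked": bool, "raw": full result}.
    """
    result = json.loads(result_json)
    events = result.get("NukedKeyEvents")
    if events is None:
        events = []
    elif not isinstance(events, list):
        raise ValueError(f"unexpected NukedKeyEvents value: {events!r}")
    return {"nuked": events, "any_nuked": len(events) > 0, "raw": result}


def remaining_access_keys(list_access_keys_json: str) -> list:
    """Extract access key ids from `aws iam list-access-keys` JSON output.

    A deleted key disappears from this list entirely; a key that was only
    deactivated would still be present with "Status": "Inactive", which is
    why ids (not just a count) are returned for the operator to inspect.
    """
    data = json.loads(list_access_keys_json)
    return [k["AccessKeyId"] for k in data.get("AccessKeyMetadata", [])]


def verdict(result_json: str, list_access_keys_json: str) -> dict:
    """Combine both checks into one summary for the test run.

    The run passes only when at least one key was nuked AND the KeyLeaker
    user has no keys left. Both halves are reported separately so a failure
    points at the right side: the scanner (nothing nuked) or IAM (key still
    present).
    """
    nuke = parse_nuke_result(result_json)
    keys_left = remaining_access_keys(list_access_keys_json)
    return {
        "any_nuked": nuke["any_nuked"],
        "nuked_count": len(nuke["nuked"]),
        "keys_left": keys_left,
        "passed": nuke["any_nuked"] and not keys_left,
    }


def invoke_nuker(action: str = NUKER_ACTION) -> str:
    """Run the blocking invocation and return its raw JSON result text."""
    proc = subprocess.run(
        ["wsk", "action", "invoke", action, "--blocking", "--result"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


def list_access_keys(user: str = TEST_USER) -> str:
    """Return the raw JSON of `aws iam list-access-keys` for the test user."""
    proc = subprocess.run(
        ["aws", "iam", "list-access-keys", "--user-name", user, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Live run against the deployment; exits non-zero if the test failed.
    summary = verdict(invoke_nuker(), list_access_keys())
    print(json.dumps(summary, indent=2))
    raise SystemExit(0 if summary["passed"] else 1)
```

If the scanner was triggered by the 15-minute alarm rather than by hand, there is no blocking result to parse; in that case run only the IAM half (`remaining_access_keys(list_access_keys())`) and read the activation logs with `wsk activation logs [activation_id]` as described above.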