
A production-friendly malware scanner for your AWS cloud

Primary language: YARA. License: GNU General Public License v2.0 (GPL-2.0)

Patrolaroid

Patrolaroid is an instant camera for capturing cloud workload risks. It’s a prod-friendly scanner that makes finding security issues in AWS instances and buckets less annoying and disruptive for software engineers and cloud admins.

Patrolaroid scans production infrastructure from a safe distance rather than within production, so you don’t have to install an agent, run code, or perform other invasive infosec rituals to use it.

Overview

Patrolaroid snapshots AWS instances and buckets to uncover malware, backdoors, cryptominers, toolkits, and other attacker tomfoolery that you probably don’t want in your prod. Software engineers, security engineers, and cloud administrators only need familiarity with YARA and the AWS Management Console to use it.

Patrolaroid does not require running an agent or code in prod, only needs read-only access to cloud assets, and generally avoids the myriad stability and performance sins of security tools.

Why?

The tired way

Most commercial “cloud security” scanners that aim to detect malware in cloud workloads ironically operate pretty similarly to malware. Their mode of operation is:

  1. Just-in-time installation of an agent via SSH
  2. Running the agent from /tmp
  3. Deleting themselves once the scan completes

This results in the security agent stealing compute cycles and I/O from the host it’s scanning, which is veritably unstonkly – as is the chance that prod is borked if the agent screws up.

The inspired way

Patrolaroid avoids these problems by scanning prod instances and buckets for security problems while staying safely out of prod. After the engineer or admin identifies the AWS account containing the resources they want to scan, Patrolaroid then:

  1. Runs from an AWS instance within the same account as the target instances or buckets
  2. Snapshots each instance
  3. Uses YARA rules to scan the instance’s filesystem for matches (and generates an alert if there is a match)
  4. Deletes the snapshot volume

In short, Patrolaroid provides "point-and-shoot" malware scanning of AWS assets without the malware-like tactics of existing “cloud security” tools.

Getting Started with Patrolaroid

All you need is an AWS account and the ability to create an AWS role and EC2 instance to get Patrolaroid up and running. Getting started involves creating a dedicated EC2 instance for Patrolaroid in the same AWS account and availability zones as the assets you want to scan.

Step 1: Create an AWS role

☁️ Make sure to use the account and availability zone you want to scan to create the role ☁️

  1. Log into your AWS account and access the Identity and Access Management (IAM) service in the AWS Management Console, then choose Create Role (you can also use the AWS CLI if you prefer)
  2. Select AWS service for type of trusted entity
  3. Select EC2 as the allowed service and use case, then choose Next: Permissions
  4. Select the AmazonEC2FullAccess and AmazonS3FullAccess policies or paste our recommended policy (with tighter permissions) into the JSON editor, then choose Next: Tags
  5. No tags are needed, so select Next: Review
  6. Type Patrolaroid for the Role name
  7. Review the role and, if satisfied, choose Create role
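One least-privilege alternative to the two FullAccess policies, added here as an example and not the project's own recommended policy: the action set is an assumption derived from the workflow in the Overview (describe targets, snapshot, attach and detach a volume, delete it, read buckets), and each Sid is prefixed "Assumed" to mark that.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumedDiscoverTargets",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AssumedSnapshotLifecycle",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AssumedBucketReadOnly",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": "*"
    }
  ]
}
```

Compared with AmazonEC2FullAccess and AmazonS3FullAccess this grants no instance launch or termination, no IAM, and no S3 write, so a compromised scanner host cannot alter or delete the assets it inspects; the Describe actions require Resource "*", but the snapshot-lifecycle statement can be narrowed further with tag conditions once you know how your volumes are tagged.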

Step 2: Create an EC2 instance

☁️ Make sure you’re still logged into the account you want to scan before proceeding ☁️

  1. Open the AWS EC2 console, then choose Launch instance
  2. On the Step 1: Choose an Amazon Machine Image (AMI) page, select Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
  3. On the Step 2: Choose an Instance Type page, select the t2.micro type, then click Next: Configure Instance Details
  4. For IAM role, select the Patrolaroid role you created
  5. Click Review and Launch

Step 3: Install dependencies

  1. Connect to your new EC2 instance via SSH (or PuTTY if using Windows)
  2. Install curl by running the command:

sudo apt-get install curl

Step 4: Install Patrolaroid

Ensure you are connected to your dedicated EC2 instance and then download Patrolaroid to it by running:

curl -L https://github.com/rpetrich/patrolaroid/releases/download/v0.3/patrolaroid.tar.gz | tar xz

Step 5: Run Patrolaroid

Start scanning by running Patrolaroid via sudo:

sudo ./patrolaroid

Enjoy your ☁️ 🔒 📷 🖤