Configuring GitHub With a Personal Access Token and Network Access for a Lambda function
ACM.316 Configuring a fine-grained personal access token and network access to a GitHub organization for an AWS NAT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics | Code.
🔒 Related Stories: Lambda | GitHub Security | Application Security
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the last post I created an AWS Secrets Manager secret with a resource policy that grants a Lambda function read-only access to it.
In this post, I want to clone a private repository to my container.
Recall that in prior posts I did the following before getting to this step:
- Set up a private network with outbound access through a NAT gateway.
- Locked down inbound access to invoke the Lambda function to specific IP addresses via an SCP.
- Set up Elastic Container Registry (ECR) and changed the resource policy so Lambda can pull containers from it.
- Deployed a Lambda function that runs a container.
- Created a custom runtime to execute bash in the container.
- Created a mechanism to test the Lambda container locally outside the container service.
- Deployed a secret that the Lambda function can read and an administrator can edit.
- Turned on Lambda event logging and enabled CloudWatch for Lambda logs.
All those posts are in this sub-series:
The above steps help prevent an attacker from obtaining the GitHub personal access token (PAT) we are going to add to AWS. Nothing is ever foolproof, but an attacker would need not only the AWS credentials but also network access from an allowed IP address. In addition, the PAT will be read-only and scoped to a single repository, so the most they could do with it is read the contents of a GitHub repository for a public website. Why not just go look at the website. 😆
Remaining steps to clone a private GitHub repository in a Lambda function
In order to clone a private repository in GitHub I need credentials and to modify my code to use them.
Here are the remaining steps.
- Add the NAT EIP to the allowed IP addresses for my GitHub organization.
- Create a personal access token with read-only access to the specified repository in GitHub and store that token in AWS Secrets Manager.
- Ensure the Lambda function role includes the statements that allow it to access the Secret deployed in the last few posts.
- Retrieve the token in my Lambda function.
- Test cloning a private repository with the personal access token.
Let’s do it.
Add the NAT EIP to the allowed IP addresses in my GitHub organization
- Log into AWS and navigate to the VPC Dashboard.
- Click on NAT gateways in the left menu, then select your NAT gateway.
- Find the Primary public IPv4 address.
- Log in to GitHub.
- Click on Organizations in the left menu (presuming you have one).
- Click on Settings next to the Organization to which you want to grant access.

Click on Settings.

In the left menu click Authentication Security.

Scroll down and add your NAT EIP to the list of allowed IP addresses.

REMEMBER: Any other IP addresses that need access must also be listed here, including the address you are logging in from to make these changes, or you will lock yourself out. I wrote about this, and about adding a backup address, in prior posts.
Also, if you delete any resources that have access to your GitHub organization, remember to delete the associated IP address in GitHub. A released Elastic IP goes back into the pool and can be allocated to someone else's account, and whoever gets it would pass your allow list.
It is about this time that I really wish GitHub had support for a Private Link to AWS, Azure, and GCP.
We can't keep the traffic off the Internet, which would help thwart MITM attacks, but at least we can restrict access by source IP.
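The two cautions above (keep your own address in the list, and remove entries for resources you delete) are easy to check mechanically. Below is an added example, not code from the original post or from 2nd Sight Lab, that reconciles an organization's IP allow list against the public IPs of the NAT gateways that are still live. The inputs are constructed: a trimmed `aws ec2 describe-nat-gateways` response and allow-list entries in the shape GitHub's GraphQL `ipAllowListEntries` field returns (`allowValue`, `name`, `isActive`); the addresses and entry names are placeholders. In practice you would feed it the live CLI output and the org's real allow list and apply the results with the corresponding GraphQL mutations.

```python
"""Reconcile a GitHub organization IP allow list against the NAT gateway
public IPs that actually need access.

Added example, not code from the original post. Inputs below are constructed.
"""
import ipaddress

# Constructed: trimmed shape of `aws ec2 describe-nat-gateways` output.
DESCRIBE_NAT_GATEWAYS = {
    "NatGateways": [
        {
            "NatGatewayId": "nat-0123456789abcdef0",  # placeholder id
            "State": "available",
            "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}],
        },
        {
            "NatGatewayId": "nat-0fedcba9876543210",  # placeholder id
            "State": "deleted",  # removed resource; its EIP must not stay allowed
            "NatGatewayAddresses": [{"PublicIp": "203.0.113.11"}],
        },
    ]
}

# Constructed: the org's current allow list. 198.51.100.7 is the admin's
# workstation and must stay, or the admin locks themselves out.
GITHUB_ALLOW_LIST = [
    {"name": "admin-workstation", "allowValue": "198.51.100.7/32", "isActive": True},
    {"name": "old-nat", "allowValue": "203.0.113.11/32", "isActive": True},
]


def nat_public_ips(response, states=("available",)):
    """Public IPv4 addresses of NAT gateways in the given states (default: live only)."""
    ips = []
    for gw in response.get("NatGateways", []):
        if gw.get("State") not in states:
            continue
        for addr in gw.get("NatGatewayAddresses", []):
            if addr.get("PublicIp"):
                ips.append(addr["PublicIp"])
    return ips


def to_entry(ip):
    """GitHub stores entries as CIDR blocks; a single EIP becomes a /32."""
    return f"{ipaddress.ip_address(ip)}/32"


def is_allowed(ip, entries):
    """True if ip falls inside any active allow-list entry."""
    addr = ipaddress.ip_address(ip)
    return any(
        e["isActive"] and addr in ipaddress.ip_network(e["allowValue"], strict=False)
        for e in entries
    )


def reconcile(entries, required_ips, keep_names=()):
    """Return (to_add, to_remove).

    to_add: required IPs with no matching active entry (e.g. a new NAT EIP).
    to_remove: entries covering no required IP and not named in keep_names
               (e.g. the EIP of a NAT gateway that has since been deleted).
    """
    to_add = [to_entry(ip) for ip in required_ips if not is_allowed(ip, entries)]
    to_remove = []
    for e in entries:
        if e["name"] in keep_names:
            continue
        net = ipaddress.ip_network(e["allowValue"], strict=False)
        if not any(ipaddress.ip_address(ip) in net for ip in required_ips):
            to_remove.append(e["allowValue"])
    return to_add, to_remove


if __name__ == "__main__":
    live = nat_public_ips(DESCRIBE_NAT_GATEWAYS)
    add, remove = reconcile(GITHUB_ALLOW_LIST, live, keep_names=("admin-workstation",))
    print("NAT EIPs needing access:", live)
    print("add to GitHub allow list:", add)
    print("remove from GitHub allow list:", remove)
```

With the sample data, `reconcile` flags the live gateway's EIP for addition and the deleted gateway's EIP for removal while leaving the named admin entry alone. Run it without `keep_names` and it will tell you to remove your own workstation, which is exactly the lockout the REMEMBER note above warns about; the keep list is what turns that caution into a check.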
Create a personal access token with limited permission in GitHub
Next we want to create a personal access token associated with our GitHub account that has read only access to the repo we’ve been working with which is:
dev.rainierrhodendrons.com
By the way, Rainier Rhododendrons tells me that they are not digging rhododendrons out of the ground right now because it’s too hot and they likely won’t live. So hold your calls until the fall when it starts raining again.
But I digress.
First let's check the organization's settings for personal access tokens by clicking that option in the left menu. Here's how mine are set. I disable the old, less secure option (classic tokens). I allow fine-grained tokens but require administrator approval.

Now I, as a user in the organization, want to create a personal access token (PAT).
I click on my image for my account in the top right and choose Settings.

Scroll down and click Developer settings in the left menu.

Click on Personal access tokens and then Fine-grained tokens.

Click Generate new token.

Enter a Token name.

Under Resource owner select your organization.

Choose Only select repositories.
Under Select repositories, choose the specific repository or repositories this token can access.

Click on Repository permissions.

Next to Contents choose Read only.

Click Generate token, then copy the token value, as this is the only time you'll be able to see it.
If your organization requires approval, the token will not work until it is authorized. Return to your organization settings.
Click on Personal access tokens in the left menu, then Pending requests.
Approve the token.

Add the PAT to AWS Secrets Manager
In AWS, navigate to the Secrets Manager dashboard.
Click on the secret with the name matching the function — in my case “dockertestSecret” — and then click on Retrieve secret value.

What I realized is that because I deployed the secret with the plaintext value "test", which is not JSON, the console did not show the key/value pair view; it only appears when the secret string is a JSON object.
To fix that I set the plaintext value to {} (open and close curly braces, an empty JSON object) and saved it.
Then I could see the screen to add a new key/value pair. I named the key github_pat and added the token value.
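Before the next post wires the secret into the function, here is an added example (not the post's or 2nd Sight Lab's code; the function on this page runs bash, and this is a Python model of the same logic) of the two pieces the Lambda will need: parsing the secret string, which must be a JSON object for the console's key/value editor to appear and for the github_pat key to be found, and building a git clone command that passes the PAT as an HTTP header instead of embedding it in the clone URL, where it would be persisted in the clone's .git/config. It assumes the secret holds a github_pat key as set up above and that the repository is cloned over HTTPS; the owner example-org, the destination path and the token value are placeholders, and the sample secret strings are constructed. Fetching SecretString from Secrets Manager (get-secret-value via the CLI or boto3) is left out so the example runs offline.

```python
"""Read the GitHub PAT out of the Secrets Manager secret string and build a
git clone command that does not persist the token.

Added example, not code from the original post. Secret strings and token
values below are constructed placeholders.
"""
import base64
import json
import shlex


def parse_secret(secret_string):
    """Return the key/value dict stored in SecretString.

    Secrets Manager only offers the key/value editor when the string is valid
    JSON, which is why a plaintext value of "test" hid it in the console.
    """
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError('SecretString is not JSON; store {} or {"github_pat": "..."}') from exc
    if not isinstance(data, dict):
        raise ValueError("SecretString must be a JSON object of key/value pairs")
    return data


def get_github_pat(secret_string):
    """The github_pat value, or KeyError if the key is missing or empty."""
    pat = parse_secret(secret_string).get("github_pat")
    if not pat:
        raise KeyError("github_pat key missing or empty in secret")
    return pat


def basic_auth_header(pat):
    """HTTP Basic credential git sends to GitHub over HTTPS: any username with
    the PAT as the password (x-access-token is the conventional username)."""
    cred = base64.b64encode(f"x-access-token:{pat}".encode()).decode()
    return f"AUTHORIZATION: basic {cred}"


def clone_command(owner, repo, pat, dest):
    """argv for git clone with the credential passed via -c http.<url>.extraheader.

    Unlike https://user:TOKEN@github.com/... the token is never written into
    the clone's .git/config; it exists only for this git process.
    """
    return [
        "git",
        "-c", f"http.https://github.com/.extraheader={basic_auth_header(pat)}",
        "clone", "--depth", "1",
        f"https://github.com/{owner}/{repo}.git",
        dest,
    ]


def redacted(argv, pat):
    """Printable form of the command for logs with the credential masked."""
    cred = basic_auth_header(pat).split()[-1]
    return " ".join(shlex.quote(a.replace(cred, "***")) for a in argv)


if __name__ == "__main__":
    # Constructed secret strings: the original plaintext and the JSON form.
    for s in ("test", '{"github_pat": "github_pat_PLACEHOLDER_not_real"}'):
        try:
            pat = get_github_pat(s)
            cmd = clone_command("example-org", "dev.rainierrhodendrons.com", pat, "/tmp/site")
            print(redacted(cmd, pat))  # pass cmd to subprocess.run(cmd, check=True) to clone
        except (ValueError, KeyError) as e:
            print("secret not usable:", e)
```

Pass the list from `clone_command` straight to `subprocess.run` rather than joining it into a shell string, so the header never goes through a shell. The token still appears on the git process's command line for the life of the clone, which is acceptable inside a single-purpose container; what this avoids is the token surviving in `.git/config` in the cloned working tree.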

Next up, we will try to use the secret in our Lambda function.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2024
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity for Executives in the Age of Cloud
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Medium: Teri Radichel
❤️ Sign Up For Email
❤️ Twitter: @teriradichel
❤️ Mastodon: @[email protected]
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
