Subsections of Day 1: Basics
AWS Fundamentals Part II
You have been PWNED
Check out the web application you got up and running in the last lab. A hacker was able to find a weakness in the code running on your virtual server.

Hackers have goals like the rest of us. Once they have found a way in, they get to work on those goals. They want to create another way to access your virtual server in case you fix the current weakness. They will want to find other virtual servers or resources within your environment. Ultimately they will want to try to gain access to your cloud account itself.
Lab Overview
In this lab you will revisit some of the decisions made while rushing to get your web application up and running. Those decisions were made to remove friction and reach your goal of running the web application as quickly as possible. Keep in mind that these are the exact same decisions that cloud practitioners face every day. Keeping a cloud environment secure is a constant effort and has many dimensions.
Code: Install all the things
The first thing you did on your new virtual server was to install new software and code. You started by copying some code from GitHub, followed by adding the NodeJS runtime and the NodeJS package manager (NPM). Then, using NPM, you installed even more code, and some of that code installed even more code.
You did get a warning from NPM about vulnerabilities in some of the code you installed. To try to reduce your risk, go back to the AWS Instance Connect console where you started your web application. Press `Ctrl+X` to exit the application and run the command that npm suggests:
npm audit fix

While this didn't resolve all of the security issues, it did reduce your risk from 4 high vulnerabilities to 1 high (and one moderate).
The takeaway: all your code is built on other code, and all code comes with risk.
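Added example (not part of the lab or of npm): a small Python gate that reads the JSON report from `npm audit --json` and fails when vulnerabilities at or above a chosen severity remain, which is how you would stop a build from shipping the one high the lab ends with. The report below is constructed to mirror the lab's result; the package names are placeholders, and the `metadata.vulnerabilities` counters are assumed to be present, as they are in the npm 7+ report format.

```python
"""Gate a build on the severities reported by `npm audit --json`."""
import json

# Constructed sample of `npm audit --json` output after `npm audit fix`
# (placeholder package names; shape follows the npm 7+ report format).
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-pkg-a": {"name": "example-pkg-a", "severity": "high",
                          "fixAvailable": False, "range": "<2.0.0"},
        "example-pkg-b": {"name": "example-pkg-b", "severity": "moderate",
                          "fixAvailable": True, "range": "<1.4.2"},
    },
    "metadata": {
        "vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                            "high": 1, "critical": 0, "total": 2}
    },
})

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def severity_counts(audit_json: str) -> dict:
    """Per-severity vulnerability counts from an npm audit JSON report."""
    report = json.loads(audit_json)
    counts = report.get("metadata", {}).get("vulnerabilities")
    if counts is None:
        # No summary block: count the per-package entries instead.
        counts = {}
        for entry in report.get("vulnerabilities", {}).values():
            counts[entry["severity"]] = counts.get(entry["severity"], 0) + 1
    return {s: int(counts.get(s, 0)) for s in SEVERITY_ORDER}


def unfixable(audit_json: str) -> list:
    """Vulnerable packages for which npm reports no automatic fix;
    these are the ones that need a manual upgrade or replacement."""
    report = json.loads(audit_json)
    return sorted(name for name, entry in report.get("vulnerabilities", {}).items()
                  if not entry.get("fixAvailable"))


def audit_passes(audit_json: str, fail_at: str = "high") -> bool:
    """True when no vulnerability at or above `fail_at` severity remains."""
    threshold = SEVERITY_ORDER.index(fail_at)
    counts = severity_counts(audit_json)
    return all(counts[s] == 0 for s in SEVERITY_ORDER[threshold:])


if __name__ == "__main__":
    print(severity_counts(SAMPLE_AUDIT_JSON))
    print("needs manual attention:", unfixable(SAMPLE_AUDIT_JSON))
    print("passes at high:", audit_passes(SAMPLE_AUDIT_JSON, "high"))
```

In a pipeline you would feed the real report in with `npm audit --json > audit.json` and call `audit_passes` on the file contents; with the lab's remaining high vulnerability the gate fails, and `unfixable` tells you which package `npm audit fix` could not resolve on its own.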
Configuration: Open all the ports
The web application you set up only needed port 3000 open to receive inbound requests. Instead of taking the time to figure out which port was needed, you opened all the ports from 1000 to 6000. This was done to save time and avoid issues. The downside of this decision is that your virtual server is now accepting inbound traffic on all of those ports.
The hacker's first step will be to start a new service that lets them access your virtual server. If only ports 22 and 3000 were open, they would have to stop one of those services to use those ports, which is something you would probably notice. Having so many ports open lets the hacker simply start a service listening on port 5000, for example.
Run the command below in the Instance Connect console where you ran commands before. The `nc` command is a Unix utility called netcat. Passing the `-l` flag to netcat makes it listen for a connection over TCP or UDP on a given port.
In your browser, return to your web application page, replace the `3000` in the URL with `5000` and reload the page. Go back to the AWS Instance Connect console, where you will find that the browser was able to connect to netcat. Note that you can see which browser was used, the OS and the IP address the request came from.

The takeaway: opening too many ports is not a great idea. Be careful what you expose to the Internet!
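Added example, not from the lab: a Python check that reads the JSON returned by `aws ec2 describe-security-groups` and flags any ingress rule that opens ports beyond what the application needs to the whole Internet. The security group below is constructed to mirror the lab's mistake (`sg-0example` and `launch-wizard-1` are placeholders), and the set of required ports is the lab's own: 22 and 3000.

```python
"""Flag security group ingress rules that expose more ports than needed."""
import json

REQUIRED_PORTS = {22, 3000}            # what the lab's server actually needs
ANYWHERE = {"0.0.0.0/0", "::/0"}       # "the whole Internet" in v4 and v6

# Constructed sample resembling `aws ec2 describe-security-groups` output.
SAMPLE_SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0example",
    "GroupName": "launch-wizard-1",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 1000, "ToPort": 6000,     # the lab's mistake
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,     # internal only
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}]})


def exposed_ports(permission: dict) -> set:
    """Ports a single rule opens to the public Internet (empty if none)."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    if not any(c in ANYWHERE for c in cidrs):
        return set()
    if permission["IpProtocol"] == "-1":      # "all traffic": every port
        return set(range(0, 65536))
    return set(range(permission["FromPort"], permission["ToPort"] + 1))


def find_overexposed(sg_json: str, required: set = REQUIRED_PORTS) -> list:
    """(group id, protocol, from, to, number of unneeded ports) for every
    rule that opens ports beyond `required` to the whole Internet."""
    findings = []
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            extra = exposed_ports(perm) - required
            if extra:
                findings.append((group["GroupId"], perm["IpProtocol"],
                                 perm.get("FromPort"), perm.get("ToPort"), len(extra)))
    return findings


if __name__ == "__main__":
    for finding in find_overexposed(SAMPLE_SG_JSON):
        print("overexposed rule:", finding)
```

Against the constructed group the only finding is the 1000-6000 rule, which opens 5000 ports the application never uses; the port 22 rule is public but required, and the port 3000 rule restricted to 10.0.0.0/8 is not Internet-facing. Run the real output through it with `aws ec2 describe-security-groups --output json` and tighten the flagged rule with `aws ec2 revoke-security-group-ingress`, then authorize only the ports you need.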
Identity: Grants all the permissions
Recall that you needed to allow your web application to access a shared database. To allow this access you attached the admin role directly to your virtual server. In AWS, users and resources can have roles attached that allow them to access and manage cloud resources. Let's explore a few of the issues with granting so many privileges.
The main goal of a hacker is to gain greater access, either to other virtual servers or, better yet, to your cloud account. Getting existing credentials would be great; if those credentials could be used to create a new user, even better.
AWS runs an internal service called the metadata service. The metadata service is designed to allow discovery of details about virtual servers. These details include the role and permissions assigned to the server.
The first command below creates a token that we will use to query the metadata service. The next command returns the name of the role assigned to your virtual server.
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -v -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/; echo ""

Replace `<ROLE_NAME>` in the command below with the role name returned by the previous command. The output will include a set of AWS security credentials (`AccessKeyId`, `SecretAccessKey` and `Token`).
curl -v -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE_NAME>
These credentials can be used by an attacker to perform any action the role can. As you might recall, we gave this role admin privileges. The attacker's goal of moving from your virtual server to your cloud account is achieved.
The takeaway: grant the least permissions you can to a resource or user.
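Added example, not part of the lab: a Python audit that looks for the two conditions this section relied on, an instance that still answers IMDSv1 requests (no token required) and an instance role with the AWS-managed `AdministratorAccess` policy attached. It reads the JSON shapes of `aws ec2 describe-instances` (`MetadataOptions`, `IamInstanceProfile`) and `aws iam list-attached-role-policies`. The instance IDs, account number, role names and the non-AWS policy ARN are constructed placeholders, and the mapping from instance profile to role assumes the common case where both share a name.

```python
"""Audit EC2 instances for IMDSv1 exposure and admin instance roles."""
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # AWS-managed policy

# Constructed sample of `aws ec2 describe-instances` (placeholder IDs and ARNs).
SAMPLE_INSTANCES_JSON = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaa", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/LabAdminRole"}},
    {"InstanceId": "i-0bbbb", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/WebAppRole"}},
]}]})

# Constructed: role name -> `aws iam list-attached-role-policies` output.
SAMPLE_ROLE_POLICIES = {
    "LabAdminRole": {"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}]},
    "WebAppRole": {"AttachedPolicies": [
        {"PolicyName": "WebAppDynamoRead",
         "PolicyArn": "arn:aws:iam::123456789012:policy/WebAppDynamoRead"}]},
}


def role_name_from_profile_arn(arn: str) -> str:
    """Assumes the instance profile and its role share a name, which is the
    case when the console creates the profile for you."""
    return arn.rsplit("/", 1)[-1]


def audit_instances(instances_json: str, role_policies: dict) -> dict:
    """Map each instance ID to a list of findings (an empty list is clean)."""
    findings = {}
    for reservation in json.loads(instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            issues = []
            md = inst.get("MetadataOptions", {})
            if md.get("HttpEndpoint", "enabled") == "enabled":
                if md.get("HttpTokens") != "required":
                    issues.append("IMDSv1 allowed: HttpTokens is not 'required'")
                if md.get("HttpPutResponseHopLimit", 1) > 1:
                    issues.append("IMDS hop limit > 1: token responses can travel beyond the host")
            profile_arn = inst.get("IamInstanceProfile", {}).get("Arn")
            if profile_arn:
                role = role_name_from_profile_arn(profile_arn)
                attached = role_policies.get(role, {}).get("AttachedPolicies", [])
                if any(p["PolicyArn"] == ADMIN_POLICY_ARN for p in attached):
                    issues.append(f"role {role} has AdministratorAccess attached")
            findings[inst["InstanceId"]] = issues
    return findings


if __name__ == "__main__":
    for instance_id, issues in audit_instances(SAMPLE_INSTANCES_JSON, SAMPLE_ROLE_POLICIES).items():
        print(instance_id, issues or "OK")
```

The constructed `i-0aaaa` gets all three findings and `i-0bbbb` none. Two caveats a practitioner should keep in mind: requiring IMDSv2 with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1` blocks the simpler request-forgery paths to the metadata service, but the lab's own commands already use the token flow, so code running on the server can still read the role's credentials; the durable fix is the least-privilege role the takeaway calls for. Credential use from outside the instance also shows up in CloudTrail as the role's session calling APIs from an unfamiliar IP, which is the kind of deviation a cloud monitoring product is built to alert on.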
Cloud Security is tough
The cloud has changed how teams work. It has enabled engineering teams to move quickly, scale services massively and outpace other teams like operations and security. Hopefully you have seen how seemingly small decisions can have big impacts on the security posture of your cloud environment. This is where products like FortiCNAPP can help, by giving teams visibility into their cloud security posture.
AWS Command Line Basics
Lab Overview
The goal of this lab is to learn the basics of the AWS command line interface (CLI). You have already seen how you can use the AWS Web Console to create and manage cloud resources. Everything you can do with the Web Console you can do with the CLI. One advantage of the CLI is that you can build automation around tasks like creating users and fetching lists of virtual servers.
Log into AWS Console
Before we can do anything you will need to access the AWS web console in your browser. The login details for your lab-provided AWS account are on the left-hand side of the lab. Each field has a copy link you can use.
Click on the `Open Console` link.
Copy/paste the `Username` and `Password` and click `Sign In`.

Connect to FortiCNAPPUbuntu
Connect to the FortiCNAPPUbuntu instance that was created automatically for you.

Use the AWS CLI
The AWS Command Line Interface (CLI) is a tool that enables users to interact with AWS services using command-line commands. It provides a direct way to manage AWS resources without needing to use the AWS Management Console.
Installing AWS CLI
Before using the AWS CLI, ensure it is installed on your EC2 instance. You can check whether the AWS CLI is installed with:
aws --version
If it is not installed, install it using the following commands (for the Ubuntu instance used in this lab):
sudo apt update
sudo apt install unzip -y
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -qq awscliv2.zip
sudo ./aws/install
Now run `aws --version` again to confirm the installation.
Configuring AWS CLI
Once installed, you need to configure the AWS CLI with your credentials. Use the following command:
aws configure
You will be prompted to enter:
- AWS Access Key ID
- AWS Secret Access Key
- Default Region Name (e.g., `us-east-1`, `us-west-2`)
- Default Output Format (`json`, `text`, or `table`)
Use `us-east-1` as the region.
This stores the credentials in `~/.aws/credentials` and the configuration in `~/.aws/config`.
Basic AWS CLI Commands
Check Current AWS Identity
To verify the credentials are working, run:
aws sts get-caller-identity
This should return details about your IAM user or role.
List the Policies Attached to the Lab Role
aws iam list-attached-role-policies --role-name us-east-1CloudLabRole
List Available Regions
To see all AWS regions:
aws ec2 describe-regions --output table
EC2 Instance Management
List All EC2 Instances
aws ec2 describe-instances
Press `q` to exit the pager and return to the terminal.
aws ec2 describe-instances | jq
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress]' --output json
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress]' --output table
Instead of manually specifying the instance ID, we can extract it dynamically. Note that with `--output text` this query returns every instance ID in the region, separated by whitespace, so it only yields a single ID when one instance exists:
INSTANCE_ID=$(aws ec2 describe-instances --query 'Reservations[*].Instances[*].InstanceId' --output text)
echo "Your Instance ID is: $INSTANCE_ID"
S3 Bucket Operations
We will use a predefined S3 bucket, `training-bucket-demo`, and a sample file, `sample.txt`.
List All S3 Buckets
aws s3 ls
IAM User and Role Management
List IAM Users
aws iam list-users
Create a New IAM User
aws iam create-user --user-name trainee-user
This command is expected to fail: your role does not allow you to create users.
Conclusion
These are just a few essential AWS CLI commands to get started. The AWS CLI is powerful and can manage almost all AWS services directly from the terminal. To explore more, refer to the official AWS CLI documentation:
📌 AWS CLI Reference Guide
In this lab you will learn the basics of DevOps using Terraform to provision cloud resources. To keep it simple, you will access a virtual server running in AWS with the tools and configuration already set up. You will download an Infrastructure as Code (IaC) file. You will then execute a few commands, and two new virtual servers, a virtual private cloud and its networking will be set up. Finally you will confirm that these resources exist in the AWS EC2 console.
In the previous lab you used the AWS Web Console to deploy a single virtual server. This is often referred to as ClickOps. ClickOps is a great way to create a small set of resources for learning or testing, but it is not an ideal way to create full production environments that may have many, many services. Imagine you need to create a hundred virtual servers spread over availability zones and regions. This is where IaC tools like Terraform come in.
Using Terraform you define the cloud resources you want as code. Running Terraform then creates all of those resources: virtual servers, networks, security groups, storage assets, users and much more. If you later need to change those resources, update your IaC code and rerun Terraform to apply the changes. And if none of those resources are needed anymore, you can have Terraform destroy them.
Terraform is part of a modern software development movement known as DevOps. DevOps combines two separate concerns, operations and development, and lets these two teams, with their different concerns, work together to achieve business objectives faster.
Log into AWS Console
The login details for your lab-provided AWS account are on the left-hand side of the lab. Each field has a copy link you can use.
Click on the `Open Console` link.
Copy/paste the `Username` and `Password` and click `Sign In`.

Access a Virtual Server running in EC2
EC2 is an AWS service that makes it easy to create virtual servers in the cloud. When moving from an on-prem data center to the cloud, EC2 is often part of a 'lift and shift' project. Each virtual server in EC2 is analogous to a physical server running in your own data center.
Click on (or search for) `EC2`.
Click on `Instances (running)` to see a list of the virtual machines currently running.
Select the checkbox next to `FortiCNAPP-UbuntuInstance` and then click on `Connect`.
Use the `EC2 Instance Connect` connection type and click `Connect`.
Instance Connect will launch and you will be logged into your own virtual server running in AWS. From here you will be able to run commands on the virtual server.

Great, with access to the virtual server let’s run some commands!
Create a new directory for your Terraform project, then download the IaC file into it:
cd ~
mkdir terraform
curl https://raw.githubusercontent.com/Ahmed-AG/basic-page/refs/heads/main/ec2.tf > ~/terraform/ec2.tf

Review the IaC file
Take a moment to examine the IaC file to see what we are asking Terraform to create. The `cat` command will output the file so you can read it:
cat ~/terraform/ec2.tf
Here is a review of the resources we will create:
- VPC
- Subnets
- A group of instances
Run `terraform --version` to verify that you have Terraform installed:
terraform --version
If Terraform is not installed, install it by following the instructions at https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli#install-cli
Then test again:
terraform --version
This initializes the Terraform project and downloads necessary providers:
cd ~/terraform
terraform init


This previews the changes Terraform will make:
terraform plan
This creates the resources:
terraform apply
Confirm the action when prompted by typing `yes`.

Verifying the Deployment
Once applied, you can check the virtual machine in the AWS console and examine the EC2 service. View the instances and the VPCs

Destroying the Infrastructure
To clean up resources, run:
terraform destroy
Confirm the action when prompted by typing `yes`.

Conclusion
You have successfully run Terraform and deployed an AWS VPC and virtual servers using Infrastructure as Code! Next steps would be to learn what other resources you can manage with Terraform, how to make changes to existing Terraform-managed resources and what you can do with other clouds like Google and Azure.
Subsections of Day 2: FortiCNAPP Basics
FortiCNAPP Agent
Lab Overview
In this lab you will perform manual steps to get the FortiCNAPP Linux agent set up on a virtual server running in AWS EC2. To complete these steps you will have to log into FortiCNAPP and get the agent install script download link. You will then log into your lab-provided AWS account, where a virtual server has been pre-provisioned. Using EC2 Instance Connect you will gain access to the virtual server and run a series of commands to get the FortiCNAPP agent installed.
Why use the FortiCNAPP Linux Agent?
The FortiCNAPP agent provides a variety of benefits from a security perspective. FortiCNAPP features fall under two broad buckets: Risks and Threats. Risks are any existing misconfigurations or vulnerabilities on your virtual server. Threats are active behavior that is using your Risks to gain access to your cloud or compute resources.
On the Risks side, the FortiCNAPP agent scans well-defined directories looking for vulnerable code libraries and operating system packages. The agent also scans for binary artifacts that might be used by attackers, like Metasploit.
On the Threats side, the FortiCNAPP agent watches for anomalous runtime behavior like new applications being started, changes to files and inbound/outbound network activity.
Together these signals can help determine if a virtual server has been breached, what the attacker did and possible weaknesses that enabled the breach.
Access FortiCNAPP
The first step will be to gain access to the `FORTICNAPP-LAB` tenant in the `partner-demo` org.
Log into FortiCNAPP using Magic Link
Open the link below in a browser:
https://partner-demo.lacework.net
Enter your Fortinet email address and click `Get sign in link`.
Check your email for a message from Lacework (now known as FortiCNAPP). The email will contain a link that will allow you to log into the FortiCNAPP tenant.
Click on `Sign in` to gain access to the partner-demo tenant.
Ensure that you are using the `FORTICNAPP-LAB` tenant. You have been added to this tenant as an admin. Using the wrong tenant can cause issues due to lack of permissions.

Review and Select Agent Installation Method
Excellent! Now that you have gained access to the `FORTICNAPP-LAB` tenant, let's see what options we have to set up a FortiCNAPP agent.
Find the Agent token and install options
Using the left-hand navigation, browse to `Settings` -> `Agent Tokens`.

Review agent installation options
Click on the `Lab Token` to bring up the fly-out panel on the right side of the page. Each token has a unique identifier the agent uses when sending up metrics, as well as when fetching runtime configuration from the FortiCNAPP back end.
The default `Detail` page shows the token and other basic details. You can also review the configuration options, but please do not make any changes!
Click on `Install` to see all the options there are to install an agent. There are links to release details and documentation for the FortiCNAPP agent that can provide more information.

Copy the install script for later use
Click on the `Copy URL` link. The link to download a script, with the agent token baked in, will be in your copy buffer. Paste the link into a text file locally for use in a future step.
Feel free to also use the `Download script` link to get the full script on your own computer if you want to review it.

Log into AWS Console
The login details for your lab-provided AWS account are on the left-hand side of the lab. Each field has a copy link you can use.
Click on the `Open Console` link.
Copy/paste the `Username` and `Password` and click `Sign In`.

Access a Virtual Server running in EC2
EC2 is an AWS service that makes it easy to create virtual servers in the cloud. When moving from an on-prem data center to the cloud, EC2 is often part of a 'lift and shift' project. Each virtual server in EC2 is analogous to a physical server running in your own data center.
Click on (or search for) `EC2`.
Click on `Instances (running)` to see a list of the virtual machines currently running.
Select the checkbox next to `FortiCNAPP-UbuntuInstance` and then click on `Connect`.
Use the `EC2 Instance Connect` connection type and click `Connect`.
Instance Connect will launch and you will be logged into your own virtual server running in AWS. From here you will be able to run commands on the virtual server.

Install FortiCNAPP Agent
Now that you have access to execute commands on a virtual server running in AWS EC2 let’s get the FortiCNAPP agent installed and configured.
Recall the install script URL you copied for later use
Find the URL you copied from the Agent Token panel in FortiCNAPP. Now is the time to use it!
Run commands on your virtual server
The first command we are going to run is `wget`. This command takes a single parameter, the URL of the install script. Once run, `wget` will download the script from GitHub and save it on the virtual server as a file named `install.sh`.
wget REPLACE_WITH_YOUR_AGENT_INSTALL_URL
Next you will need to run `chmod` to make `install.sh` executable. This will allow us to run the script on the virtual server.
chmod +x install.sh
Finally you will run the `install.sh` script as the root user using the `sudo` command. The `sudo` command allows the script to make changes to the virtual server as a user with elevated privileges.
sudo ./install.sh
Running `install.sh` will download the FortiCNAPP agent to your virtual server and set up a config file that includes the agent token. Once the script completes, the agent should be up and running. Metrics will be collected and sent to the FortiCNAPP backend.
Confirm Agent is running
You can run these commands to see that the agent is up and running.
See the status of the agent
sudo /var/lib/lacework/datacollector -status
Review the log from the agent. The logs can be used to troubleshoot issues.
tail /var/log/lacework/datacollector.log
Review and next steps
Congratulations! You have enabled runtime visibility for a virtual server running in AWS EC2. With the agent running you will get insights into the behavior of this server.
After FortiCNAPP creates a baseline of normal behavior alerts will be generated for anomalous behavior like new application running, file change and network activity.
Once the agent has collected data for 15 minutes you should be able to find your agent in the `Agents` page in FortiCNAPP.
Next steps would be to learn how to set up the agent as part of a CI/CD pipeline, or to bake the agent into a private AWS server image. These types of steps ensure that the FortiCNAPP agent is installed as part of the normal deployment mechanisms and remove the manual process we just went through.
FortiCNAPP Cloud Integration
Lab Overview
In this lab you will perform manual steps to get the FortiCNAPP cloud integration set up in AWS. To complete these steps you will log into the AWS Console in a web browser. You will then log into FortiCNAPP and find the various options for integrating with cloud providers. You will choose AWS CloudFormation as the installation option. CloudFormation is an Infrastructure as Code (IaC) declarative language developed by AWS to manage cloud resources. You will then follow a link from FortiCNAPP that takes you into the CloudFormation service in AWS, where you will run the CloudFormation code to set up the integration. Once complete, your cloud account will have a trust relationship with FortiCNAPP's AWS account that allows gathering activity logs and configuration details. FortiCNAPP will process this data in its back end to baseline what is normal for your cloud deployment. Then FortiCNAPP will be able to alert you to deviations from normal behavior in your cloud environment.
Why Integrate a cloud account with FortiCNAPP?
The FortiCNAPP cloud integration provides a variety of benefits from a security perspective. FortiCNAPP features fall under two broad buckets: Risks and Threats. Risks are any existing misconfigurations or vulnerabilities in your cloud account. Threats are active behavior that is using your Risks to gain access to your cloud or compute resources.
On the Risks side, FortiCNAPP analyzes all of your cloud configurations to look for issues that could allow an attacker to gain access, or to escalate their privileges once they have breached the account. This includes the configuration of AWS services like data stores and networks, as well as the entitlements granted to users and roles.
On the Threats side, FortiCNAPP watches for changes in cloud activity from the normal baseline. This includes activities like creating a new user, deploying resources to a new region or an existing user logging in from a new location.
Together these signals can help determine whether your cloud account has been breached, what the attacker did and which misconfigurations enabled the breach.
Log into AWS Console
The login details for your lab-provided AWS account are on the left-hand side of the lab. Each field has a copy link you can use.
Click on the `Open Console` link.
Copy/paste the `Username` and `Password` and click `Sign In`.

Access FortiCNAPP
The first step will be to gain access to the `FORTICNAPP-LAB` tenant in the `partner-demo` org.
Log into FortiCNAPP using Magic Link
Open the link below in a browser:
https://partner-demo.lacework.net/ui
Enter your Fortinet email address and click `Get sign in link`.
Check your email for a message from Lacework (now known as FortiCNAPP). The email will contain a link that will allow you to log into the FortiCNAPP tenant.
Click on `Sign in` to gain access to the partner-demo tenant.
Ensure that you are using the `FORTICNAPP-LAB` tenant. You have been added to this tenant as an admin. Using the wrong tenant can cause issues and the integration may not work.

Review and Select Cloud Integration Method
Excellent! Now that you have gained access to the `FORTICNAPP-LAB` tenant, let's get your AWS cloud account integrated with FortiCNAPP.
Cloud integration setup options
Using the left-hand navigation, browse to `Settings` -> `Cloud account` and click on `+ Add New`.

Next expand `Amazon Web Services`, select `CloudFormation` and click `Next`.

Click on `Run CloudFormation Template`, which will open AWS CloudFormation with a new template ready to be run. You can download the CloudFormation script to your computer if you want to review it.

Here you can see that the stack is ready to create. The template to be used has already been made available in an AWS S3 storage bucket.
Click on `Next` to continue creating the CloudFormation stack.

Here you can specify some details for the CloudFormation stack, like the name, resource prefixes and other details.
Click on `Next` to continue creating the CloudFormation stack.

Here you can specify even more details for the CloudFormation stack, like tags, permissions via a role and failure behavior.
Check the box to acknowledge the creation of resources and then click on `Next`.

Finally, review the details of the stack you are about to create.
Click the `Submit` button.

Now the CloudFormation stack will run. This sets up the cross-account permissions that allow logs and config data from your cloud account to be sent to the FortiCNAPP AWS account for collection and processing.
The whole process will take around 5 minutes to complete.

Review and next steps
Congratulations! You have set up cloud configuration and activity monitoring for your AWS account. This is the first step to gaining visibility of your cloud security posture.
After FortiCNAPP creates a baseline of normal behavior, alerts will be generated for anomalous behavior like a new AWS region being used, storage resources being deleted and networks being exposed to the internet.
Once the stack is done, head back over to FortiCNAPP, `Settings` -> `Cloud account`, and search using your AWS account ID. Since everyone is using the same FortiCNAPP tenant there will be many integrations set up.
https://partner-demo.lacework.net/ui/investigation/settings/cloudaccounts

Next steps would be to learn other ways to set up the cloud integration, such as using Terraform, how to run the integration with other clouds, and how to remove the integrations.
FortiCNAPP vCPU Sizing
Lab Overview
Probably one of the biggest questions you will get when talking to a new customer is: So, what will it cost? FortiCNAPP uses consumption-based pricing (for most of the product). The inventory script is here to help understand how many vCPUs are currently being used in a cloud account.
Note that you will be running this script on a virtual server that has the correct permissions and tooling already set up. In order to run this script with a customer, they will need the AWS CLI and credentials with permission to enumerate EC2 VMs.
Log into AWS Console
The login details for your lab-provided AWS account are on the left-hand side of the lab. Each field has a copy link you can use.
Click on the `Open Console` link.
Copy/paste the `Username` and `Password` and click `Sign In`.

Access a Virtual Server running in EC2
EC2 is an AWS service that makes it easy to create virtual servers in the cloud. When moving from an on-prem data center to the cloud, EC2 is often part of a 'lift and shift' project. Each virtual server in EC2 is analogous to a physical server running in your own data center.
Click on (or search for) `EC2`.
Click on `Instances (running)` to see a list of the virtual machines currently running.
Select the checkbox next to `FortiCNAPP-UbuntuInstance` and then click on `Connect`.
Use the `EC2 Instance Connect` connection type and click `Connect`.
Instance Connect will launch and you will be logged into your own virtual server running in AWS. From here you will be able to run commands on the virtual server.

RTFM (or the README in this case)
Let's start by visiting the GitHub README for the sizing scripts:
https://github.com/lacework-dev/scripts/tree/main/bash
Run the script already
All we need for this lab is the AWS inventory script. Below are the commands to download the script and make it executable.
curl -o lw_aws_inventory.sh https://raw.githubusercontent.com/lacework-dev/scripts/refs/heads/main/bash/lw_aws_inventory.sh
chmod +x lw_aws_inventory.sh
You can run this script without any arguments and it will search over all the regions in AWS. To make the script run quicker, you will limit it to the `us-east-1` region. This is the only region where virtual servers are running for this lab.
./lw_aws_inventory.sh -r us-east-1

As you can see, the script only found a single vCPU: the one you are using to run the script itself!
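Added example, not the lab's inventory script: a Python version of the two things this course does with `aws ec2 describe-instances` output, the `--query` projection of `[InstanceId, State.Name, PublicIpAddress]` from the CLI lab and a vCPU total of the kind the sizing script reports. The total is computed as `CpuOptions.CoreCount * ThreadsPerCore` over running instances only, which is a design choice of this example rather than the script's method; the JSON is constructed and its instance IDs and addresses are placeholders.

```python
"""Project instance fields and total vCPUs from `aws ec2 describe-instances`."""
import json

# Constructed sample of `aws ec2 describe-instances` output (placeholder IDs/IPs),
# spread over two reservations the way the real API returns it.
SAMPLE_DESCRIBE_JSON = json.dumps({"Reservations": [
    {"Instances": [
        {"InstanceId": "i-0aaaa", "InstanceType": "t3.micro",
         "State": {"Name": "running"}, "PublicIpAddress": "198.51.100.10",
         "CpuOptions": {"CoreCount": 1, "ThreadsPerCore": 2}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0bbbb", "InstanceType": "t3.small",
         "State": {"Name": "running"}, "PublicIpAddress": "198.51.100.11",
         "CpuOptions": {"CoreCount": 1, "ThreadsPerCore": 2}},
        {"InstanceId": "i-0cccc", "InstanceType": "m5.large",
         "State": {"Name": "stopped"},            # stopped: no public IP, not billed as running
         "CpuOptions": {"CoreCount": 1, "ThreadsPerCore": 2}},
    ]},
]})


def instances(describe_json: str):
    """Flatten Reservations[*].Instances[*] into one iterator."""
    for reservation in json.loads(describe_json)["Reservations"]:
        yield from reservation["Instances"]


def summarize(describe_json: str) -> list:
    """Same rows as the lab's --query: [InstanceId, State.Name, PublicIpAddress].
    PublicIpAddress is absent for stopped instances, so it comes back as None."""
    return [[i["InstanceId"], i["State"]["Name"], i.get("PublicIpAddress")]
            for i in instances(describe_json)]


def instance_ids(describe_json: str) -> list:
    """Every ID the region holds; with more than one instance the lab's
    INSTANCE_ID variable would contain all of these, not a single value."""
    return [i["InstanceId"] for i in instances(describe_json)]


def running_vcpus(describe_json: str) -> int:
    """vCPUs of running instances: CoreCount * ThreadsPerCore per instance."""
    total = 0
    for i in instances(describe_json):
        if i["State"]["Name"] != "running":
            continue
        cpu = i.get("CpuOptions", {})
        total += cpu.get("CoreCount", 0) * cpu.get("ThreadsPerCore", 1)
    return total


if __name__ == "__main__":
    for row in summarize(SAMPLE_DESCRIBE_JSON):
        print(row)
    print("instance ids:", instance_ids(SAMPLE_DESCRIBE_JSON))
    print("running vCPUs:", running_vcpus(SAMPLE_DESCRIBE_JSON))
```

Against the constructed data the two running t3 instances contribute 2 vCPUs each, for a total of 4, and the stopped m5.large is left out. To run it on real output, save `aws ec2 describe-instances --region us-east-1 --output json` to a file and pass its contents to `running_vcpus`; whether stopped instances should count toward a sizing estimate is a question to settle with the customer, since the script here excludes them by design.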
Want to get advanced?
Let's deploy a few more virtual servers and re-run the script to ensure it can count past one! You will speed-run the Terraform portion of the lab from the first day. All the tooling and permissions should already be set up.
cd ~
curl https://raw.githubusercontent.com/Ahmed-AG/basic-page/refs/heads/main/ec2.tf > ~/ec2.tf
terraform init
terraform apply -auto-approve
Re-run the script to see the new vCPUs
Super, now you have two more VMs up and running in your region. Re-run the inventory script and it should notice them.
./lw_aws_inventory.sh -r us-east-1

Wrap up
Next steps would be to try running the script when everything is not already set up. Start by setting up the AWS CLI locally, configuring it with credentials and running the sizing script.
Hopefully this will help when the deal starts to come down to how much it will cost.