Alibaba Cloud - Nuclei Templates v10.1.1 🎉

We're excited to announce Nuclei Templates release v10.1.1! This version adds new Alibaba Cloud Config Review templates. In this blog post, we'll cover automating Alibaba Cloud misconfiguration review, creating custom checks, and sharing results on PDCP Cloud for review.

An Alibaba Cloud Configuration Security Review is essential for assessing and improving the security of your cloud infrastructure. It ensures that your resources are configured correctly, compliant with regulations, and aligned with best security practices.

For those particularly interested in using the Alibaba Cloud Config templates, feel free to skip to the end of the blog.

Key areas of focus during the review include:

  • Access Control: Verifying the principle of least privilege by reviewing user roles and permissions. Ensuring that Multi-Factor Authentication (MFA) is enabled for privileged accounts.
  • Resource Management: Ensuring that resource locks are in place and that logging for critical resource changes is enabled for traceability.
  • Network Security: Reviewing Security Groups and VPC configurations to restrict unnecessary access and ensure secure communication.
  • Compliance: Ensuring adherence to industry regulations like PCI-DSS, GDPR, or HIPAA, and verifying audit logging and retention settings.
  • Security Best Practices: Enforcing data encryption, secure communication protocols, and protecting against vulnerable services.

To simplify this process, we’ve created Nuclei templates in YAML format that automatically check these critical areas. These templates allow you to quickly assess the security configuration of your Alibaba Cloud environment and generate actionable reports with remediation suggestions.

By using these templates, you can streamline your security review, ensuring your cloud resources are well-protected and compliant with industry standards.

What are Code Protocol Templates?

Nuclei empowers users to execute external code on the host operating system, granting security researchers, pentesters, and developers the flexibility to expand its capabilities beyond standard protocol-based testing. This functionality enables interaction with the underlying OS, facilitating the execution of custom scripts or commands for a diverse array of tasks including system configurations, file operations, and network interactions. Such control and adaptability empower users to customize their security testing workflows to meet precise needs. Explore the Code protocol templates in our documentation for more details.

Because code templates execute commands on the host, they are not included in default scans and must first be signed with your own keys. Sign them with the -sign flag; after signing, run them by passing the -code flag.

In the example below, we run an aliyun command directly from the template. Unlike other templates, which execute against target hosts, this one runs the command on our own host.

```yaml
id: alibaba-cloud-code-env

info:
  name: Alibaba Cloud Environment Validation
  author: DhiyaneshDK
  severity: info
  description: |
    Checks if Aliyun CLI is set up and all necessary tools are installed on the environment.
  reference:
    - https://github.com/aliyun/aliyun-cli
  metadata:
    max-request: 3
    verified: true
  tags: cloud,devops,aliyun,alibaba,alibaba-cloud-config

variables:
  region: "cn-hangzhou"

# All three checks must pass for the template to match
flow: code(1) && code(2) && code(3)

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      aliyun sts GetCallerIdentity

    matchers:
      - type: word
        internal: true
        words:
          - '"UserId":'

    extractors:
      - type: json
        name: account
        internal: true
        json:
          - '.AccountId'

  - engine:
      - sh
      - bash
    source: |
      jq --version >/dev/null 2>&1 && echo "jq is installed." || echo "jq is not installed."

    matchers:
      - type: word
        words:
          - "jq is installed"

  - engine:
      - sh
      - bash
    source: |
      ossutil --version >/dev/null 2>&1 && echo "ossutil is installed." || echo "ossutil is not installed."

    matchers:
      - type: word
        words:
          - "ossutil is installed"

    extractors:
      - type: dsl
        dsl:
          - '"Aliyun CLI is properly configured for account \"" + account + "\" and all the necessary tools required are installed."'
```

Example #1:

In this example, we’ll create a Nuclei template to identify Alibaba Cloud RAM users who have console access but do not have Multi-Factor Authentication (MFA) enabled. This is an important security check as it ensures that an additional layer of protection is enforced for users accessing sensitive cloud resources.

We have set the template to be self-contained (self-contained: true) because it operates independently of a specific host. The template interacts with Alibaba Cloud's RAM service to fetch and analyze user configurations for MFA settings.

Code Breakdown

The template begins with two code blocks to interact with Alibaba Cloud APIs:

  1. In the first code block, we execute the aliyun ram ListUsers --region $region command to retrieve all the RAM users within the specified region (cn-hangzhou). The json extractor is used to capture the usernames of all the RAM users and store them in the variable username.
  2. The second code block checks whether MFA is required for each user. The command aliyun ram GetLoginProfile --UserName $user --region $region is executed for each username. If MFA is not enabled for the user ("MFABindRequired": false), we extract this information and label it as a potential security concern with the message "MFA For RAM Users With Console Password is Disabled".

Flow and Execution

The template uses a flow to control the execution sequence:

  • code(1) fetches the list of users from Alibaba Cloud RAM.
  • code(2) iterates through each user and checks if MFA is required for console access.
  • If MFA is disabled, a message is triggered, and the user is flagged for remediation.

```yaml
id: mfa-console-password-disabled

info:
  name: MFA For RAM Users With Console Password - Disabled
  author: DhiyaneshDK
  severity: medium
  description: |
    MFA (Multi-Factor Authentication) for RAM users with console password is currently disabled, meaning users can access the console without requiring a second form of authentication. This configuration reduces security by not enforcing an additional layer of protection beyond the password.
  impact: |
    Disabling MFA for RAM users with console passwords exposes accounts to a higher risk of unauthorized access through credential compromise. This weakens the overall security posture of the cloud environment.
  remediation: |
    Enable MFA for RAM users by configuring virtual MFA devices in the Alibaba Cloud Console. Ensure all users with console passwords are required to use MFA for enhanced account security.
  reference:
    - https://www.alibabacloud.com/help/en/ram/user-guide/bind-an-mfa-device-to-a-ram-user
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/ram-user-multi-factor-authentication-enabled.html
  metadata:
    max-request: 1
    verified: true
  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-ram

variables:
  region: "cn-hangzhou"

flow: |
  code(1)
  for(let UserName of iterate(template.username)){
    set("user", UserName)
    code(2)
  }
self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      aliyun ram ListUsers --region $region
    extractors:
      - type: json
        name: username
        internal: true
        json:
          - '.Users.User[].UserName'

  - engine:
      - sh
      - bash
    source: |
      aliyun ram GetLoginProfile --UserName $user --region $region
    matchers:
      - type: word
        words:
          - '"MFABindRequired": false'

    extractors:
      - type: dsl
        dsl:
          - '"MFA For RAM Users With Console Password is Disabled "'
```

Example #2:

This template checks Alibaba Cloud RAM (Resource Access Management) to identify if the password policy is not configured or set with a password expiration greater than 90 days, which could lead to security risks from weak or outdated passwords.

```yaml
id: password-policy-expiration-unconfigured

info:
  name: RAM Password Policy Expiration - Unconfigured
  author: DhiyaneshDK
  severity: medium
  description: |
    The Alibaba Cloud RAM Password Policy is unconfigured, leaving user accounts vulnerable to weak or expired passwords. This lack of a configured policy may lead to potential unauthorized access due to weak password management.
  impact: |
    Unconfigured Alibaba RAM password expiration policy increases the risk of compromised accounts due to long-lived credentials. It also fails to meet compliance requirements for secure password management.
  remediation: |
    Enable a password expiration policy in RAM with a defined expiration period (e.g., 90 days). Combine it with strong password rules to enforce regular updates and enhance security.
  reference:
    - https://www.alibabacloud.com/help/en/ram/user-guide/configure-a-password-policy-for-ram-users
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-password-expiration-policy.html
  metadata:
    max-request: 1
    verified: true
  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-ram

variables:
  region: "cn-hangzhou"

self-contained: true

code:
  - engine:
      - sh
      - bash

    source: |
      aliyun ram GetPasswordPolicy --region $region

    # Either condition is a finding: an expiration longer than 90 days, or a value of 0,
    # which means passwords never expire (the policy is unconfigured).
    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - '"MaxPasswordAge":\s*(9[1-9]|[1-9][0-9]{2,})\b'  # Matches values greater than 90

      - type: regex
        regex:
          - '"MaxPasswordAge":\s*0\b'  # Matches 0 (never expires); \b prevents matching 0 as a prefix

    extractors:
      - type: dsl
        dsl:
          - '"RAM Password Policy Expiration is Unconfigured or Greater than 90 Days"'
```

Example #3:

This template checks if encryption in transit is disabled for Alibaba Cloud RDS instances, which can expose data transmissions to potential interception and unauthorized access.

```yaml
id: encryption-intransit-disabled

info:
  name: RDS Encryption in Transit - Disabled
  author: DhiyaneshDK
  severity: high
  description: |
    Encryption in transit for Alibaba Cloud RDS is disabled, exposing data transmission to potential interception and unauthorized access.
  impact: |
    Disabling encryption in transit can expose sensitive data during communication, increasing the risk of unauthorized interception and data breaches.
  remediation: |
    Enable SSL/TLS encryption for Alibaba Cloud RDS instances to secure data in transit. This can be configured via the Alibaba Cloud console or CLI.
  reference:
    - https://www.alibabacloud.com/help/en/rds/apsaradb-rds-for-mysql/configure-ssl-encryption-for-an-apsaradb-rds-for-mysql-instance
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-encryption-in-transit.html
  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-rds

# $region is referenced by both commands below, so it needs a definition
variables:
  region: "cn-hangzhou"

flow: |
  code(1)
  for(let DBInstanceId of iterate(template.dbinstanceid)){
    set("instance", DBInstanceId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      aliyun rds DescribeDBInstances --region $region
    extractors:
      - type: json
        name: dbinstanceid
        internal: true
        json:
          - '.Items.DBInstance[].DBInstanceId'

  - engine:
      - sh
      - bash
    source: |
      # "instance" is the single ID set by the flow loop; "dbinstanceid" is the whole extracted list
      aliyun rds DescribeDBInstanceSSL --DBInstanceId $instance --region $region
    matchers:
      - type: word
        words:
          - '"SSLEnabled": "No"'

    extractors:
      - type: dsl
        dsl:
          - 'instance + " RDS Encryption in Transit is Disabled "'
```

Check out all the other Alibaba Cloud templates by visiting the Nuclei Templates GitHub repository.

Custom Alibaba Cloud Config Review Templates for Advanced Use Cases

Custom Alibaba Cloud security checks tailored to advanced use cases allow security teams, penetration testers, and DevOps professionals to enhance the security posture of their cloud environments. Below are some specific scenarios where creating custom Alibaba Cloud Nuclei templates can prove invaluable:

  1. Elastic Load Balancer (ELB) Configuration Checks: For organizations leveraging Alibaba Cloud ELB, custom templates can ensure secure load balancer configurations. For example, a template can verify if HTTPS is enforced across all load balancers to safeguard data in transit. Additionally, it can check for SSL certificates with strong encryption and ensure that expired certificates are flagged. The template can also audit session stickiness settings and security group rules to prevent overly permissive access.
  2. Function Compute Security Hardening: For applications using Alibaba Cloud Function Compute, a custom template can help enforce best practices for serverless security. A template might verify that functions are not directly exposed to the public unless explicitly required, ensuring that environment variables containing sensitive information are encrypted. It can also check whether RAM roles follow the principle of least privilege and if proper logging mechanisms are configured to monitor function activity.
  3. Cloud Firewall Configuration Audits: Custom templates can help validate that Alibaba Cloud firewalls are configured securely. For instance, a template can identify overly permissive rules allowing traffic from 0.0.0.0/0 or ::/0. It can verify that intrusion prevention is enabled and audit logging is configured to track malicious activity. Additionally, the template can ensure critical resources are protected by strict inbound and outbound rules.
  4. SLB Health Check Optimization: For users relying on Alibaba Cloud SLB (Server Load Balancer), a custom template can verify health check configurations. For example, it can check that health check intervals and timeout values are optimized for quick failure detection. It can also ensure that only required protocols (HTTP/HTTPS/TCP) are monitored and that health check results are logged for troubleshooting.
  5. PolarDB Compliance Reviews: Custom templates for Alibaba Cloud PolarDB can ensure database instances comply with security requirements. These templates can check if instance-level encryption is enabled, if audit logs are captured and stored securely, and whether IP whitelisting restricts access to authorized users. Additionally, they can verify backup configurations and ensure that backups are encrypted at rest.
  6. EIP Monitoring and Security: For organizations using Elastic IPs (EIP) in Alibaba Cloud, custom templates can help monitor EIP usage. A template can ensure no unused EIPs are incurring unnecessary costs and verify that EIPs associated with sensitive resources have DDoS protection enabled. Furthermore, it can audit access logs to ensure no unauthorized connections are using these public IPs.
  7. Log Service Security Audits: Alibaba Cloud Log Service custom templates can help verify proper logging practices. For instance, a template can ensure critical applications and services are forwarding logs to Log Service, verify that sensitive information is not being logged, and check whether log data is encrypted at rest and stored for an adequate retention period to comply with organizational policies.
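As an added example (not one of the release's own templates), here is a custom check of the kind scenarios 1 and 3 describe: it flags ECS security groups that have an inbound Accept rule open to 0.0.0.0/0 or ::/0, reusing the flow/iterate pattern from Example #3. It assumes the ECS DescribeSecurityGroups and DescribeSecurityGroupAttribute responses carry the field names used in the jq filter (SecurityGroupId, Direction, Policy, SourceCidrIp, Ipv6SourceCidrIp) and that jq is installed, as the environment-validation template verifies.

```yaml
id: ecs-security-group-open-ingress

info:
  name: ECS Security Group - Inbound Rule Open to Any Address
  author: example-author
  severity: high
  description: |
    An ECS security group allows inbound (ingress) traffic from 0.0.0.0/0 or ::/0,
    exposing every attached instance on the listed ports to the whole internet.
  remediation: |
    Restrict the source CIDR of inbound rules to the address ranges that actually need access.
  tags: cloud,devops,aliyun,alibaba,alibaba-cloud-config,alibaba-ecs

variables:
  region: "cn-hangzhou"

# code(1) lists the security groups; code(2) runs once per group with "sg" set
flow: |
  code(1)
  for(let SecurityGroupId of iterate(template.sgid)){
    set("sg", SecurityGroupId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      aliyun ecs DescribeSecurityGroups --region $region
    extractors:
      - type: json
        name: sgid
        internal: true
        json:
          - '.SecurityGroups.SecurityGroup[].SecurityGroupId'   # assumed response shape

  - engine:
      - sh
      - bash
    source: |
      # jq does the filtering so that a CIDR in a rule description or an egress rule
      # cannot trigger a false positive the way a plain word matcher on the JSON would.
      # Only ingress Accept rules with an any-address source produce an "OPEN ..." line.
      aliyun ecs DescribeSecurityGroupAttribute --SecurityGroupId $sg --region $region \
        | jq -r '.Permissions.Permission[]
                 | select(.Direction == "ingress" and .Policy == "Accept"
                          and (.SourceCidrIp == "0.0.0.0/0" or .Ipv6SourceCidrIp == "::/0"))
                 | "OPEN " + .IpProtocol + " " + .PortRange'
    matchers:
      - type: word
        words:
          - "OPEN "
    extractors:
      - type: dsl
        dsl:
          - 'sg + " has an inbound rule open to any address"'
```

Run it with nuclei -id ecs-security-group-open-ingress -code after signing, exactly as for the templates above; the matched stdout lines list the protocol and port range of each open rule.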

Running Alibaba Cloud Config Templates

  • To use these templates, ensure your environment is properly set up. You will need to install the Alibaba Cloud CLI and configure its contexts or specific access permissions.
  • In Nuclei-Templates, we've introduced profiles, allowing users to run a set of templates tailored for specific use cases. For Alibaba Cloud Config security reviews, we have a profile named alibaba-cloud-config.
  • Once your environment is configured, run the following command to verify everything is set up correctly before running the profile:

```console
$ nuclei -id alibaba-cloud-code-env -code -vv

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.7

		projectdiscovery.io

[INF] Current nuclei version: v3.3.7 (latest)
[INF] Current nuclei-templates version: v10.1.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from geekfreak
[alibaba-cloud-code-env] Aliyun Cloud Environment Validation (@dhiyaneshdk) [info]
[alibaba-cloud-code-env] [code] [info]  ["Aliyun CLI is properly configured for account "281381574" and all the necessary tools required are installed"]
```
  • If the template matches, this indicates that the environment has all the necessary tools installed and the CLI is set up.

Uploading Results to ProjectDiscovery Cloud Platform

To upload results to the cloud, you need to obtain an authentication token. Here are the steps to follow:

  1. Go to PDCP Cloud and log in to your account.
  2. Click on your profile picture in the top-right corner and select API key.
  3. Copy your API key, and in your terminal, type nuclei -auth <your-api-key>.

Now you're all set to run the templates!

```bash
nuclei -profile alibaba-cloud-config -cloud-upload -code
```

Now that you've gathered numerous findings, you can easily access them on the Cloud. Just log in to PDCP Cloud, and you'll see a scan created with your results.

We have added 45 templates categorized by services. We invite the community to share their feedback. We anticipate this number will grow as the security community continues to contribute and collaborate.

Conclusion

The Nuclei templates for Alibaba Cloud provide great flexibility and creativity, allowing users to create checks tailored to their specific workflow and environment. This approach not only aids in detecting and addressing security misconfigurations but also supports ongoing monitoring of the entire Alibaba Cloud environment.

You can also join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you, once again!

By leveraging Nuclei and actively engaging with the open-source community, or by becoming a part of the ProjectDiscovery Cloud Platform, companies can enhance their security measures, proactively address emerging threats, and establish a more secure digital landscape. Security represents a shared endeavor, and by collaborating, we can consistently adapt and confront the ever-evolving challenges posed by cyber threats.