
Profile: composite/cloud-security.toml

Source

  • Original path: profiles/composite/cloud-security.toml

Profile (TOML)

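# Cloud Security Profile
# Detects cloud-specific security issues (AWS, Azure, GCP)
#
# Each [[patterns]] entry is a regex run against scanned content; only the
# entries that rely on it set `case-insensitive = true` (the engine's default
# is presumably case-sensitive — confirm before relying on it). The
# [[signatures]] entries at the bottom are SQL over the `pattern_matches`
# table and select rows by `pattern_name`, so a pattern renamed here must be
# renamed in those queries as well.

# Provider-agnostic credential patterns presumably live in the included base
# profile; this file adds only the cloud-provider-specific ones.
includes = [
  "../base/credentials.toml"
]

# Input is decoded with these transforms before matching, so a base64- or
# URL-encoded credential still hits the plain-text patterns below.
decode = ["base64", "percent-encoding"]

# AWS-specific patterns

# Generic ARN shape: partition "aws", service, optional region, 12-digit
# account, resource. The resource class has no ':' so multi-segment resources
# (e.g. "function:name") match only up to their first colon.
[[patterns]]
name = "AWS ARN"
pattern = "arn:aws:[a-z0-9-]+:[a-z0-9-]*:\\d{12}:[a-zA-Z0-9/_-]+"
type = "regex"

# Any run of exactly 12 digits between word boundaries. This is a locator,
# not a secret, and it also fires on timestamps, phone numbers and similar
# 12-digit values, so expect it to be the noisiest pattern in this profile.
[[patterns]]
name = "AWS Account ID"
pattern = "\\b\\d{12}\\b"
type = "regex"

[[patterns]]
name = "AWS S3 Bucket"
pattern = "s3://[a-z0-9.-]+"
case-insensitive = true
type = "regex"

# Virtual-hosted-style URLs only (<bucket>.s3[.<region>].amazonaws.com);
# path-style URLs of the form s3.amazonaws.com/<bucket> do not match.
[[patterns]]
name = "AWS S3 URL"
pattern = "https?://[a-z0-9.-]+\\.s3(?:[.-][a-z0-9-]+)?\\.amazonaws\\.com"
case-insensitive = true
type = "regex"

# The hyphen is placed last in the function-name class so it is unambiguously
# a literal, matching the class used by "AWS ARN" above.
[[patterns]]
name = "AWS Lambda Function"
pattern = "arn:aws:lambda:[a-z0-9-]+:\\d{12}:function:[a-zA-Z0-9_-]+"
type = "regex"

# Azure-specific patterns

# Full connection string with an 88-character base64 AccountKey. The next
# pattern is a superset of this one, so a complete key is reported under
# both names.
[[patterns]]
name = "Azure Storage Account Key"
pattern = "DefaultEndpointsProtocol=https;AccountName=[a-z0-9]+;AccountKey=[A-Za-z0-9+/=]{88}"
type = "regex"

# Looser form: any AccountName/AccountKey pair regardless of key length.
# Only connection strings that start with the https protocol are matched.
[[patterns]]
name = "Azure Storage Connection String"
pattern = "DefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[^;]+"
type = "regex"

# Assignment such as AZURE_CLIENT_SECRET=<value> (separators ':' or '=',
# optional surrounding quotes) with a 34-40 character value.
[[patterns]]
name = "Azure Client Secret"
pattern = "(?:azure|microsoft)[_-]?(?:client|application)[_-]?secret\\s*[:=]\\s*[\"']?[A-Za-z0-9~._-]{34,40}[\"']?"
case-insensitive = true
type = "regex"

# Plain UUID shape with nothing tying it to Azure, so every GUID in the
# input matches — and, via LIKE '%Azure%', feeds the "Cloud Credential
# Exposure" signature below.
[[patterns]]
name = "Azure Subscription ID"
pattern = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
type = "regex"

# GCP-specific patterns

# Head of a service-account JSON file. Order-sensitive: "type", "project_id"
# and "private_key_id" must appear consecutively in that order (presumably
# the order the downloaded file uses); a re-serialized or reordered copy
# will not match.
[[patterns]]
name = "GCP Service Account Key"
pattern = "\"type\":\\s*\"service_account\",\\s*\"project_id\":\\s*\"[^\"]+\",\\s*\"private_key_id\":"
type = "regex"

# project_id / gcp_project assignments. The value class enforces 6-30
# characters, a leading letter and a non-hyphen last character.
[[patterns]]
name = "GCP Project ID"
pattern = "(?:project[_-]?id|gcp[_-]?project)\\s*[:=]\\s*[\"']?[a-z][a-z0-9-]{4,28}[a-z0-9][\"']?"
case-insensitive = true
type = "regex"

[[patterns]]
name = "GCP Cloud Storage Bucket"
pattern = "gs://[a-z0-9._-]+"
type = "regex"

# Generic cloud patterns
[[patterns]]
name = "Cloud Provider Config"
pattern = "(?:aws|azure|gcp|google-cloud)_config"
case-insensitive = true
type = "regex"

# A reference to Terraform state is flagged on its own because state files
# can carry provider credentials and resource attributes in clear text.
[[patterns]]
name = "Terraform State File"
pattern = "terraform\\.tfstate"
case-insensitive = true
type = "regex"

# Matches only manifests that list apiVersion before kind; YAML allows
# either order, so kind-first Secret manifests are missed by this regex.
[[patterns]]
name = "Kubernetes Secret"
pattern = "apiVersion:\\s*v1\\s*kind:\\s*Secret"
type = "regex"

# The "auths" object of a Docker config.json. [^}]+ stops at the first
# closing brace, so only the first registry entry is captured.
[[patterns]]
name = "Docker Registry Credentials"
pattern = "\"auths\":\\s*\\{[^}]+\\}"
type = "regex"

# Any match whose pattern name carries a provider prefix. Note that
# LIKE '%AWS%' also catches the locator patterns ("AWS ARN", "AWS S3 Bucket",
# "AWS S3 URL", "AWS Account ID") and '%Azure%' the bare-UUID "Azure
# Subscription ID", so this signature flags resource references, not only
# credentials. 'Google%' matches no pattern defined in this file; presumably
# it targets one from the included base profile.
[[signatures]]
name = "Cloud Credential Exposure"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%AWS%' OR pattern_name LIKE '%Azure%' OR pattern_name LIKE '%GCP%' OR pattern_name LIKE 'Google%'"

# DISTINCT, as in the signature above, so a file with several matches of the
# same pattern is listed once rather than once per match. The IN list must
# mirror the `name` values of the three generic patterns above exactly.
[[signatures]]
name = "Infrastructure as Code Secrets"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Terraform State File', 'Kubernetes Secret', 'Docker Registry Credentials')"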