Profile Applicability:
- Level 1
Description:
Shodan is a search engine that allows users to search for devices and systems exposed to the internet, including those with open ports. For security purposes, it is important to regularly check whether any Elastic IPs (EIPs) or Public IPs associated with your EC2 instances or other AWS resources are indexed by Shodan, as this could indicate potential exposure to the internet and security risks. This SOP provides the steps to check if your IPs are indexed by Shodan using their API.
Rationale:
Shodan scans the internet and indexes information about publicly accessible devices and services, including open ports, IP addresses, and metadata about services. If an Elastic IP or Public IP associated with an AWS resource is listed in Shodan, it may indicate that the resource is unnecessarily exposed to the internet, which could lead to unauthorized access, security breaches, or exploitation. Regularly checking for exposed IPs on Shodan helps to mitigate such risks and maintain a strong security posture.
Impact:
Pros:
Helps identify unintended exposure of your Elastic IPs or Public IPs to the internet.
Proactively identifies potential vulnerabilities that could be exploited.
Improves overall security by allowing you to remediate issues before they lead to a breach.
Cons:
Requires access to a Shodan API key, which may involve additional setup.
Shodan results can be stale or inaccurate (for example, an IP that has since been released or reassigned), which can produce false positives.
Default Value:
By default, AWS EC2 instances with Elastic IPs or Public IPs could be exposed to the internet if not correctly configured with security groups, NACLs, or firewall rules. These IPs may also be indexed by Shodan unless properly secured.
Pre-requisite:
Shodan API Key: You will need a valid Shodan API key to query Shodan's database.
AWS IAM permissions:
ec2:DescribeInstances
ec2:DescribeAddresses
AWS CLI installed and configured.
Familiarity with Shodan API and how to interact with it programmatically.
Remediation:
Test Plan:
Using Shodan API:
Obtain a Shodan API Key:
Sign up for a Shodan account at Shodan.io.
Obtain your API Key from your account settings.
Use the Shodan API to search for IPs:
The Shodan API allows you to query its database to find out whether specific IPs are indexed. To do this, you will use the host endpoint to check individual IPs.
Using AWS CLI:
To list all Elastic IPs and Public IPs:
Run the following command to get all Elastic IPs (EIPs):
aws ec2 describe-addresses --query 'Addresses[*].PublicIp' --output text
This command will list all the public IPs associated with your AWS account.
Query each IP in Shodan:
For each public IP address retrieved from the AWS CLI, use the Shodan API to check if it is indexed. Use the following cURL command or Python script to query Shodan:
cURL Command:
curl "https://api.shodan.io/shodan/host/<Public-IP>?key=<Your-API-Key>"
Replace <Public-IP> with the IP address and <Your-API-Key> with your actual Shodan API key. If the response contains information about the IP (e.g., open ports, services), it means the IP is indexed in Shodan.
Python Script (Optional for bulk check):
import requests

SHODAN_API_KEY = 'your_shodan_api_key'
ips = ['<IP-1>', '<IP-2>', '<IP-3>']  # List of IPs to check

for ip in ips:
    response = requests.get(f'https://api.shodan.io/shodan/host/{ip}',
                            params={'key': SHODAN_API_KEY}, timeout=10)
    data = response.json()
    if response.status_code == 200 and 'error' not in data:
        # Shodan holds a record for this IP: report the open ports it observed
        print(f"IP {ip} is indexed in Shodan (ports: {data.get('ports', [])})")
    elif response.status_code == 404:
        # Shodan has no information for this IP
        print(f"IP {ip} is not indexed")
    else:
        # Invalid key, rate limit or server error: the query failed, do not treat as 'not indexed'
        print(f"IP {ip}: query failed (HTTP {response.status_code}): {data.get('error', data)}")
Review Shodan Responses:
If the response from Shodan contains data about the IP, it means that Shodan has indexed the IP, and it could potentially be exposed to the internet.
If Shodan returns an error stating it has no information for the IP (HTTP 404), the IP is not indexed by Shodan. Other error responses (for example, an invalid API key or rate limiting) mean the query itself failed and should be retried rather than being read as "not indexed".
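The following is an added example, not part of the original SOP, covering both the Test Plan above and the CLI-based Implementation Steps below. It parses the text output of the describe-addresses command and classifies Shodan host-endpoint replies offline, separating "not indexed" (HTTP 404) from failed queries (invalid key, rate limiting). All sample AWS output and Shodan replies are constructed; the function names are this example's own.

```python
# Added example (not part of the original SOP): offline helpers for the check.
import json
from ipaddress import ip_address

def parse_aws_public_ips(cli_text_output):
    """Return valid IP addresses from `aws ec2 describe-addresses --query
    'Addresses[*].PublicIp' --output text`. Note: describe-addresses returns
    Elastic IPs only; auto-assigned instance public IPs come from
    `describe-instances --query 'Reservations[*].Instances[*].PublicIpAddress'`."""
    ips = []
    for token in cli_text_output.split():
        if token == 'None':  # AWS CLI text output prints None for a missing value
            continue
        ips.append(str(ip_address(token)))  # raises ValueError on malformed tokens
    return ips

def classify_shodan_response(status_code, body_text):
    """Map one host-endpoint reply to ('indexed'|'not_indexed'|'error', detail)."""
    try:
        data = json.loads(body_text)
    except json.JSONDecodeError:
        return ('error', f'non-JSON reply with HTTP {status_code}')
    if status_code == 200 and 'error' not in data:
        # Summarise the exposure Shodan recorded: open ports and identified products
        ports = sorted(set(data.get('ports', [])))
        products = sorted({s.get('product') for s in data.get('data', []) if s.get('product')})
        return ('indexed', {'ports': ports, 'products': products,
                            'last_update': data.get('last_update')})
    if status_code == 404:
        return ('not_indexed', data.get('error', ''))
    # 401 (invalid key), 429 (rate limit), 5xx: the query failed, not "safe"
    return ('error', f"HTTP {status_code}: {data.get('error', body_text)}")

# Constructed sample data (not real AWS or Shodan output)
SAMPLE_AWS_OUTPUT = "203.0.113.10\t198.51.100.7\tNone\n"
SAMPLE_SHODAN_INDEXED = json.dumps({
    "ip_str": "203.0.113.10", "ports": [22, 80, 22],
    "last_update": "2024-01-01T00:00:00.000000",
    "data": [{"port": 22, "product": "OpenSSH"}, {"port": 80, "product": "nginx"}],
})
SAMPLE_SHODAN_MISSING = json.dumps({"error": "No information available for that IP."})
SAMPLE_SHODAN_BADKEY = json.dumps({"error": "Invalid API key"})

if __name__ == '__main__':
    for ip in parse_aws_public_ips(SAMPLE_AWS_OUTPUT):
        print(ip)
    print(classify_shodan_response(200, SAMPLE_SHODAN_INDEXED))
    print(classify_shodan_response(404, SAMPLE_SHODAN_MISSING))
    print(classify_shodan_response(401, SAMPLE_SHODAN_BADKEY))
```

In a live run, feed the CLI output and each response's status code and body into these functions and only mark an IP as "not indexed" when the classifier says so.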
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to EC2 under Services.
In the Elastic IPs section, make a list of Elastic IPs associated with your EC2 instances or other resources.
For each Elastic IP or Public IP, query Shodan using the Shodan API (as described above) to see if any of these IPs are indexed.
Using AWS CLI and Shodan API:
Use the following AWS CLI command to list your Elastic IPs:
aws ec2 describe-addresses --query 'Addresses[*].PublicIp' --output text
Query each Elastic IP or Public IP with the Shodan API to see if it is indexed.
Review the results to identify any exposed IPs and take appropriate actions to secure them (e.g., restricting access via security groups or using a VPN).
Backout Plan:
If any Elastic IPs or Public IPs are found to be exposed on Shodan, take the following corrective actions:
Revoke or Replace Exposed IPs:
Modify security group rules to block public access to the IPs.
If necessary, release the Elastic IPs and assign new ones.
Enable Additional Security Measures:
Use NAT Gateways or Load Balancers to provide access while keeping EC2 instances private.
Consider implementing a VPN for external access to secure your resources.
Recheck the IPs after securing them to ensure they are no longer indexed by Shodan.