1. AWS KEYS (TO THE KINGDOM)
War Stories, Lessons, and watching your adversary

2. WHY ARE WE HERE?
•Everyone likes a war story
•How can you stop being the war story
•Options for diving further

3. {
“Real Name”: “Andrew Waite”,
“Twitter”: “@InfoSanity”,
“URL”: “https://blog.infosanity.co.uk”,
“DayJob”: “Cloud Security Lead @ Matillion”,
“Pronouns”: “He/Him/His”,
“Personal”: [
“Husband”, “Father”, “Dog person”, “Painter of Soldier-Barbies”
],
}
$AWS STS GET-CALLER-IDENTITY

4. JACKANORY TIME
Disclaimers first…

5. ARE WE SITTING COMFORTABLY?

6. INTERMISSION: WHAT’S A KEY PAIR?
• Think username/password
• What’s special about ROOT?

7. WHAT WAS DONE?
• Initial look around
• Deployed LARGE servers for crypto-mining

8. WHAT DID WE DO?
• Triggered by Finance…
• Identify and remove all(?) unauthorised resources
• Full(?) review of malicious activity
• Briefing to all stakeholders
• Rotate (and remove) all compromised keys
• Forensics of deployed infrastructure
• £$ ???

9. THAT DOESN’T SOUND FUN
• No ROOT account
• Activity Monitoring
• Restrict Regions
• Baseline ‘normal’
DC44191 2020-08 – familiar voice

10. DIGGING DEEPER

11. HONEYPOT ARCHITECTURE

12. DEPLOYMENT
• Terraform apply
• Requirements:
• ‘leak’ those keys
• And destroy

13. AWS RESPONSE
• Money Making? – possibly….
• A new policy has entered the arena:
• AWSCompromisedKeyQuarantine
• Impressive partner co-operation
• Know more?:
• https://brokenco.de/2021/01/15/leaking-aws-keys.html

14. PREVENTION > CURE
• Protect those credentials
• Least Privilege
• MFA
• Conditional Restrictions
• Role Assumption
• Don’t leak them
• Git-secrets
• Trufflehog
• Detect-secrets

15. SUMMARY
•How not to us Finance as monitoring sys
•How to avoid being the next war story
•Inspire you to know more; hopefully

16. CALL TO ACTION
https://github.com/infosanity/Access-Key-Pot

17. CALL TO ACTION
https://canarytokens.org/generate

18. Q&A

19. WOULD YOU LIKE TO KNOW MORE?
https://github.com/infosanity/Access-Key-Pot