xebia.com
Michał Brygidyn
AWS Ambassador
AWS Community Builder
Cloud Hacking Scenarios
ContainerDay Security 2023
Hamburg – 8.03.2023

<HTML>

Step 1 – HTML
Source code
1. Just view the source code :)
– Comments
– JavaScript
Example (screenshot slide)
Step 2 – AWS
─ Administrator Access :)

What went wrong?
Code, build, forget, repeat…
Sensitive data left in code:
─ “for the next team to let them know how it works”
─ “because that’s how I use variables in my JavaScript”

GitHub

Step 1 – GitHub
Public GitHub repo
1. Config file with encrypted variables
2. Java class with a decrypt function and.. a secret key
Example (screenshot slide)
Step 2 – Office 365
1. Teams: “Hello CxO :)”
2. SharePoint: PDF with a Jira configuration guide… including login and password
Step 3 – Jira
Project “AWS”:
─ Task to create IAM User for an external service
─ Plaintext AWS Access and Secret keys in comments
Step 4 – AWS
─ Administrator Access :)

What went wrong?
Hardcoded sensitive data:
─ Config files
─ Encryption keys
─ Git history
Lack of security awareness:
─ Too many viewers
─ Valid credentials in documentation
─ Using own personal/business account in scripts
Bad tools selection:
─ Public repository
─ Risky credentials sharing
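Both scenarios so far end the same way: a secret sitting in a public artefact, whether a comment or JavaScript variable in the HTML or an encryption key committed next to the config it protects. As an added example (not from the talk), a small scanner a pre-commit hook or CI job can run over a checkout: it flags AWS access key IDs and secret-looking assignments (noting when the hit lives in an HTML comment), ignores values that are only ciphertext, and raises a separate finding when ciphertext and its key sit in the same repo. The Jasypt-style ENC(...) value shape and the sample files are assumptions.

```python
import re
from dataclasses import dataclass

# AWS access key IDs have a fixed shape: AKIA (long-term) or ASIA (temporary)
# followed by exactly 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A variable, property or YAML key whose name suggests a secret, assigned a
# literal of 8+ characters: JS ("var awsSecretKey = '...'"), Java constants
# and .properties files alike.
ASSIGNED_SECRET = re.compile(
    r"(?i)\b(aws[_-]?secret(?:[_-]?access)?[_-]?key|secret[_-]?key|"
    r"encryption[_-]?key|password|passwd)\b\s*[:=]\s*['\"]?([^'\"\s;,]{8,})"
)
# Jasypt-style ciphertext in a config value, e.g. db.password=ENC(...). The talk
# only says "config file with encrypted variables"; this shape is assumed.
ENCRYPTED_VALUE = re.compile(r"\bENC\([^)]+\)")
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    sample: str  # redacted, so the CI log does not leak the value a second time


def redact(value: str) -> str:
    return value[:4] + "***"


def region(pos: int, comments: list[tuple[int, int]]) -> str:
    """Is absolute offset `pos` inside one of the HTML comment spans?"""
    return "html_comment" if any(s <= pos < e for s, e in comments) else "source"


def scan_text(path: str, text: str) -> list[Finding]:
    """Report key IDs and secret-looking assignments in one file, noting whether
    a hit sits inside an HTML comment (the "for the next team" case)."""
    findings: list[Finding] = []
    comments = [m.span() for m in HTML_COMMENT.finditer(text)]
    offset = 0  # absolute position of the current line, for the comment lookup
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            where = region(offset + m.start(), comments)
            findings.append(Finding(path, lineno, f"aws_access_key_id/{where}", redact(m.group())))
        for m in ASSIGNED_SECRET.finditer(line):
            if ENCRYPTED_VALUE.fullmatch(m.group(2)):
                continue  # ciphertext on its own is not a leak; see scan_repo
            where = region(offset + m.start(), comments)
            findings.append(Finding(path, lineno, f"{m.group(1).lower()}/{where}", redact(m.group(2))))
        offset += len(line)
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan every file, then apply the cross-file rule from the GitHub scenario:
    encrypted config values are worthless once the key that decrypts them is
    committed next to them."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    has_ciphertext = any(ENCRYPTED_VALUE.search(text) for text in files.values())
    keys = [f for f in findings if f.kind.startswith("encryption")]
    if has_ciphertext and keys:
        findings.append(Finding(keys[0].path, keys[0].line,
                                "encrypted_config_with_key_in_repo", keys[0].sample))
    return findings


# Constructed sample repo (all values fake; the AWS pair is AWS's documented
# example key): the HTML scenario in index.html, the GitHub one in the rest.
SAMPLE_FILES = {
    "index.html": (
        "<!DOCTYPE html>\n"
        "<!-- for the next team: uploads use AKIAIOSFODNN7EXAMPLE -->\n"
        "<script>\n"
        "  var awsSecretKey = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';\n"
        "</script>\n"
    ),
    "src/main/resources/application.properties":
        "db.user=app\ndb.password=ENC(x7kq1Zs9uE2Lr0pVb3Jn8w==)\n",
    "src/main/java/Crypto.java": (
        "public class Crypto {\n"
        '    private static final String ENCRYPTION_KEY = "S3cr3tK3y-ChangeMe!";\n'
        "}\n"
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.sample})")
```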

Symfony Profiler

Step 1 – Symfony Profiler
A publicly available development tool:
─ Plaintext credentials in Server Parameters
─ Plaintext credentials in Requests history
─ parameters.yml preview
Examples (screenshot slides)
Step 2 – Internal app
1. Admin credentials:
─ Dev Environment
─ Prod Environment
2. SSO to multiple apps:
─ Production CRM
─ Webmail
Step 3 – Webmail
1. AWS Invoices & Trusted Advisor emails
2. Reset password for AWS Root account
Step 4 – AWS Root Account
─ No MFA
─ Organization Management Account
─ Administrator Access on all member accounts :)

What went wrong?
Prod data on a non-prod env:
─ Prod database on a non-prod
─ Same credentials across multiple environments
─ A single cloud subscription for all envs / apps / clients
No MFA:
─ Not enforced
─ Shared credentials
Critical services using the same shared email:
─ “All for one, and one for all”
─ Shared account/password
─ Very old passwords

Kubernetes

Step 1 – Kubernetes API
A publicly exposed Kubernetes API with disabled RBAC:
─ Base64 Secrets
─ Plaintext ConfigMaps
─ Pods list and configuration
Examples (screenshot slides)
Step 2 – K8s Secrets
1. AWS Access Keys: S3 access only
2. Jenkins admin credentials
Step 3 – Jenkins app
1. AWS Access Keys in different Workspaces:
─ SQS access
─ Lambda access
2. GitHub credentials in Jenkins Credentials
3. AWS CLI calls in jobs console logs
Step 4 – Kubectl exec
Bash on Jenkins pod:
─ AWS IAM Role with Administrator Access :)

What went wrong?
Public resources:
─ Lack of knowledge
─ Limited scope of penetration testing
─ Risky design
Principle of Least Privilege:
─ Admin access for all!
─ Unprotected CICD tools
─ Running apps as Root
Disabled security features:
─ No RBAC
─ Unencrypted data
─ No firewall
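The Kubernetes chain starts with an API server that anyone can reach and that authorizes everything, and the three items under “Disabled security features” can be read straight off the kube-apiserver flags. As an added example (not from the talk), an audit of those flags taken from a kubeadm-style static pod manifest, with the weak configuration beside a hardened flag set. The sample manifest, the hardened flags and the encryption config path are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    severity: str
    flag: str
    detail: str


def args_from_manifest(text: str) -> list[str]:
    """Pull the '- --flag=value' entries out of a kubeadm-style static-pod
    manifest (/etc/kubernetes/manifests/kube-apiserver.yaml). Enough for this
    audit; a YAML parser would be more robust."""
    return [ln.strip()[2:] for ln in text.splitlines() if ln.strip().startswith("- --")]


def parse_flags(args: list[str]) -> dict[str, str]:
    """Turn ['--a=b', '--c', 'd', '--e'] into {'a': 'b', 'c': 'd', 'e': 'true'}."""
    flags: dict[str, str] = {}
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg[2:].split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                key, value = arg[2:], args[i + 1]
                i += 1
            else:
                key, value = arg[2:], "true"
            flags[key] = value
        i += 1
    return flags


def audit_apiserver(args: list[str]) -> list[Issue]:
    flags = parse_flags(args)
    issues: list[Issue] = []
    # kube-apiserver falls back to AlwaysAllow when --authorization-mode is absent.
    modes = [m.strip() for m in flags.get("authorization-mode", "AlwaysAllow").split(",")]
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        issues.append(Issue("critical", "authorization-mode",
                            f"{','.join(modes)}: any caller can list Secrets and exec into Pods"))
    # --anonymous-auth defaults to true. Under RBAC anonymous callers only get
    # system:public-info-viewer; combined with AlwaysAllow it is a public cluster.
    if flags.get("anonymous-auth", "true").lower() == "true":
        issues.append(Issue("critical" if "AlwaysAllow" in modes else "medium",
                            "anonymous-auth", "unauthenticated requests are accepted"))
    if "encryption-provider-config" not in flags:
        issues.append(Issue("medium", "encryption-provider-config",
                            "Secrets sit in etcd as plain base64 (no encryption at rest)"))
    port = flags.get("insecure-port")
    if port not in (None, "0"):
        issues.append(Issue("critical", "insecure-port",
                            f"unauthenticated HTTP API on port {port} (flag removed in newer releases)"))
    return issues


# Constructed manifest of a cluster like the one in the scenario (IP is TEST-NET).
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=203.0.113.10
    - --authorization-mode=AlwaysAllow
    - --anonymous-auth=true
    - --insecure-port=8080
    - --etcd-servers=https://127.0.0.1:2379
"""
# The same flags the way a hardened cluster would set them (assumed paths).
HARDENED_ARGS = [
    "kube-apiserver",
    "--authorization-mode=Node,RBAC",
    "--anonymous-auth=false",
    "--encryption-provider-config=/etc/kubernetes/enc/enc.yaml",
    "--bind-address=10.0.0.5",
]

if __name__ == "__main__":
    for issue in audit_apiserver(args_from_manifest(SAMPLE_MANIFEST)):
        print(f"[{issue.severity}] --{issue.flag}: {issue.detail}")
```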

And more…
Slides still not ready :)

Other ways “in”
– Outdated software running on cloud servers (open proxy)
– Admin credentials logged during the installation
– Misconfigured vhosts → Directory indexing
– Debug pages and connection strings (Python Django)
Examples (screenshot slides)

AWS Backdoors
A small teaser of my next presentation

AWS Backdoors – Ideas
Group 1: EC2
- Create a public EC2 with IAM Role
- Add a local user to any running public EC2
Group 2: IAM User
- Create a new IAM User
- Create an additional access/secret key for any existing IAM User
Group 3: IAM Role
- Trust relation with an external account
- Create new policy version
- Replace a role for any service
Group 4: Network access
- Change / Remove Security Group rule(s)
- VPC Peering with a rogue external VPC
- Transit gateway attachment

AWS Backdoors – Survival
Self-Healing:
― Lambda + CloudWatch / API Gateway / direct link
― Step Functions
― CodeBuild
Detection prevention:
― PowerUser + IAMFull instead of AdministratorAccess
― Same context (EC2 keys used on the EC2 only)
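Every idea on the two backdoor slides is an API call, so each one lands in CloudTrail. As an added example from the defender's side (not part of the talk), a detector that maps those calls to alerts and escalates on the details that matter: a trust policy naming a foreign account, a key minted for someone else, PowerUser or IAMFull attached instead of AdministratorAccess, and instance-role credentials used away from the instance (the “same context” trick). The event-to-group mapping, the known egress IP set and the sample records are assumptions.

```python
import json
import re
from dataclasses import dataclass

# CloudTrail eventNames behind the four idea groups and the survival tricks.
PERSISTENCE_EVENTS = {
    "RunInstances": "EC2: instance launched",                           # Group 1
    "CreateUser": "IAM: user created",                                  # Group 2
    "CreateAccessKey": "IAM: access key created",
    "UpdateAssumeRolePolicy": "IAM: role trust policy changed",         # Group 3
    "CreatePolicyVersion": "IAM: policy version created",
    "ReplaceIamInstanceProfileAssociation": "EC2: instance role replaced",
    "AuthorizeSecurityGroupIngress": "EC2: security group rule added",  # Group 4
    "RevokeSecurityGroupIngress": "EC2: security group rule removed",
    "CreateVpcPeeringConnection": "EC2: VPC peering requested",
    "CreateTransitGatewayVpcAttachment": "EC2: transit gateway attachment",
    "CreateFunction": "Lambda: function created",                       # Survival
    "PutRule": "EventBridge: rule created",
    "CreateStateMachine": "Step Functions: state machine created",
    "CreateProject": "CodeBuild: project created",
    "AttachUserPolicy": "IAM: managed policy attached to user",
    "AttachRolePolicy": "IAM: managed policy attached to role",
}
# PowerUser + IAMFull is AdministratorAccess by another name: watch all three.
ADMIN_EQUIVALENT = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}
KNOWN_VPC_EGRESS = {"198.51.100.7"}  # assumption: egress IPs of our own VPCs
ACCOUNT_ID = re.compile(r"\b\d{12}\b")
INSTANCE_SESSION = re.compile(r"/i-[0-9a-f]+$")  # role session named after the instance


@dataclass(frozen=True)
class Alert:
    severity: str
    event: str
    reason: str


def analyse(record: dict) -> list[Alert]:
    """Alerts one CloudTrail record should raise; empty for benign records."""
    name = record.get("eventName", "")
    own = record.get("recipientAccountId", "")
    params = record.get("requestParameters") or {}
    who = record.get("userIdentity") or {}
    src = record.get("sourceIPAddress", "")
    alerts: list[Alert] = []
    # "Same context": instance-role credentials are only legitimate when used
    # from the instance itself, whatever API they call.
    arn = who.get("arn", "")
    if who.get("type") == "AssumedRole" and INSTANCE_SESSION.search(arn) and src not in KNOWN_VPC_EGRESS:
        alerts.append(Alert("high", name, f"instance role {arn} used from {src}"))
    if name not in PERSISTENCE_EVENTS:
        return alerts
    severity, reason = "low", PERSISTENCE_EVENTS[name]
    if name == "UpdateAssumeRolePolicy":
        foreign = set(ACCOUNT_ID.findall(str(params.get("policyDocument", "")))) - {own}
        if foreign:
            severity, reason = "critical", f"role {params.get('roleName')} now trusts external account(s) {sorted(foreign)}"
    elif name == "CreatePolicyVersion" and params.get("setAsDefault"):
        severity, reason = "high", f"new default version of {params.get('policyArn')}"
    elif name == "CreateAccessKey" and params.get("userName") not in (None, who.get("userName")):
        severity, reason = "high", f"{who.get('userName')} created a key for {params.get('userName')}"
    elif name == "RunInstances" and params.get("iamInstanceProfile"):
        severity, reason = "medium", "instance launched with an IAM role attached"
    elif name in ("AttachUserPolicy", "AttachRolePolicy") and params.get("policyArn") in ADMIN_EQUIVALENT:
        severity, reason = "high", f"admin-equivalent policy {params.get('policyArn')} attached"
    elif name == "CreateVpcPeeringConnection" and params.get("peerOwnerId") not in (None, own):
        severity, reason = "critical", f"peering with a VPC in external account {params.get('peerOwnerId')}"
    elif name == "AuthorizeSecurityGroupIngress" and "0.0.0.0/0" in json.dumps(params):
        severity, reason = "high", "ingress opened to 0.0.0.0/0"
    alerts.append(Alert(severity, name, reason))
    return alerts


def analyse_trail(records: list[dict]) -> list[Alert]:
    return [a for r in records for a in analyse(r)]


def make_record(name, params, who, src="198.51.100.7"):
    return {"eventName": name, "recipientAccountId": "111111111111", "userIdentity": who,
            "sourceIPAddress": src, "requestParameters": params}


BOT = {"type": "IAMUser", "userName": "deploy-bot"}
INSTANCE = {"type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/JenkinsRole/i-0123456789abcdef0"}
# Constructed records; account ids and IPs are fake (TEST-NET ranges).
SAMPLE_RECORDS = [
    make_record("UpdateAssumeRolePolicy", {"roleName": "AppRole", "policyDocument": json.dumps(
        {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})}, BOT),
    make_record("CreateAccessKey", {"userName": "alice"}, BOT),
    make_record("AttachUserPolicy", {"policyArn": "arn:aws:iam::aws:policy/IAMFullAccess"}, BOT),
    make_record("ListBuckets", None, INSTANCE, src="203.0.113.50"),
    make_record("DescribeInstances", None, INSTANCE),
]

if __name__ == "__main__":
    for a in analyse_trail(SAMPLE_RECORDS):
        print(f"[{a.severity}] {a.event}: {a.reason}")
```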

Q&A

Thank you!
michal.brygidyn@xebia.com
LinkedIn.com/in/michalbrygidyn/

More Related Content

Similar to Cloud Hacking Scenarios by Michał Brygidyn Mar. 10, 2023 • 0 likes •

Build a RESTful API with the Serverless Framework
Build a RESTful API with the Serverless FrameworkBuild a RESTful API with the Serverless Framework
Build a RESTful API with the Serverless Frameworkmasahitojp
 
Kubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiKubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiRita Zhang
 
Mastering Kubernetes on AWS (CON301-R1) - AWS re:Invent 2018
Mastering Kubernetes on AWS (CON301-R1) - AWS re:Invent 2018Mastering Kubernetes on AWS (CON301-R1) - AWS re:Invent 2018
Mastering Kubernetes on AWS (CON301-R1) - AWS re:Invent 2018Amazon Web Services
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Amazon Web Services
 
End-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWSEnd-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWSBhuvaneswari Subramani
 
Why your next serverless project should use AWS AppSync
Why your next serverless project should use AWS AppSyncWhy your next serverless project should use AWS AppSync
Why your next serverless project should use AWS AppSyncYan Cui
 
Containerless in the Cloud with AWS Lambda
Containerless in the Cloud with AWS LambdaContainerless in the Cloud with AWS Lambda
Containerless in the Cloud with AWS LambdaRyan Cuprak
 
Simplificando Arquiteturas Microsoft com os Serviços da AWS - ARC204 - Sao P...
Simplificando Arquiteturas Microsoft com os Serviços da AWS -  ARC204 - Sao P...Simplificando Arquiteturas Microsoft com os Serviços da AWS -  ARC204 - Sao P...
Simplificando Arquiteturas Microsoft com os Serviços da AWS - ARC204 - Sao P...Amazon Web Services
 
Supercharge Your Product Development with Continuous Delivery & Serverless Co...
Supercharge Your Product Development with Continuous Delivery & Serverless Co...Supercharge Your Product Development with Continuous Delivery & Serverless Co...
Supercharge Your Product Development with Continuous Delivery & Serverless Co...Amazon Web Services
 
AWS Atlanta meetup Build Tools - Code Commit, Code Build, Code Deploy
AWS Atlanta meetup Build Tools - Code Commit, Code Build, Code DeployAWS Atlanta meetup Build Tools - Code Commit, Code Build, Code Deploy
AWS Atlanta meetup Build Tools - Code Commit, Code Build, Code DeployAdam Book
 
Lessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleLessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleSidhartha Mani
 
muCon 2017 - 12 Factor Serverless Applications
muCon 2017 - 12 Factor Serverless ApplicationsmuCon 2017 - 12 Factor Serverless Applications
muCon 2017 - 12 Factor Serverless ApplicationsChris Munns
 
Code review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief KarfiantoCode review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief Karfiantoidsecconf
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 
DEV315_Automating Lambda Deployments with GitHub, Jenkins, AWS CodePipeline a...
DEV315_Automating Lambda Deployments with GitHub, Jenkins, AWS CodePipeline a...DEV315_Automating Lambda Deployments with GitHub, Jenkins, AWS CodePipeline a...
DEV315_Automating Lambda Deployments with GitHub, Jenkins, AWS CodePipeline a...Amazon Web Services
 
2020.02.15 DelEx - CI/CD in AWS Cloud
2020.02.15 DelEx - CI/CD in AWS Cloud2020.02.15 DelEx - CI/CD in AWS Cloud
2020.02.15 DelEx - CI/CD in AWS CloudPeter Salnikov
 

Similar to Cloud Hacking Scenarios by Michał Brygidyn Mar. 10, 2023 • 0 likes • (20)

AWS Code Services
AWS Code ServicesAWS Code Services
AWS Code Services
 
Build a RESTful API with the Serverless Framework
Build a RESTful API with the Serverless FrameworkBuild a RESTful API with the Serverless Framework
Build a RESTful API with the Serverless Framework
 
Meetup callback
Meetup callbackMeetup callback
Meetup callback
 
Kubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csiKubecon 2019_eu-k8s-secrets-csi
Kubecon 2019_eu-k8s-secrets-csi
 
Mastering Kubernetes on AWS (CON301-R1) - AWS re:Invent 2018
Mastering Kubernetes on AWS (CON301-R1) - AWS re:Invent 2018Mastering Kubernetes on AWS (CON301-R1) - AWS re:Invent 2018
Mastering Kubernetes on AWS (CON301-R1) - AWS re:Invent 2018
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
Externalized Spring Boot App Configuration
Externalized  Spring Boot App ConfigurationExternalized  Spring Boot App Configuration
Externalized Spring Boot App Configuration
 
End-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWSEnd-to-End CI/CD at scale with Infrastructure-as-Code on AWS
End-to-End CI/CD at scale with Infrastructure-as-Code on AWS
 
Why your next serverless project should use AWS AppSync
Why your next serverless project should use AWS AppSyncWhy your next serverless project should use AWS AppSync
Why your next serverless project should use AWS AppSync
 
Containerless in the Cloud with AWS Lambda
Containerless in the Cloud with AWS LambdaContainerless in the Cloud with AWS Lambda
Containerless in the Cloud with AWS Lambda
 
Simplificando Arquiteturas Microsoft com os Serviços da AWS - ARC204 - Sao P...
Simplificando Arquiteturas Microsoft com os Serviços da AWS -  ARC204 - Sao P...Simplificando Arquiteturas Microsoft com os Serviços da AWS -  ARC204 - Sao P...
Simplificando Arquiteturas Microsoft com os Serviços da AWS - ARC204 - Sao P...
 
Supercharge Your Product Development with Continuous Delivery & Serverless Co...
Supercharge Your Product Development with Continuous Delivery & Serverless Co...Supercharge Your Product Development with Continuous Delivery & Serverless Co...
Supercharge Your Product Development with Continuous Delivery & Serverless Co...
 
AWS Atlanta meetup Build Tools - Code Commit, Code Build, Code Deploy
AWS Atlanta meetup Build Tools - Code Commit, Code Build, Code DeployAWS Atlanta meetup Build Tools - Code Commit, Code Build, Code Deploy
AWS Atlanta meetup Build Tools - Code Commit, Code Build, Code Deploy
 
Workshop: We love APIs
Workshop: We love APIsWorkshop: We love APIs
Workshop: We love APIs
 
Lessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleLessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at Scale
 
muCon 2017 - 12 Factor Serverless Applications
muCon 2017 - 12 Factor Serverless ApplicationsmuCon 2017 - 12 Factor Serverless Applications
muCon 2017 - 12 Factor Serverless Applications
 
Code review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief KarfiantoCode review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief Karfianto
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
 
DEV315_Automating Lambda Deployments with GitHub, Jenkins, AWS CodePipeline a...
DEV315_Automating Lambda Deployments with GitHub, Jenkins, AWS CodePipeline a...DEV315_Automating Lambda Deployments with GitHub, Jenkins, AWS CodePipeline a...
DEV315_Automating Lambda Deployments with GitHub, Jenkins, AWS CodePipeline a...
 
2020.02.15 DelEx - CI/CD in AWS Cloud
2020.02.15 DelEx - CI/CD in AWS Cloud2020.02.15 DelEx - CI/CD in AWS Cloud
2020.02.15 DelEx - CI/CD in AWS Cloud
 

More from ContainerDay Security 2023

Constellation - The first always encrypted Kubernetes by Moritz Eckert
Constellation - The first always encrypted Kubernetes by Moritz EckertConstellation - The first always encrypted Kubernetes by Moritz Eckert
Constellation - The first always encrypted Kubernetes by Moritz EckertContainerDay Security 2023
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico MeisenzahlHow to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico MeisenzahlContainerDay Security 2023
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico MeisenzahlHow to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico MeisenzahlContainerDay Security 2023
 
Hardening automation with Kubespray by Alessio Greggi
Hardening automation with Kubespray by Alessio GreggiHardening automation with Kubespray by Alessio Greggi
Hardening automation with Kubespray by Alessio GreggiContainerDay Security 2023
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...ContainerDay Security 2023
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn ContainerDay Security 2023
 
Constellation - The first always encrypted Kubernetes by Moritz Eckert
Constellation - The first always encrypted Kubernetes by Moritz EckertConstellation - The first always encrypted Kubernetes by Moritz Eckert
Constellation - The first always encrypted Kubernetes by Moritz EckertContainerDay Security 2023
 
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
Lines of Defense - Securing your Kubernetes Clusters by Koray OksayLines of Defense - Securing your Kubernetes Clusters by Koray Oksay
Lines of Defense - Securing your Kubernetes Clusters by Koray OksayContainerDay Security 2023
 

More from ContainerDay Security 2023 (11)

Constellation - The first always encrypted Kubernetes by Moritz Eckert
Constellation - The first always encrypted Kubernetes by Moritz EckertConstellation - The first always encrypted Kubernetes by Moritz Eckert
Constellation - The first always encrypted Kubernetes by Moritz Eckert
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico MeisenzahlHow to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
 
Container Security Scanning by Timo Pagel
Container Security Scanning by Timo PagelContainer Security Scanning by Timo Pagel
Container Security Scanning by Timo Pagel
 
Container Security Scanning by Timo Pagel
Container Security Scanning by Timo PagelContainer Security Scanning by Timo Pagel
Container Security Scanning by Timo Pagel
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico MeisenzahlHow to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
 
Hardening automation with Kubespray by Alessio Greggi
Hardening automation with Kubespray by Alessio GreggiHardening automation with Kubespray by Alessio Greggi
Hardening automation with Kubespray by Alessio Greggi
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Constellation - The first always encrypted Kubernetes by Moritz Eckert
Constellation - The first always encrypted Kubernetes by Moritz EckertConstellation - The first always encrypted Kubernetes by Moritz Eckert
Constellation - The first always encrypted Kubernetes by Moritz Eckert
 
Cloud Hacking Scenarios by Michał Brygidyn
Cloud Hacking Scenarios by Michał BrygidynCloud Hacking Scenarios by Michał Brygidyn
Cloud Hacking Scenarios by Michał Brygidyn
 
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
Lines of Defense - Securing your Kubernetes Clusters by Koray OksayLines of Defense - Securing your Kubernetes Clusters by Koray Oksay
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
 

Recently uploaded

Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistandanishmna97
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdfMuhammad Subhan
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxjbellis
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 

Recently uploaded (20)

Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Cloud Hacking Scenarios by Michał Brygidyn, Mar. 10, 2023

  • 2. xebia.com – Michał Brygidyn, AWS Ambassador, AWS Community Builder. Cloud Hacking Scenarios. ContainerDay Security 2023, Hamburg – 8.03.2023
  • 4–7. HTML – AWS
    Step 1 – HTML. Source code: just view the source code :)
      – Comments
      – JavaScript
    Step 2 – AWS:
      ─ Administrator Access :)
  • 8. What went wrong? Code, build, forget, repeat… Sensitive data left in code:
      ─ “for the next team to let them know how it works”
      ─ “because that’s how I use variables in my JavaScript”
  • 10–15. GitHub – Office 365 – Jira – AWS
    Step 1 – Public GitHub repo:
      1. Config file with encrypted variables
      2. Java class with a decrypt function and.. a secret key
    Step 2 – Office365:
      1. Teams: ─ “Hello CxO :)”
      2. SharePoint: ─ PDF with a Jira configuration guide… ─ … including login and password
    Step 3 – Jira, project “AWS”:
      ─ Task to create IAM User for an external service
      ─ Plaintext AWS Access and Secret keys in comments
    Step 4 – AWS:
      ─ Administrator Access :)
  • 16. What went wrong?
    Hardcoded sensitive data: ─ Config files ─ Encryption keys ─ Git history
    Lack of security awareness: ─ Too many viewers ─ Valid credentials in documentation ─ Using own personal/business account in scripts
    Bad tools selection: ─ Public repository ─ Risky credentials sharing
  • 18–23. Symfony Profiler – Internal Apps – AWS
    Step 1 – Symfony Profiler, a publicly available development tool:
      ─ Plaintext credentials in Server Parameters
      ─ Plaintext credentials in Requests history
      ─ parameters.yml preview
    Step 2 – Internal app:
      1. Admin credentials: ─ Dev Environment ─ Prod Environment
      2. SSO to multiple apps: ─ Production CRM ─ Webmail
    Step 3 – Webmail:
      1. AWS Invoices & Trusted Advisor emails
      2. Reset password for AWS Root account
    Step 4 – AWS Root Account:
      ─ No MFA
      ─ Organization Management Account
      ─ Administrator Access on all member accounts :)
  • 24. What went wrong?
    Prod data on a non-prod env: ─ Prod database on a non-prod ─ Same credentials across multiple environments ─ A single cloud subscription for all envs / apps / clients
    No MFA: ─ Not enforced ─ Shared credentials
    Critical services using the same shared email: ─ “All for one, and one for all” ─ Shared account/password ─ Very old passwords
  • 26–31. Kubernetes – Jenkins – AWS
    Step 1 – Kubernetes API, publicly exposed with disabled RBAC:
      ─ Base64 Secrets
      ─ Plaintext ConfigMaps
      ─ Pods list and configuration
    Step 2 – K8s Secrets:
      1. AWS Access Keys: ─ S3 access only
      2. Jenkins admin credentials
    Step 3 – Jenkins app:
      1. AWS Access Keys in different Workspaces: ─ SQS access ─ Lambda access
      2. GitHub credentials in Jenkins Credentials
      3. AWS CLI calls in jobs console logs
    Step 4 – Kubectl exec, Bash on the Jenkins pod:
      ─ AWS IAM Role with Administrator Access :)
  • 32. What went wrong?
    Public resources: ─ Lack of knowledge ─ Limited scope of penetration testing ─ Risky design
    Principle of Least Privilege: ─ Admin access for all! ─ Unprotected CICD tools ─ Running apps as Root
    Disabled security features: ─ No RBAC ─ Unencrypted data ─ No firewall
  • 34–39. Other ways “in”
      – Outdated software running on cloud servers (open proxy)
      – Admin credentials logged during the installation
      – Misconfigured vhosts → Directory indexing
      – Debug pages and connection strings (Python Django)
  • 41. AWS Backdoors. A small teaser of my next presentation
  • 42–45. AWS Backdoors – Ideas
    Group 1: EC2
      - Create a public EC2 with IAM Role
      - Add a local user to any running public EC2
    Group 2: IAM User
      - Create a new IAM User
      - Create an additional access/secret key for any existing IAM User
    Group 3: IAM Role
      - Trust relation with an external account
      - Create new policy version
      - Replace a role for any service
    Group 4: Network access
      - Change / Remove Security Group rule(s)
      - VPC Peering with a rogue external VPC
      - Transit gateway attachment
  • 46. AWS Backdoors – Survival
    Self-Healing: ― Lambda + CloudWatch / API Gateway / direct link ― Step Functions ― CodeBuild
    Detection prevention: ― PowerUser + IAMFull instead of AdministratorAccess ― Same context (EC2 keys used on the EC2 only)
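The four "AWS Backdoors – Ideas" groups on slides 42–45 each leave a CloudTrail record, which is what a defender should be watching for. The following is an added example, not code from the presentation or from Xebia: it maps each group to the real AWS API operation names CloudTrail logs for those actions and runs a small triage over constructed CloudTrail-style events. The account ids, user names and VPC ids in the sample events are made up; the `requestParameters` field names (`iamInstanceProfile`, `userName`, `policyDocument`, `peerOwnerId`) are the ones CloudTrail uses for these calls, and `own_account` is a parameter you supply.

```python
"""Triage CloudTrail events for the persistence patterns listed on the
"AWS Backdoors - Ideas" slides. Sample events below are constructed, not real logs."""
import json

# Slide groups -> (eventSource, eventName) pairs CloudTrail records for those actions.
WATCHLIST = {
    "Group 1: EC2": {("ec2.amazonaws.com", "RunInstances")},
    "Group 2: IAM User": {("iam.amazonaws.com", "CreateUser"),
                          ("iam.amazonaws.com", "CreateAccessKey")},
    "Group 3: IAM Role": {("iam.amazonaws.com", "UpdateAssumeRolePolicy"),
                          ("iam.amazonaws.com", "CreatePolicyVersion"),
                          ("iam.amazonaws.com", "SetDefaultPolicyVersion"),
                          ("iam.amazonaws.com", "AttachRolePolicy")},
    "Group 4: Network access": {("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"),
                                ("ec2.amazonaws.com", "RevokeSecurityGroupIngress"),
                                ("ec2.amazonaws.com", "CreateVpcPeeringConnection"),
                                ("ec2.amazonaws.com", "CreateTransitGatewayVpcAttachment")},
}


def _group_for(event):
    """Return the slide group an event belongs to, or None if it is not on the watchlist."""
    key = (event.get("eventSource"), event.get("eventName"))
    for group, pairs in WATCHLIST.items():
        if key in pairs:
            return group
    return None


def _foreign_principals(policy_json, own_account):
    """List AWS principals in an assume-role policy that do not belong to own_account."""
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError):
        return []
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    foreign = []
    for st in statements:
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        foreign.extend(p for p in aws if own_account not in p)
    return foreign


def analyse(events, own_account):
    """Return one finding per watchlisted event, with extra notes for the riskier variants."""
    findings = []
    for ev in events:
        group = _group_for(ev)
        if group is None:
            continue
        name = ev["eventName"]
        params = ev.get("requestParameters") or {}
        identity = ev.get("userIdentity", {})
        notes = []
        if name == "RunInstances" and params.get("iamInstanceProfile"):
            notes.append("instance launched with an IAM instance profile")
        if name == "CreateAccessKey":
            target = params.get("userName")
            if target and target != identity.get("userName"):
                notes.append(f"access key created for another user: {target}")
        if name == "UpdateAssumeRolePolicy":
            foreign = _foreign_principals(params.get("policyDocument"), own_account)
            if foreign:
                notes.append("trust policy grants external principal(s): " + ", ".join(foreign))
        if name == "CreateVpcPeeringConnection":
            peer = params.get("peerOwnerId")
            if peer and peer != own_account:
                notes.append(f"peering with a VPC owned by another account: {peer}")
        findings.append({"group": group, "eventName": name,
                         "actor": identity.get("arn", "?"), "notes": notes})
    return findings


# Constructed sample events (not real CloudTrail output); 111111111111 is "our" account.
_ACTOR = {"arn": "arn:aws:iam::111111111111:user/alice", "userName": "alice"}
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": _ACTOR},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": _ACTOR,
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy", "userIdentity": _ACTOR,
     "requestParameters": {"roleName": "Admin", "policyDocument": json.dumps({
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                  "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateVpcPeeringConnection", "userIdentity": _ACTOR,
     "requestParameters": {"vpcId": "vpc-0example", "peerVpcId": "vpc-0peer", "peerOwnerId": "999999999999"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": _ACTOR,
     "requestParameters": {"iamInstanceProfile": {"arn": "arn:aws:iam::111111111111:instance-profile/admin"}}},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS, "111111111111"):
        print(f["group"], f["eventName"], f["actor"], "; ".join(f["notes"]))
```

Slide 46's "detection prevention" column is the reason the notes exist: a key created for a different user than the caller, a trust policy naming a foreign account, or a peering request whose `peerOwnerId` is not yours stands out even when the actor holds only PowerUser plus IAM permissions rather than AdministratorAccess.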