AWS Temporary Credentials
Challenges in prevention, detection, mitigation
jhwong@netskope.com
@jenkohwong
September 13, 2019
@jenkohwong
• Netskope threat research team
• Windows security, vulnerability scanning, routers/appliances, AV/AS, threat intel, exploits/pen-testing
• Product / engineering
• Science in space (ISS)
Agenda
• Attack Scenario: Temporary Tokens
• Defender Viewpoint: Challenges
• Dos & Don’ts
• Generalized Approach to the Problem
Attack Scenario: S3 (authenticated)
(Diagram: attacker, AWS STS and an S3 bucket inside the AWS cloud, five numbered steps.)
1. Attacker holds compromised access key A.
2. Attacker uses access key A to generate temp token B from AWS STS.
3. Attacker escalates privileges with compromised access key A or temp token B: AssumeRole, which returns a new temp token.
4. Attacker accesses the S3 bucket with the new token.
5. Data exfiltration.
(Diagram builds, one step at a time.)
1. Compromised Credentials: attacker holds compromised access key A.
2. Generate Temp Credentials: attacker presents access key A to AWS STS and receives temp token B.
Discovery
• Account of the stolen access key
• User who owns the key
• Groups of the user, other users
aws sts get-access-key-info --access-key-id <any key>
(returns the ID of the account that owns the key; works for permanent keys and temp keys, in and outside of your account)
https://docs.aws.amazon.com/IAM/latest/UserGuide/document-history.html
Discovery
• Attached policy of the user: can AssumeRole JenkoBucketRole
• JenkoBucketRole has a policy that can perform any action on jenko-bucket6
(Diagram: compromised access key A belongs to jenko_temp_user, who can AssumeRole JenkoBucketRole, which can do Action “s3:*” on jenko-bucket6.)
Privilege Escalation Details
(Diagram: the attacker calls AssumeRole JenkoBucketRole on AWS STS with either credential. Access key A yields temp token A’; temp token B yields temp token B’. Either result can do Action “s3:*” on jenko-bucket6.)
Data Exfiltration
(Diagram: the same five-step scenario, built up through steps 3 to 5.)
3. Escalate privileges with compromised access key A or temp token B.
4. Access the S3 bucket.
5. Data exfiltration.
Defender Viewpoint
• Assumptions
  • AWS experience
  • CloudTrail/CloudWatch
  • Less knowledge of temp credentials
• Starting Point
  • External party re: leaked data
  • Events/Alarms
Defender Viewpoint: Challenges
(Diagram: the same five-step S3 attack scenario.)
Detect:
1. CloudTrail/CloudWatch detects data exfil (action/destination)
2. Privilege escalation?
3. Correlation / anomaly detection?
Defender Viewpoint: Challenges
(Diagram: the same five-step S3 attack scenario.)
Investigate:
1. Logs: access key A, AssumeRole
2. JenkoBucketRole valid, not overprivileged, assigned to correct users
3. User interview => compromised key
Defender Viewpoint: Challenges
(Diagram: the same five-step S3 attack scenario.)
Mitigate/Remediate:
1. Delete access key A
2. Key rotation
3. Change console password
4. User training
Defender Viewpoint: Challenges
• GetSessionToken and the returned temp token B are troubling
• We're seeing STS and temp tokens in the logs
• A temp token is returned, similar to AssumeRole
• Reading up... we see we have another set of access keys floating around
STS Temp Tokens
• Expiration/Timing:
  • 15 minutes to 36 hours (GetSessionToken for an IAM user)
  • + CloudTrail event latency (from API call to log delivery on S3) of at least 20 minutes
  • Temporary tokens generated by AWS (e.g. roles passed to services like EC2) usually have shorter lifetimes (1 hour), but they are automatically refreshed, so an attacker who has gained control of an EC2 instance only needs to re-read the instance credentials from the metadata service every hour.
• API Access
  • Can use any service that the original user has privileges for, except...
  • Sessions using temporary tokens cannot create more temporary tokens (no GetSessionToken or GetFederationToken)
  • Within STS, can only invoke AssumeRole
  • Many techniques exist for privilege escalation via AssumeRole, so this is not a barrier (see Rhino Security Labs' AWS privilege-escalation research)
STS Temp Tokens
Unmanaged
• Untracked: no way to list the currently active ones or the historically generated ones
• Not in the console, no CLI/API command such as ListGeneratedTokens
• The console's access-key list (and aws iam list-access-keys) exists for permanent keys; nothing comparable exists for temporary tokens
Logging
• Creation/usage are logged, but you would have to parse and persist them from CloudTrail
Defensive Viewpoint: Temp Tokens
Detect
Update CloudWatch/SIEM filters to detect
• Creation: GetSessionToken and AssumeRole actions
• Usage: accessKeyId =~ ASIA*[1]
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_access-keys-audit
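The logging and detection points above (creation events and ASIA* usage have to be parsed out of CloudTrail and persisted yourself, because AWS keeps no inventory of temp tokens) as an added worked example; this is not code from the talk. It runs over a constructed set of CloudTrail-shaped records that replay the S3 scenario: key A, GetSessionToken, temp token B, AssumeRole JenkoBucketRole, temp token B', then GetObject on jenko-bucket6. The key IDs, account ID and the record layout (only the fields read here are present) are assumptions; the walk from a used ASIA key back to the long-lived key that started the chain is the correlation step the Detect slide asks for.

```python
"""Correlate STS credential issuance with later temp-token usage in CloudTrail.

Added example, not code from the talk. SAMPLE_EVENTS is constructed to follow
the field layout of CloudTrail STS and S3 data-event records (eventName,
userIdentity.accessKeyId, responseElements.credentials.accessKeyId); key IDs,
account number, ARNs and the bucket are made up to match the talk's scenario.
"""

STS_ISSUE_EVENTS = {"GetSessionToken", "AssumeRole", "GetFederationToken"}


def _evt(time, source, name, key, ident_type="IAMUser", **extra):
    # Minimal CloudTrail-shaped record (constructed; only fields read below).
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "userIdentity": {"type": ident_type, "accessKeyId": key}}
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [  # constructed, in the order the attack happens
    _evt("2019-09-13T01:00:00Z", "sts.amazonaws.com", "GetSessionToken", "AKIACONSTRUCTEDKEYA1",
         responseElements={"credentials": {"accessKeyId": "ASIACONSTRUCTEDTOKB1"}}),
    _evt("2019-09-13T01:05:00Z", "sts.amazonaws.com", "AssumeRole", "ASIACONSTRUCTEDTOKB1",
         requestParameters={"roleArn": "arn:aws:iam::123456789012:role/JenkoBucketRole"},
         responseElements={"credentials": {"accessKeyId": "ASIACONSTRUCTEDTOKB2"}}),
    _evt("2019-09-13T01:10:00Z", "s3.amazonaws.com", "GetObject", "ASIACONSTRUCTEDTOKB2",
         ident_type="AssumedRole",
         requestParameters={"bucketName": "jenko-bucket6", "key": "customers.csv"}),
    # Long-lived key used directly: not temp-token usage, so not reported below.
    _evt("2019-09-13T01:12:00Z", "s3.amazonaws.com", "ListBuckets", "AKIACONSTRUCTEDKEYA1"),
    # Temp key whose issuance is not in these logs (issued before the window,
    # or by a path these records do not include): lineage unknown.
    _evt("2019-09-13T01:20:00Z", "s3.amazonaws.com", "PutObject", "ASIACONSTRUCTEDTOKX9",
         ident_type="AssumedRole", requestParameters={"bucketName": "jenko-bucket6"}),
]


def is_temporary(access_key_id):
    # Temporary credentials carry the ASIA prefix; long-lived keys start with AKIA.
    return access_key_id.startswith("ASIA")


def credential_lineage(events):
    """issued temp key -> (issuing key, issuance event), from STS issuance records.

    This is the 'parse and persist' step: AWS keeps no such list for you."""
    parents = {}
    for ev in events:
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] in STS_ISSUE_EVENTS:
            issued = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if issued:
                parents[issued] = (ev["userIdentity"]["accessKeyId"], ev)
    return parents


def lineage_chain(access_key_id, parents):
    """Walk a temp key back to the credential that started its chain (most recent first)."""
    chain, seen = [access_key_id], {access_key_id}
    while chain[-1] in parents and parents[chain[-1]][0] not in seen:
        issuer = parents[chain[-1]][0]
        chain.append(issuer)
        seen.add(issuer)
    return chain


def describe_hop(ev):
    # Name the STS call that produced a token, with the role for AssumeRole.
    if ev["eventName"] == "AssumeRole":
        return "AssumeRole(" + ev["requestParameters"]["roleArn"].rsplit("/", 1)[-1] + ")"
    return ev["eventName"]


def temp_credential_usage(events):
    """Every non-STS API call made with an ASIA key, attributed to the key that
    started its chain. A root that is itself an ASIA key means the issuance is
    not in the logs you have: widen the search window rather than assume benign."""
    parents = credential_lineage(events)
    findings = []
    for ev in events:
        key = ev["userIdentity"]["accessKeyId"]
        if ev["eventSource"] == "sts.amazonaws.com" or not is_temporary(key):
            continue
        chain = lineage_chain(key, parents)
        findings.append({
            "eventTime": ev["eventTime"], "eventName": ev["eventName"],
            "bucket": ev.get("requestParameters", {}).get("bucketName"),
            "key": key, "root_key": chain[-1],
            "root_is_long_lived": not is_temporary(chain[-1]),
            "path": [describe_hop(parents[k][1]) for k in chain[:-1]],
        })
    return findings


if __name__ == "__main__":
    for f in temp_credential_usage(SAMPLE_EVENTS):
        print(f["eventTime"], f["eventName"], f["bucket"], "via",
              " <- ".join(f["path"]) or "(issuance not in logs)", "root:", f["root_key"])
```

The GetObject finding resolves to the long-lived key, which is what the remediation actually has to delete; the PutObject finding has no recorded parent, and that gap is itself the signal to look further back in CloudTrail (remember the delivery latency from the previous slide) before deciding who owns that token.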
Defender Viewpoint: Temp Tokens
(Diagram: attacker generates temp token B, uses AssumeRole JenkoBucketRole to get temp token B’, and reaches the S3 bucket; all keys/tokens belong to jenko_temp_user.)
Mitigate/Remediate:
1. Can’t delete a temp token
2. a) Restrict the role[1] b) Delete the user[2]
3. Update the remediation playbook
4. Revoke active sessions for the role[3]
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_access-keys-audit
[2] https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/
[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
Defender Viewpoint: Temp Tokens
(Diagram: attacker generates temp token B, uses AssumeRole JenkoBucketRole to get temp token B’, and reaches the S3 bucket; all keys/tokens are generated from jenko_temp_user, whose policies set the max perms.)
Prevention:
GetSessionToken
1. Can’t prevent[1]
2. Can’t MFA-protect
3. Can’t use IAM permissions boundaries
AssumeRole
4. Can restrict
5. Can revoke active sessions for the role[2]
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_enable-create.html
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
RED
• Generate temp credentials for backdoor access
• Combine temp credentials with presigned URLs, Lambdas, attacks on logging
• Consider Lambdas as a means to persist temp credentials
• Assess whether logging/alerting for temp credentials is being done
BLUE
• Plan ASAP
  • manage temp token usage, especially remediation/recovery
• Prevention
  • lock down access keys (aws:SourceIp / aws:SourceVpc[1] / MFA)
  • isolate temp token usage in separate accounts
  • service-only IAM users in separate accounts
  • minimal privileges for AssumeRole and PassRole
• Detection
  • alert on GetSessionToken
  • alert on temp tokens (ASIA*)
  • harden CloudTrail/CloudWatch/SIEM
  • AWS Config (IAM, Lambda)
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
BLUE
• Mitigation/Remediation
  • review/revise the remediation playbook
  • do not use GetSessionToken, use AssumeRole
  • maybe don’t use temp tokens at all... permanent access keys
  • use revoke active sessions for the role (aws:TokenIssueTime[1])
  • create/test a recovery plan for compromised temp tokens
  • AWS Config (IAM, Lambda)
• Provisioning/Inventory
  • track temp tokens that are created in a datastore
  • use wrapper code for custom apps that need temp tokens
  • for AWS-generated tokens (IoT, AssumeRole) you have to parse logs
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
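The two policy conditions the Prevention slide and the BLUE slides lean on, revoking active role sessions with aws:TokenIssueTime and locking down a user's access keys with aws:SourceIp plus MFA, as one added worked example that is not code from the talk. It builds both policy documents in the form AWS documents for them and runs them through a small evaluator that mirrors only the documented semantics of the three operators used (DateLessThan, NotIpAddress, BoolIfExists); it is not the IAM policy evaluator. The cutoff time, IP ranges and request contexts are constructed to replay the S3 scenario.

```python
"""IAM condition keys used against temp tokens, exercised offline.

Added example, not from the talk. revoke_older_sessions_policy() is the deny
policy the console attaches to a role when you revoke its sessions;
lockdown_policy() is the usual source-IP / MFA deny pair for an IAM user.
_condition_matches() implements just the three operators those policies use;
request contexts below are constructed.
"""
import ipaddress
from datetime import datetime, timezone


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def revoke_older_sessions_policy(cutoff_iso):
    # Every session whose token was issued before the cutoff is denied everything.
    # Long-lived keys carry no aws:TokenIssueTime, so this never touches key A.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}}}]}


def lockdown_policy(allowed_cidrs):
    # Deny calls from outside the allowed ranges, and deny calls made without MFA.
    # BoolIfExists is what makes the MFA deny also hit long-lived keys, whose
    # requests carry no aws:MultiFactorAuthPresent key at all.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def _condition_matches(operator, key, expected, ctx):
    present = key in ctx
    if operator == "BoolIfExists":      # ...IfExists: a key absent from the request matches
        return (not present) or str(ctx[key]).lower() == str(expected).lower()
    if not present:                     # other operators: an absent key never matches
        return False
    if operator == "DateLessThan":
        return _ts(ctx[key]) < _ts(expected)
    if operator == "NotIpAddress":
        ip = ipaddress.ip_address(ctx[key])
        ranges = expected if isinstance(expected, list) else [expected]
        return not any(ip in ipaddress.ip_network(r) for r in ranges)
    raise NotImplementedError(operator)   # only the operators used above are modelled


def is_denied(policy, ctx):
    """True if any Deny statement has all of its conditions satisfied by ctx."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if all(_condition_matches(op, k, v, ctx)
               for op, kv in st.get("Condition", {}).items() for k, v in kv.items()):
            return True
    return False


# Constructed request contexts for the talk's scenario.
CUTOFF = "2019-09-13T09:00:00Z"                       # when the defender revoked sessions
REVOKE = revoke_older_sessions_policy(CUTOFF)
LOCKDOWN = lockdown_policy(["203.0.113.0/24"])

ATTACKER_SESSION = {"aws:TokenIssueTime": "2019-09-13T01:05:00Z",   # temp token B'
                    "aws:SourceIp": "198.51.100.7", "aws:MultiFactorAuthPresent": "false"}
REASSUMED_SESSION = {"aws:TokenIssueTime": "2019-09-13T09:30:00Z",  # attacker ran AssumeRole again
                     "aws:SourceIp": "198.51.100.7", "aws:MultiFactorAuthPresent": "false"}
LONG_LIVED_KEY = {"aws:SourceIp": "198.51.100.7"}      # key A itself: no issue time, no MFA key
OFFICE_MFA = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "true",
              "aws:TokenIssueTime": "2019-09-13T10:00:00Z"}

if __name__ == "__main__":
    for name, ctx in [("attacker B'", ATTACKER_SESSION), ("re-assumed", REASSUMED_SESSION),
                      ("key A", LONG_LIVED_KEY), ("office+MFA", OFFICE_MFA)]:
        print(f"{name:12} revoke-denied={is_denied(REVOKE, ctx)} lockdown-denied={is_denied(LOCKDOWN, ctx)}")
```

Two things the run makes concrete. Revoking sessions only cuts tokens issued before the cutoff: as long as the attacker still holds access key A and the role's trust policy still lets the user assume it, a fresh AssumeRole after the revocation is not denied, which is why the slides pair revocation with deleting the key or the user. And the lockdown policy applies equally to a temp token B obtained with GetSessionToken, because that token inherits the user's policies, so even though GetSessionToken itself cannot be blocked, what its output can do is still governed by the same conditions. The source-IP deny has a known side effect worth checking before you attach it: calls made through VPC endpoints carry no public aws:SourceIp, and AWS services calling on the user's behalf arrive from their own addresses, which is the case the aws:SourceVpc condition referenced in the BLUE slide is for.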
(Diagram: the same five-step S3 attack scenario.)
Never… we have #1 and #3 locked down…
Services that work with Temp Credentials (AssumeRole)
(Screenshots of the service table, several pages.)
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
Services that work with Temp Credentials (AssumeRole)
(Diagram: AWS IoT example. The attacker holds a device’s X.509 certificate, GETs the IoT credentials provider endpoint with it, and receives a temp token for the role behind the role alias, assumed via AWS STS.)
curl --cert cert.pem --key private.key -H "x-amzn-iot-thingname: vacuum-iot-thing" --cacert AmazonRootCA1.pem https://d6juort4q58376.credentials.iot.us-east-2.amazonaws.com/role-aliases/IoTRoleAlias/credentials
Attack Scenario: EC2 (authenticated)
(Diagram: attacker, AWS STS, EC2 and an S3 bucket, five numbered steps.)
• Attacker holds compromised access key A.
• Escalate privileges with compromised access key A: PassRole and RunInstances to launch an EC2 instance with a role, then read the role’s temp token from the metadata service.
• Access the S3 bucket with the temp token.
• Data exfiltration.
Metadata Service:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  …
  "AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  …
  "Expiration" : "2017-05-17T15:09:54Z"
}
Attack Scenario: EC2 (network)
(Diagram: attacker, EC2, AWS STS and an S3 bucket, four numbered steps.)
1. Attacker exploits a network service on the EC2 instance.
2. Reads the instance role’s temp token from the metadata service.
3. Accesses the S3 bucket with the temp token.
4. Data exfiltration.
Metadata Service: same call and response as in the authenticated scenario above.
Mitigation
Active Defense - Dynamically Locking AWS Credentials to Your Environment
Netflix: https://medium.com/swlh/active-defense-dynamically-locking-aws-credentials-to-your-environment-47a9c920e704
What’s the big deal?
• Doesn’t this boil down to: “Don’t be stupid about security and don’t allow GetSessionToken.”
• Temporary access keys ~ permanent keys
• Except
  • AssumeRole is ubiquitous and EC2 privilege attacks leverage this
  • Any “user” can create temporary access keys (GetSessionToken) and you can’t stop it
  • What if sudo returned a temporary username/password?
• Surface area
  • Blue techniques for prevention, detection, mitigation/remediation and provisioning/inventory of temp keys are different enough that you need to review them => complicated, different, distracting, and bad.
  • Red techniques using temp keys make prevention, detection, mitigation/remediation and provisioning/inventory more complicated and confusing at a minimum => different, distracting, and an opportunity.
Generalized Approach
(Table: attacker tactics across the columns, with the techniques from this talk and the defender’s prevent/detect/mitigate options under them. Cells are listed left to right in column order; empty cells are omitted.)
ATTACKER
Tactics[1]: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | C2 | Exfiltration | Impact
Techniques: Stolen credentials in cloud (e.g. GitHub, Pastebin) | GetSessionToken | AssumeRole <elevated role> | Use temp tokens | Copy temporary credentials from privilege escalation | <many> | AssumeRole <any role> | Bucket object copy / replication | Destroy buckets or objects
DEFENDER
Prevent: IP/VPC whitelist, MFA | n/a | IP/VPC whitelist role policy conditions | IP/VPC whitelist role policy conditions, metadata proxy with secret header | MFA | MFA
Detect: Filter on failed auth | Filter on GetSessionToken | Anomaly detection / UBA? | Filter on “ASIA*” and GetSessionToken | Filter on API calls, correlate, UBA | Anomaly detection / UBA? | Anomaly detection / UBA?
Mitigate/Remediate: Delete and recreate user using CFT (CloudFormation template) | Delete and recreate user using CFT | Revoke role sessions, conditions | Revoke role sessions, conditions
[1] MITRE ATT&CK: https://attack.mitre.org
Thank you
Slides: https://drive.google.com/file/d/1E7-WV9wLEZ8IGRZGhE6BAyrUCcbR9yd4/view?usp=sharing
jhwong@netskope.com
@jenkohwong
