DevSecOpsIndonesia
Cloud Vulnerabilities & Its Threats
Ari Apridana - 14 November 2019
About Me
- Ari Apridana
- IT Security Engineer at Tiket.com
- https://www.linkedin.com/in/ariapridana/
Cloud is Everywhere
Benefits of Cloud Computing
- Flexibility
- Better Collaboration
- Almost Unlimited Storage
- No Need to Guess Capacity
- Better Backup & Recovery
- Easy to Access
- Cost Efficiency
- Scalability
- Security ????
Overview of AWS Services
IAM (Identity & Access Management)
Source: https://www.cloudberrylab.com/resources/blog/aws-iam-policy/
IAM (Identity & Access Management)
IAM roles can be attached to EC2 instances
Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
OK. How about the security?
Data Breaches due to Cloud Misconfiguration #1
Data Breaches due to Cloud Misconfiguration #2
Data Breaches due to Cloud Misconfiguration #3
Cloud Configuration is a Major Security Risk
93 % are concerned about a major security breach due to misconfiguration
Source: Fugue Security
Cloud Configuration is a Major Security Risk
Misconfiguration types (survey percentages shown: 66 %, 42 %, 51 %, 59 %):
- IAM
- Security Group Rules
- Storage Access Policy
- Encryption
Source: Fugue Security
Instance Metadata: another target for attackers
http://169.254.169.254/latest/meta-data/iam/security-credentials/
● Only accessible from EC2 instances
Be Aware: Hackers Monitor Your Organization
- S3 Misconfiguration
- IAM Misconfiguration
- EC2 Misconfiguration
- Security Group Misconfiguration
- Lambda Misconfiguration
- Roles Policy Misconfiguration
- RDS Misconfiguration
Who is responsible for security?
Of course, it's "Shared Responsibility"
Customers and Provider both own a part of Security
Shared Responsibility Model
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
What are the vulnerabilities and threats?
Common Misconfigurations & Threats
1. Service & Application Vulnerability
2. AWS API Key Leak
3. IAM Privilege Escalation
4. Security Group Publicly Accessible
Labs for Cloud Exploitation
1. http://flaws.cloud/
2. https://github.com/RhinoSecurityLabs/cloudgoat
3. etc
Case 1 : Service & Application Vulnerability
1. Abusing AWS Metadata using Reverse Proxy Misconfiguration
2. Abusing AWS Metadata using SSRF Vulnerability
Case 1 : Abusing AWS Metadata using Reverse Proxy Misconfiguration - Topology
Attacker -> misconfigured proxy on the Web Server (EC2) -> Instance Metadata (http://169.254.169.254/) -> Sensitive S3 Bucket
Case 1 : Abusing AWS Metadata using Reverse Proxy Misconfiguration - Scenario
1. Start EC2 instance
2. Exploit misconfigured reverse proxy to query EC2 Instance Metadata
3. Assume attached EC2 Instance Profile
4. List S3 buckets & get sensitive S3 bucket data
Case 1 : Abusing AWS Metadata using Proxy Misconfiguration - Nginx Reverse Proxy
Case 1 : Abusing AWS Metadata using Proxy Misconfiguration - DEMO
Case 1 : Abusing AWS Metadata using SSRF Vulnerability
Attacker -> SSRF vulnerability in the application (EC2) -> Instance Metadata (http://169.254.169.254/) -> Sensitive S3 Bucket
Case 1 : Abusing AWS Metadata using Proxy Misconfiguration - Scenario
1. Start EC2 instance
2. Exploit misconfigured reverse proxy to query EC2 Instance Metadata
3. Assume attached EC2 Instance Profile
4. List S3 buckets & get sensitive S3 bucket data
Case 1 : Abusing AWS Metadata using SSRF Vulnerability - DEMO
Mitigation : Service & Application Vulnerability
1. Secure your service & application (refer to OWASP & NIST)
2. For IAM, use least privilege
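Least privilege limits what stolen instance-profile credentials can do; detecting their use is the other half. The following is an added example, not part of the talk: it scans constructed CloudTrail-shaped records for sessions of an EC2 instance role (the role name WebServerRole and the egress range 198.51.100.0/24 are assumptions) that call AWS from an address the instances never use, which is what credentials pulled from the metadata endpoint through a proxy or SSRF look like once replayed.

```python
import ipaddress

# Public addresses from which the organisation's EC2 instances legitimately
# reach AWS APIs (constructed example values: use your own NAT/EIP ranges).
TRUSTED_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Roles that exist only as EC2 instance profiles (assumed role name).
INSTANCE_PROFILE_ROLES = {"WebServerRole"}


def _role_event(name, ip, role):
    """Build a constructed CloudTrail record for a call made with role credentials."""
    return {"eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": role}}}}


# Constructed sample log: the second record is the replay of credentials read
# from http://169.254.169.254/ by an attacker on their own host.
SAMPLE_EVENTS = [
    _role_event("ListBuckets", "198.51.100.10", "WebServerRole"),
    _role_event("GetObject", "203.0.113.77", "WebServerRole"),
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "budi"}},
]


def is_instance_role_session(event):
    """True when the call used temporary credentials of an EC2 instance profile."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("type") == "Role" and issuer.get("userName") in INSTANCE_PROFILE_ROLES


def suspicious_credential_use(events):
    """Return (eventName, sourceIPAddress, roleName) for instance-profile sessions
    used from outside TRUSTED_EGRESS, the trace that off-instance replay leaves."""
    hits = []
    for ev in events:
        if not is_instance_role_session(ev):
            continue
        try:
            ip = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # e.g. a service hostname when an AWS service made the call
        if not any(ip in net for net in TRUSTED_EGRESS):
            role = ev["userIdentity"]["sessionContext"]["sessionIssuer"]["userName"]
            hits.append((ev["eventName"], str(ip), role))
    return hits
```

The same rule applies to real CloudTrail by feeding it the `Records` array of each delivered log file; a wildcard egress range (any rule that trusts 0.0.0.0/0) makes the check useless.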
Case 2 : AWS API Key Leak
Case 2 : AWS API Key Leak - From GitHub
Mitigation: AWS API Key Leak
1. Don't store AWS keys directly in source code
2. Monitor your organization's public repositories
3. Better to restrict API calls to specific IP addresses
Case 3 : IAM Privilege Escalation
Using iam:SetDefaultPolicyVersion
1. Start with "Budi" IAM profile
2. Review previous versions of Budi's IAM policy
3. Use SetDefaultPolicyVersion to restore the full-admin policy version
4. Achieve full admin power
Note : Many IAM roles could lead to a privilege escalation attack; for more information:
https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
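The escalation needs two things at once: the active policy version lets its holder call iam:SetDefaultPolicyVersion, and an older, non-default version of the same policy is full admin. The following is an added audit check, not part of the talk or of Pacu, over constructed data shaped like IAM ListPolicyVersions / GetPolicyVersion output (the policy contents for "Budi" are assumed for the example).

```python
# Constructed sample shaped like IAM ListPolicyVersions / GetPolicyVersion output.
BUDI_POLICY_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": False,
     "Document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": True,
     "Document": {"Statement": [{"Effect": "Allow", "Resource": "*",
                                 "Action": ["s3:ListBucket", "iam:SetDefaultPolicyVersion"]}]}},
]

# Actions that let a principal switch the default version (exact names only;
# this check does not expand wildcards such as iam:Set*).
SWITCH_ACTIONS = {"iam:SetDefaultPolicyVersion", "iam:*", "*"}


def _as_list(value):
    """IAM accepts a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def grants_full_admin(document):
    """True if some Allow statement covers every action on every resource."""
    for stmt in _as_list(document.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False


def allowed_actions(document):
    """Union of actions in Allow statements (Deny statements are ignored here)."""
    actions = set()
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def dormant_admin_versions(versions):
    """Non-default versions that would hand out full admin if made default again."""
    return [v["VersionId"] for v in versions
            if not v["IsDefaultVersion"] and grants_full_admin(v["Document"])]


def escalation_risk(versions):
    """(risk, dormant_ids): risk is True when the default version can switch
    versions and a dormant admin version exists. Fix by deleting the dormant
    versions (iam:DeletePolicyVersion), not only by denying the switch action."""
    default = next(v for v in versions if v["IsDefaultVersion"])
    can_switch = bool(SWITCH_ACTIONS & allowed_actions(default["Document"]))
    dormant = dormant_admin_versions(versions)
    return can_switch and bool(dormant), dormant
```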
Case 3 : IAM Privilege Escalation - DEMO
Mitigation: IAM Privilege Escalation
1. Use Pacu (open source AWS exploitation framework) to check for privilege escalation possibilities
https://github.com/RhinoSecurityLabs/pacu
2. Follow IAM best practices
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
3. Better to restrict API calls to specific IP addresses
Mitigation: IAM Privilege Escalation - Pacu
Mitigation: IAM Privilege Escalation - Pacu
Mitigation: IAM Privilege Escalation - Restrict Policy to Specific IP
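Restricting API calls to specific IP addresses is the mitigation the talk lists for both the leaked-key case and the privilege-escalation case. The following is an added example, not the talk's own policy: an explicit Deny with a NotIpAddress condition on aws:SourceIp, plus a small evaluator that mimics how IAM applies it, so a leaked key replayed from an address outside the assumed office ranges (198.51.100.0/24 and 203.0.113.8/32, constructed values) is refused while the same key from the office keeps working.

```python
import ipaddress

# Constructed example: CIDR blocks of the office / VPN egress from which use of
# an IAM user's access keys is legitimate. Adjust to your own ranges.
ALLOWED_CIDRS = ["198.51.100.0/24", "203.0.113.8/32"]

# Policy of the kind the slide describes. An explicit Deny always wins over an
# Allow, so a key that leaks to GitHub is useless from anywhere else. The Bool
# clause on the condition key aws:ViaAWSService exempts calls that AWS services
# make on the principal's behalf, which arrive from AWS-owned addresses.
RESTRICT_TO_IP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ALLOWED_CIDRS},
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }],
}


def statement_denies(stmt, source_ip, via_aws_service=False):
    """Evaluate one Deny statement the way IAM does: every condition block must
    match before the statement applies to the request."""
    if stmt["Effect"] != "Deny":
        return False
    cond = stmt.get("Condition", {})
    ip = ipaddress.ip_address(source_ip)
    allowed = [ipaddress.ip_network(c)
               for c in cond.get("NotIpAddress", {}).get("aws:SourceIp", [])]
    if allowed and any(ip in net for net in allowed):
        return False  # caller is inside an allowed range: NotIpAddress not met
    via_flag = cond.get("Bool", {}).get("aws:ViaAWSService")
    if via_flag is not None and str(via_aws_service).lower() != via_flag:
        return False  # request came via an AWS service: Bool condition not met
    return True


def request_allowed(policy, source_ip, via_aws_service=False):
    """False when any statement denies the request. Other policies' Allows still
    decide the rest, so this only answers whether the key is usable from here."""
    return not any(statement_denies(s, source_ip, via_aws_service)
                   for s in policy["Statement"])
```

Attach such a policy to the IAM user (or group) whose keys must never work off-site; it does not help for roles whose sessions legitimately originate inside AWS unless their VPC egress addresses are in the list.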
Case 4 : Security Group (VPC) Publicly Accessible - MongoDB
Many MongoDB instances with no auth are accessible from the public internet
Case 4 : Security Group (VPC) Publicly Accessible - MongoDB
Case 4 : Security Group (VPC) Publicly Accessible - Elasticsearch
Many Elasticsearch databases with no auth are accessible from the public internet
Case 4 : Security Group (VPC) Publicly Accessible - Elasticsearch
Mitigation : Security Group (VPC) Publicly Accessible
1. Use proper Security Group (VPC) configuration
2. Monitor your public IPs
3. Use CloudTrail to audit resource configuration
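A "proper Security Group configuration" check can be automated. The following is an added example, not from the talk: it walks data shaped like the output of ec2 describe-security-groups (the groups below are constructed) and reports every rule that exposes the MongoDB (27017) or Elasticsearch (9200) default port to the whole internet, including the two ways that is easy to miss: an IPv6 ::/0 range next to a private IPv4 range, and an all-protocols ("-1") rule that has no port fields at all.

```python
import ipaddress

# Default ports of the two datastores the slides show exposed without auth.
DATASTORE_PORTS = {27017: "MongoDB", 9200: "Elasticsearch"}

# Constructed sample, shaped like ec2 describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "mongo-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "es-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],      # looks private...
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},       # ...but open over IPv6
    {"GroupId": "sg-0ccc", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def rule_is_world_open(perm):
    """True if any IPv4 or IPv6 range in the rule is a /0 (the whole internet)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def rule_covers_port(perm, port):
    """True if the rule admits TCP traffic to `port`; "-1" means all protocols
    and all ports, and such rules carry no FromPort/ToPort at all."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def public_datastore_exposures(groups):
    """Return (GroupId, port, service) for each world-open datastore port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            for port, service in DATASTORE_PORTS.items():
                if rule_covers_port(perm, port):
                    findings.append((group["GroupId"], port, service))
    return findings
```

In a real account the input is `describe_security_groups()["SecurityGroups"]` from boto3; a finding is only safe to ignore when the datastore itself enforces authentication and TLS, which the slides show is often not the case.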
Tool Options for Cloud Monitoring - Security Monkey
Tool Options for Cloud Monitoring - ScoutSuite
Conclusion
It's not only about which cloud provider you have,
but how well you optimize the security within it.
Thank you. Any questions?
