xebia.com
Michał Brygidyn
AWS Ambassador
AWS Community Builder
Cloud Hacking Scenarios
ContainerDay Security 2023
Hamburg – 8.03.2023
<HTML>
HTML – AWS

Step 1: Source code
1. Just view the source code :)
– Comments
– JavaScript

Step 2: AWS
─ Administrator Access :)
What went wrong?
Code, build, forget, repeat…
Sensitive data left in code
─ “for the next team to let them know how it works”
─ “because that’s how I use variables in my JavaScript”
GitHub
GitHub – Office 365 – Jira – AWS

Step 1: Public GitHub repo
1. Config file with encrypted variables
2. Java class with a decrypt function and... a secret key

Step 2: Office 365
1. Teams: “Hello CxO :)”
2. SharePoint: PDF with a Jira configuration guide... including login and password

Step 3: Jira
Project “AWS”:
─ Task to create IAM User for an external service
─ Plaintext AWS Access and Secret keys in comments

Step 4: AWS
─ Administrator Access :)
What went wrong?

Hardcoded sensitive data
─ Config files
─ Encryption keys
─ Git history

Lack of security awareness
─ Too many viewers
─ Valid credentials in documentation
─ Using own personal/business account in scripts

Bad tools selection
─ Public repository
─ Risky credentials sharing
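Both "What went wrong?" lists so far (keys left in HTML comments and JavaScript, and an "encrypted" config whose decryption key sits in a Java class in the same public repo) come down to secrets that a line-level scan of the tree would have caught before the push. The Python below is an added example written for this page, not tooling from the talk or from Xebia: the sample files, paths and rule names are constructed, and the AWS keys are the placeholder values from the AWS documentation, not live credentials.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "repository" (not code from the talk) with the three leak
# shapes from the HTML and GitHub scenarios. The AWS keys are the placeholder
# values from the AWS documentation, not live credentials.
SAMPLE_FILES: Dict[str, str] = {
    "public/index.html": (
        "<html><body>\n"
        "<!-- TODO for the next team: the upload widget signs requests with\n"
        "     AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -->\n"
        "<script>\n"
        '  var awsSecretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";\n'
        '  var bucket = "assets-prod";\n'
        "</script>\n"
        "</body></html>\n"
    ),
    "src/main/resources/config.properties": (
        "db.password=ENC(3q2+7w==)\n"
        "aws.secret=ENC(k0Dz9A==)\n"
    ),
    "src/main/java/ConfigCrypto.java": (
        "import javax.crypto.spec.SecretKeySpec;\n"
        "public class ConfigCrypto {\n"
        "    // decrypts the ENC(...) values from config.properties\n"
        "    private static final SecretKeySpec KEY =\n"
        '        new SecretKeySpec("SuperSecretKey16".getBytes(), "AES");\n'
        "}\n"
    ),
    "README.md": "Run `mvn package` and deploy the jar.\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    match: str


# Documented AWS access key id shape: AKIA (long-term) or ASIA (temporary) + 16 chars.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-ish characters with no fixed prefix, so a bare
# 40-char token is reported only when the same line also carries an access key id
# or the word "secret"; that keeps hashes and asset digests out of the report.
SECRET_TOKEN = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_HINT = re.compile(r"(?i)secret")
LINE_RULES = [
    ("aws_access_key_id", ACCESS_KEY_ID),
    # javax.crypto SecretKeySpec built from a string literal: the key is in git
    ("hardcoded_symmetric_key",
     re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\.getBytes\(')),
    ("encrypted_config_value", re.compile(r"\bENC\([A-Za-z0-9+/=]+\)")),
]


def scan_text(path: str, text: str) -> List[Finding]:
    """Line-oriented scan of one file; works the same on HTML, JS, Java or .properties."""
    found: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in LINE_RULES:
            found.extend(Finding(path, lineno, rule, m.group(0)) for m in rx.finditer(line))
        if ACCESS_KEY_ID.search(line) or SECRET_HINT.search(line):
            found.extend(Finding(path, lineno, "aws_secret_access_key", m.group(0))
                         for m in SECRET_TOKEN.finditer(line))
    return found


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a tree and add the cross-file finding from the GitHub scenario:
    ENC(...) values are worthless when the decryption key sits in the same repo."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    rules = {f.rule for f in findings}
    if {"encrypted_config_value", "hardcoded_symmetric_key"} <= rules:
        key_file = next(f.path for f in findings if f.rule == "hardcoded_symmetric_key")
        findings.append(Finding(key_file, 0, "key_committed_with_ciphertext",
                                "ENC(...) values and SecretKeySpec literal in one tree"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.rule}  {f.match}")
```

Run it over a checkout by reading every path from `git ls-files` into the dict; to cover the "Git history" item, run the same `scan_text` over the output of `git log -p`, because a secret deleted in a later commit is still one `git show` away.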
Symfony Profiler
Symfony Profiler – Internal Apps – AWS

Step 1: Symfony Profiler
A publicly available development tool:
─ Plaintext credentials in Server Parameters
─ Plaintext credentials in Requests history
─ parameters.yml preview

Step 2: Internal app
1. Admin credentials:
─ Dev Environment
─ Prod Environment
2. SSO to multiple apps:
─ Production CRM
─ Webmail

Step 3: Webmail
1. AWS Invoices & Trusted Advisor emails
2. Reset password for AWS Root account

Step 4: AWS Root Account
─ No MFA
─ Organization Management Account
─ Administrator Access on all member accounts :)
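Step 1 of this chain is a Symfony profiler reachable from the internet. The check below is an added example, not code from the talk: it probes the routes WebProfilerBundle serves in the dev environment and pulls `user:password@host` DSNs such as DATABASE_URL out of any page that answers 200, which is exactly what the Server Parameters panel shows. The body markers, the host dev.example.test and the canned responses are assumptions and constructed data; a live run uses the urllib fetcher.

```python
import re
import sys
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

Fetcher = Callable[[str], Tuple[int, str]]

# Routes WebProfilerBundle serves in the dev environment; /app_dev.php is the
# Symfony 2/3 dev front controller. A 200 from the public internet is a finding.
PROFILER_PATHS = [
    "/_profiler/",
    "/_profiler/latest",
    "/_profiler/search",
    "/_profiler/phpinfo",
    "/app_dev.php/_profiler/",
]
# Body markers are assumptions about the rendered HTML; tune them per version.
MARKERS = {
    "profiler_ui": "Symfony Profiler",
    "server_parameters": "Server Parameters",
    "phpinfo": "PHP Version",
}
# user:password@host inside a DSN such as DATABASE_URL, as shown by the profiler.
DSN_WITH_PASSWORD = re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s]+:([^@\s]+)@")


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetch returning (status, body); status 0 means no HTTP answer at all."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "profiler-check"}), timeout=timeout) as r:
            return r.status, r.read(200_000).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return 0, ""


def check_profiler(base_url: str, fetch: Fetcher = http_fetch) -> List[Dict]:
    """One finding per profiler route that answers 200, with the panels and the
    DSN passwords visible in the body."""
    base = base_url.rstrip("/")
    findings = []
    for path in PROFILER_PATHS:
        status, body = fetch(base + path)
        if status != 200:
            continue
        findings.append({
            "path": path,
            "panels": [name for name, needle in MARKERS.items() if needle in body],
            "leaked_passwords": [m.group(1) for m in DSN_WITH_PASSWORD.finditer(body)],
        })
    return findings


# Constructed responses for an exposed dev deployment; no host is contacted.
SAMPLE_SITE = {
    "/_profiler/": (200, "<html><head><title>Symfony Profiler</title></head><body>...</body></html>"),
    "/_profiler/latest": (200, "<title>Symfony Profiler</title><h3>Server Parameters</h3>"
                               "<tr><td>DATABASE_URL</td><td>mysql://app:S3cretPass@db.internal:3306/prod</td></tr>"),
    "/_profiler/search": (200, "<title>Symfony Profiler</title><form>...</form>"),
    "/_profiler/phpinfo": (403, ""),
    "/app_dev.php/_profiler/": (404, ""),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_SITE.get(url.replace("https://dev.example.test", "", 1), (404, ""))


if __name__ == "__main__":
    # usage: python3 profiler_check.py https://host   (no argument: run on the sample)
    if len(sys.argv) > 1:
        results = check_profiler(sys.argv[1])
    else:
        results = check_profiler("https://dev.example.test", sample_fetch)
    for f in results:
        print(f["path"], f["panels"], "passwords:", f["leaked_passwords"])
```

The fix is not a firewall rule in front of /_profiler but not shipping it: in Symfony 4 and later the bundle is registered only for the dev and test environments in config/bundles.php and the profiler is off with APP_ENV=prod and APP_DEBUG=0; on Symfony 2/3, web/app_dev.php must not be deployed at all.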
What went wrong?

Prod data on a non-prod env
─ Prod database on a non-prod
─ Same credentials across multiple environments
─ A single cloud subscription for all envs / apps / clients

No MFA
─ Not enforced
─ Shared credentials

Critical services using the same shared email
─ “All for one, and one for all”
─ Shared account/password
─ Very old passwords
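The "No MFA" and "Very old passwords" items are all visible in one artefact, the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d > report.csv`). The parser below is an added example, not code from the talk: the rows are constructed in the report's documented column layout with a made-up account id, and the reference date for the stale checks is the talk date.

```python
import csv
import sys
from datetime import datetime, timedelta, timezone
from io import StringIO
from typing import List, Optional, Tuple

# Constructed rows in the column layout of `aws iam get-credential-report`;
# the account id and user names are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2017-03-01T10:00:00+00:00,not_supported,2023-02-20T08:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::111111111111:user/admin,2017-03-01T10:05:00+00:00,true,2023-03-01T09:00:00+00:00,2017-03-01T10:05:00+00:00,N/A,false,true,2017-03-01T10:06:00+00:00,2023-03-01T09:30:00+00:00,eu-central-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-11-10T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-11-10T00:00:00+00:00,2023-03-07T22:00:00+00:00,eu-central-1,lambda,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-06-01T00:00:00+00:00,true,2023-03-06T07:00:00+00:00,2023-01-15T00:00:00+00:00,2023-04-15T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _ts(value: str) -> Optional[datetime]:
    """Report timestamps are ISO 8601; N/A, not_supported and no_information mean none."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv: str, now: datetime,
                            max_age_days: int = 90) -> List[Tuple[str, str]]:
    """(user, issue) pairs: root without MFA or with keys, console users without
    MFA, passwords and access keys older than max_age_days."""
    findings: List[Tuple[str, str]] = []
    limit = now - timedelta(days=max_age_days)
    for row in csv.DictReader(StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            if not has_mfa:
                findings.append((user, "root_without_mfa"))
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root_access_key_active"))
            continue
        if row["password_enabled"] == "true":
            if not has_mfa:
                findings.append((user, "console_user_without_mfa"))
            changed = _ts(row["password_last_changed"])
            if changed and changed < limit:
                findings.append((user, "stale_password"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = _ts(row[f"access_key_{n}_last_rotated"])
                if rotated and rotated < limit:
                    findings.append((user, f"stale_access_key_{n}"))
    return findings


if __name__ == "__main__":
    # usage: python3 iam_audit.py report.csv   (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for user, issue in audit_credential_report(text, datetime.now(timezone.utc)):
        print(f"{user:20} {issue}")
```

The report cannot see the other half of this chain, the root e-mail address: whether that mailbox is a shared webmail account reachable with SSO from an internal app is something to verify by hand, together with the Organization management account's contact details.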
Kubernetes
Kubernetes – Jenkins – AWS

Step 1: Kubernetes API
A publicly exposed Kubernetes API with disabled RBAC:
─ Base64 Secrets
─ Plaintext ConfigMaps
─ Pods list and configuration

Step 2: K8s Secrets
1. AWS Access Keys:
─ S3 access only
2. Jenkins admin credentials

Step 3: Jenkins app
1. AWS Access Keys in different Workspaces:
─ SQS access
─ Lambda access
2. GitHub credentials in Jenkins Credentials
3. AWS CLI calls in jobs console logs

Step 4: kubectl exec
Bash on Jenkins pod:
─ AWS IAM Role with Administrator Access :)
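With RBAC off (or anonymous auth left on), `GET /api/v1/secrets` and `GET /api/v1/pods` hand over everything step 1 lists. The script below is an added example, not code from the talk: it does what an attacker does with that output and what a defender should do first, namely decode the base64 `data`, tag values that look like AWS keys or credentials, and map each Secret to the pods that consume it via env, envFrom or a volume (the "Pods list and configuration" item). The objects are constructed in the API's shape; the AWS keys are AWS documentation placeholders. Feed it the output of `kubectl get secrets -A -o json` and `kubectl get pods -A -o json`.

```python
import base64
import json
import re
import sys
from typing import Dict, List

# Documented AWS access key id shape (AKIA long-term, ASIA temporary).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
CREDENTIAL_KEY_NAME = re.compile(r"(?i)pass(word)?|secret|token|api[_-]?key")


def b64(text: str) -> str:
    """Encode the way the API stores Secret.data (only used to build the sample)."""
    return base64.b64encode(text.encode()).decode()


# Constructed objects in the shape of GET /api/v1/secrets and GET /api/v1/pods;
# not from any real cluster, and the AWS keys are documentation placeholders.
SECRET_LIST = {"kind": "SecretList", "items": [
    {"metadata": {"namespace": "apps", "name": "s3-uploader"}, "type": "Opaque",
     "data": {"AWS_ACCESS_KEY_ID": b64("AKIAIOSFODNN7EXAMPLE"),
              "AWS_SECRET_ACCESS_KEY": b64("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")}},
    {"metadata": {"namespace": "ci", "name": "jenkins-admin"}, "type": "Opaque",
     "data": {"username": b64("admin"), "password": b64("Jenkins!2023")}},
    {"metadata": {"namespace": "ci", "name": "jenkins-sa-token"},
     "type": "kubernetes.io/service-account-token",
     "data": {"token": b64("eyJhbGciOiJSUzI1NiJ9.constructed.token")}},
]}
POD_LIST = {"kind": "PodList", "items": [
    {"metadata": {"namespace": "ci", "name": "jenkins-0"},
     "spec": {"containers": [{"name": "jenkins", "image": "jenkins/jenkins:lts",
                              "envFrom": [{"secretRef": {"name": "jenkins-admin"}}]}],
              "volumes": [{"name": "sa", "secret": {"secretName": "jenkins-sa-token"}}]}},
    {"metadata": {"namespace": "apps", "name": "uploader-7d9f"},
     "spec": {"containers": [{"name": "app", "image": "registry.internal/uploader:1.4",
                              "env": [{"name": "AWS_ACCESS_KEY_ID", "valueFrom": {
                                  "secretKeyRef": {"name": "s3-uploader", "key": "AWS_ACCESS_KEY_ID"}}}]}]}},
]}


def decode_secrets(secret_list: dict) -> List[dict]:
    """Base64 is encoding, not encryption: every value comes back in plaintext."""
    out = []
    for item in secret_list.get("items", []):
        meta = item["metadata"]
        values = {k: base64.b64decode(v).decode("utf-8", "replace")
                  for k, v in (item.get("data") or {}).items()}
        out.append({"secret": f"{meta['namespace']}/{meta['name']}",
                    "type": item.get("type", "Opaque"), "values": values})
    return out


def classify(secret: dict) -> List[str]:
    tags = []
    if secret["type"] == "kubernetes.io/service-account-token":
        tags.append("service_account_token")
    if any(AWS_KEY_ID.search(v) for v in secret["values"].values()):
        tags.append("aws_access_key")
    if any(CREDENTIAL_KEY_NAME.search(k) for k in secret["values"]):
        tags.append("credential_key_name")
    return tags


def secret_consumers(pod_list: dict) -> Dict[str, List[str]]:
    """namespace/secret -> pods that receive it via env, envFrom or a volume."""
    users: Dict[str, List[str]] = {}
    for pod in pod_list.get("items", []):
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        spec = pod.get("spec", {})
        refs = set()
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for env in c.get("env", []):
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    refs.add(ref["name"])
            for src in c.get("envFrom", []):
                if "secretRef" in src:
                    refs.add(src["secretRef"]["name"])
        for vol in spec.get("volumes", []):
            if "secret" in vol:
                refs.add(vol["secret"]["secretName"])
        for ref in refs:
            users.setdefault(f"{ns}/{ref}", []).append(f"{ns}/{name}")
    return users


def report(secret_list: dict, pod_list: dict) -> List[dict]:
    consumers = secret_consumers(pod_list)
    return [{"secret": s["secret"], "tags": classify(s), "keys": sorted(s["values"]),
             "consumers": sorted(consumers.get(s["secret"], []))}
            for s in decode_secrets(secret_list)]


if __name__ == "__main__":
    # usage: python3 k8s_secrets.py secrets.json pods.json   (no arguments: the sample)
    if len(sys.argv) == 3:
        secrets, pods = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        secrets, pods = SECRET_LIST, POD_LIST
    for row in report(secrets, pods):
        print(f"{row['secret']:28} {','.join(row['tags']) or '-':45} used by {row['consumers'] or '-'}")
```

Whether anonymous callers get this far is a one-liner: `kubectl auth can-i --list --as=system:anonymous`. On the API server, `--anonymous-auth=false` and `--authorization-mode=Node,RBAC` close the door, and an EncryptionConfiguration for the `secrets` resource stops the same data being readable from an etcd backup.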
What went wrong?

Public resources
─ Lack of knowledge
─ Limited scope of penetration testing
─ Risky design

Principle of Least Privilege
─ Admin access for all!
─ Unprotected CI/CD tools
─ Running apps as Root

Disabled security features
─ No RBAC
─ Unencrypted data
─ No firewall
And more…
Slides still not ready :)
Other ways “in” – Examples
– Outdated software running on cloud servers (open proxy)
– Admin credentials logged during the installation
– Misconfigured vhosts → Directory indexing
– Debug pages and connection strings (Python Django)
AWS Backdoors
A small teaser of my next presentation
AWS Backdoors – Ideas

Group 1: EC2
- Create a public EC2 with IAM Role
- Add a local user to any running public EC2

Group 2: IAM User
- Create a new IAM User
- Create an additional access/secret key for any existing IAM User

Group 3: IAM Role
- Trust relation with an external account
- Create new policy version
- Replace a role for any service

Group 4: Network access
- Change / Remove Security Group rule(s)
- VPC Peering with a rogue external VPC
- Transit Gateway attachment
AWS Backdoors – Survival
Self-Healing / Detection prevention
― Lambda + CloudWatch / API Gateway / direct link
― Step Functions
― CodeBuild
― PowerUser + IAMFull instead of AdministratorAccess
― Same context (EC2 keys used on the EC2 only)
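Every backdoor idea in the four groups above, and the survival tricks on this slide, is a single CloudTrail management event. The detector below is an added example, not code from the talk: one rule per event name, returning a detail string when the request parameters match the backdoor pattern (a key minted for another user, a trust policy naming a foreign account, a policy version set as default, a PowerUser/IAMFull attachment, a security group opened to the world, peering to a foreign account, an EventBridge schedule that can re-create a Lambda backdoor). The events are constructed in CloudTrail's record shape with made-up account ids, and the group and rule names are assumptions for this page.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote

# Managed policies that hand out admin-equivalent power; the pair
# PowerUserAccess + IAMFullAccess is the "survival" trick from the slide.
BROAD_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}

def _p(ev: dict) -> dict:
    return ev.get("requestParameters") or {}

def foreign_principals(policy, account: str) -> List[str]:
    """AWS principals in a trust policy that are not this account (or are '*').
    CloudTrail carries policy documents as a JSON string, sometimes URL-encoded."""
    doc = policy if isinstance(policy, dict) else json.loads(unquote(policy))
    out = []
    for st in doc.get("Statement", []):
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in ([aws] if isinstance(aws, str) else aws):
            owner = arn.split(":")[4] if arn.startswith("arn:aws:iam::") else arn
            if owner != account:
                out.append(arn)
    return out

def open_to_world(params: dict) -> bool:
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        v4 = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return True
    return False

def _trust_change(ev: dict) -> Optional[str]:
    foreign = foreign_principals(_p(ev).get("policyDocument", "{}"), ev["recipientAccountId"])
    return f"{_p(ev).get('roleName')} now trusts {', '.join(foreign)}" if foreign else None

def _broad_attach(ev: dict) -> Optional[str]:
    arn = _p(ev).get("policyArn")
    target = _p(ev).get("roleName") or _p(ev).get("userName")
    return f"{arn.rsplit('/', 1)[-1]} attached to {target}" if arn in BROAD_POLICIES else None

# eventName -> (backdoor group from the slide, check returning a detail or a falsy value)
RULES: Dict[str, Tuple[str, Callable[[dict], object]]] = {
    "RunInstances": ("ec2", lambda ev: _p(ev).get("iamInstanceProfile") and "instance launched with an IAM role"),
    "CreateUser": ("iam_user", lambda ev: f"new IAM user {_p(ev).get('userName')}"),
    "CreateAccessKey": ("iam_user", lambda ev: _p(ev).get("userName") not in (None, ev["userIdentity"].get("userName"))
                        and f"extra access key for {_p(ev)['userName']}"),
    "UpdateAssumeRolePolicy": ("iam_role", _trust_change),
    "CreatePolicyVersion": 
        ("iam_role", lambda ev: _p(ev).get("setAsDefault") and f"new default version of {_p(ev).get('policyArn')}"),
    "AttachRolePolicy": ("iam_role", _broad_attach),
    "AttachUserPolicy": ("iam_role", _broad_attach),
    "ReplaceIamInstanceProfileAssociation": ("iam_role", lambda ev: "instance profile swapped on a running instance"),
    "AuthorizeSecurityGroupIngress":
        ("network", lambda ev: open_to_world(_p(ev)) and f"{_p(ev).get('groupId')} opened to 0.0.0.0/0 or ::/0"),
    "RevokeSecurityGroupIngress": ("network", lambda ev: f"rule removed from {_p(ev).get('groupId')}"),
    "CreateVpcPeeringConnection": ("network", lambda ev: _p(ev).get("peerOwnerId") not in (None, ev["recipientAccountId"])
                                   and f"peering with foreign account {_p(ev)['peerOwnerId']}"),
    "CreateTransitGatewayVpcAttachment": ("network", lambda ev: f"TGW attachment for {_p(ev).get('vpcId')}"),
    # survival: CloudTrail names the Lambda API with its version suffix
    "CreateFunction20150331": ("survival", lambda ev: f"lambda {_p(ev).get('functionName')} created"),
    "PutRule": ("survival", lambda ev: f"EventBridge rule {_p(ev).get('name')}: {_p(ev).get('scheduleExpression') or 'event pattern'}"),
}

def detect(events: List[dict]) -> List[dict]:
    hits = []
    for ev in events:
        group, check = RULES.get(ev.get("eventName"), (None, None))
        detail = check(ev) if check else None
        if detail:
            hits.append({"event": ev["eventName"], "group": group,
                         "by": ev["userIdentity"].get("userName"), "detail": detail})
    return hits

# Constructed CloudTrail-shaped records carrying only the fields the rules read.
def make_event(name: str, source: str, params: dict, caller: str = "alice", account: str = "111111111111") -> dict:
    return {"eventName": name, "eventSource": source, "requestParameters": params, "recipientAccountId": account,
            "userIdentity": {"type": "IAMUser", "userName": caller, "accountId": account}}

TRUST_EXTERNAL = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"}]})
SAMPLE_EVENTS = [
    make_event("CreateAccessKey", "iam.amazonaws.com", {"userName": "svc-backup"}),
    make_event("CreateAccessKey", "iam.amazonaws.com", {}),                     # own key: benign
    make_event("UpdateAssumeRolePolicy", "iam.amazonaws.com", {"roleName": "OrgAdmin", "policyDocument": TRUST_EXTERNAL}),
    make_event("CreatePolicyVersion", "iam.amazonaws.com", {"policyArn": "arn:aws:iam::111111111111:policy/ReadOnlyApp", "setAsDefault": True}),
    make_event("AttachUserPolicy", "iam.amazonaws.com", {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/PowerUserAccess"}),
    make_event("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", {"groupId": "sg-0a1b2c", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    make_event("CreateVpcPeeringConnection", "ec2.amazonaws.com", {"vpcId": "vpc-aaa", "peerVpcId": "vpc-bbb", "peerOwnerId": "999999999999"}),
    make_event("PutRule", "events.amazonaws.com", {"name": "keepalive", "scheduleExpression": "rate(5 minutes)"}),
    make_event("DescribeInstances", "ec2.amazonaws.com", {}),                   # noise: no rule
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['group']:8}] {hit['event']:32} by {hit['by']}: {hit['detail']}")
```

Point it at real records by iterating the `Records` array of a CloudTrail log file, or translate each rule into an EventBridge pattern on the CloudTrail event stream. Note that CloudTrail names Lambda's API `CreateFunction20150331` rather than `CreateFunction`, which is easy to miss when writing such rules by hand.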
Q&A
Thank you!
michal.brygidyn@xebia.com
linkedin.com/in/michalbrygidyn/
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 

Cloud Hacking Scenarios by Michał Brygidyn, Mar. 10, 2023

  • 2. xebia.com
     Michał Brygidyn, AWS Ambassador, AWS Community Builder
     Cloud Hacking Scenarios
     ContainerDay Security 2023, Hamburg – 8.03.2023
  • 4–7. HTML – AWS
     Step 1 – Source code: just view the source code :)
       – Comments
       – JavaScript
     Step 2 – AWS: Administrator Access :)
  • 8. What went wrong?
     Code, build, forget, repeat…
     Sensitive data left in code:
       ─ “for the next team to let them know how it works”
       ─ “because that’s how I use variables in my JavaScript”
  • 10–15. GitHub – Office 365 – Jira – AWS
     Step 1 – Public GitHub repo:
       1. Config file with encrypted variables
       2. Java class with a decrypt function and… a secret key
     Step 2 – Office365:
       1. Teams: “Hello CxO :)”
       2. SharePoint: PDF with a Jira configuration guide… including login and password
     Step 3 – Jira, project “AWS”:
       ─ Task to create IAM User for an external service
       ─ Plaintext AWS Access and Secret keys in comments
     Step 4 – AWS: Administrator Access :)
  • 16. What went wrong?
     Hardcoded sensitive data:
       ─ Config files
       ─ Encryption keys
       ─ Git history
     Lack of security awareness:
       ─ Too many viewers
       ─ Valid credentials in documentation
       ─ Using own personal/business account in scripts
     Bad tool selection:
       ─ Public repository
       ─ Risky credentials sharing
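A scanner for the hardcoded-secret findings above (config files, encryption keys, git history, and the GitHub scenario's "encrypted config plus decrypt key in the same repo" pairing), as an added example that is not part of the talk. The sample files are constructed; the AWS key values are the placeholders from AWS's own documentation.

```python
"""Scan a repository snapshot for the hardcoded secrets from the slides: AWS keys,
passwords, and the "encrypted config + decrypt key in the same repo" pairing.
Added example, not from the talk; the file contents are constructed and the AWS
key values are the placeholders from AWS's own documentation."""
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(r"(?i)secret[_-]?access[_-]?key\W*[=:]\W*[A-Za-z0-9/+=]{40}"),
    "password": re.compile(r"(?i)password\s*[=:]\s*\S{4,}"),
    # Jasypt-style ENC(...) or Spring {cipher} values: encrypted, but only as good as the key
    "encrypted_value": re.compile(r"ENC\(|\{cipher\}"),
    # the key that makes those values readable, committed next to them
    "key_material": re.compile(r"(?i)(?:secret|private|decrypt|encryption)[_\s]?key\s*=\s*['\"][^'\"]{8,}['\"]"),
}

def scan_text(path, text):
    """(path, line number, finding kind) for every line that matches a pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits.extend((path, lineno, kind) for kind, rx in PATTERNS.items() if rx.search(line))
    return hits

def scan_repo(files):
    """files: {path: content}.  Feed `git log -p --all` output through scan_text too:
    a secret removed in a later commit is still in the history (slide 16)."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits

def effectively_plaintext(hits):
    """The slide 10 scenario: encrypted config plus the decrypt key in the same repo."""
    kinds = {kind for _, _, kind in hits}
    return "encrypted_value" in kinds and "key_material" in kinds

SAMPLE_REPO = {  # constructed
    "config/app.properties": "db.user=app\ndb.password=ENC(ZmFrZS1jaXBoZXJ0ZXh0)\n",
    "src/main/java/Crypto.java": (
        "public class Crypto {\n"
        '  private static final String SECRET_KEY = "changeme-0123456789";\n'
        "  static String decrypt(String s) { return s; }  // body elided\n}\n"),
    "deploy/env.sh": ("export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                      "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
}

if __name__ == "__main__":
    for hit in scan_repo(SAMPLE_REPO):
        print(hit)
    print("encrypted config readable with committed key:", effectively_plaintext(scan_repo(SAMPLE_REPO)))
```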
  • 18–23. Symfony Profiler – Internal Apps – AWS
     Step 1 – Symfony Profiler, a publicly available development tool:
       ─ Plaintext credentials in Server Parameters
       ─ Plaintext credentials in Requests history
       ─ parameters.yml preview
     Step 2 – Internal app:
       1. Admin credentials: Dev Environment, Prod Environment
       2. SSO to multiple apps: Production CRM, Webmail
     Step 3 – Webmail:
       1. AWS Invoices & Trusted Advisor emails
       2. Reset password for AWS Root account
     Step 4 – AWS Root Account:
       ─ No MFA
       ─ Organization Management Account
       ─ Administrator Access on all member accounts :)
  • 24. What went wrong?
     Prod data on a non-prod env:
       ─ Prod database on a non-prod
       ─ Same credentials across multiple environments
       ─ A single cloud subscription for all envs / apps / clients
     No MFA:
       ─ Not enforced
       ─ Shared credentials
     Critical services using the same shared email:
       ─ “All for one, and one for all”
       ─ Shared account/password
       ─ Very old passwords
  • 26–31. Kubernetes – Jenkins – AWS
     Step 1 – Kubernetes API, a publicly exposed Kubernetes API with disabled RBAC:
       ─ Base64 Secrets
       ─ Plaintext ConfigMaps
       ─ Pods list and configuration
     Step 2 – K8s Secrets:
       1. AWS Access Keys: S3 access only
       2. Jenkins admin credentials
     Step 3 – Jenkins app:
       1. AWS Access Keys in different Workspaces: SQS access, Lambda access
       2. GitHub credentials in Jenkins Credentials
       3. AWS CLI calls in job console logs
     Step 4 – Kubectl exec, Bash on the Jenkins pod:
       ─ AWS IAM Role with Administrator Access :)
  • 32. What went wrong?
     Public resources:
       ─ Lack of knowledge
       ─ Limited scope of penetration testing
       ─ Risky design
     Principle of Least Privilege:
       ─ Admin access for all!
       ─ Unprotected CI/CD tools
       ─ Running apps as Root
     Disabled security features:
       ─ No RBAC
       ─ Unencrypted data
       ─ No firewall
  • 34–39. Other ways “in”
     – Outdated software running on cloud servers (open proxy)
     – Admin credentials logged during the installation
     – Misconfigured vhosts → Directory indexing
     – Debug pages and connection strings (Python Django)
  • 41. AWS Backdoors – a small teaser of my next presentation
  • 42–45. AWS Backdoors – Ideas
     Group 1: EC2
       - Create a public EC2 with IAM Role
       - Add a local user to any running public EC2
     Group 2: IAM User
       - Create a new IAM User
       - Create an additional access/secret key for any existing IAM User
     Group 3: IAM Role
       - Trust relation with an external account
       - Create new policy version
       - Replace a role for any service
     Group 4: Network access
       - Change / Remove Security Group rule(s)
       - VPC Peering with a rogue external VPC
       - Transit gateway attachment
  • 46. AWS Backdoors – Survival
     Self-Healing:
       ― Lambda + CloudWatch / API Gateway / direct link
       ― Step Functions
       ― CodeBuild
     Detection prevention:
       ― PowerUser + IAMFull instead of AdministratorAccess
       ― Same context (EC2 keys used on the EC2 only)
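A defender-side triage of the backdoor ideas listed above: it maps CloudTrail event names to the four groups and calls out the external-account trust relation and the new-default-policy-version cases. This is an added example, not code from the talk; the eventName values are real CloudTrail names, the records are constructed, and the layout of the policyDocument field inside requestParameters is an assumption.

```python
"""Triage CloudTrail events against the four AWS backdoor groups from the slides.
Added example (not from the talk): eventName values are real CloudTrail names, the
records are constructed, and the policyDocument field layout is my assumption."""
import re
# eventName -> slide group; all of these calls are also legitimate, so treat the output as a review queue
WATCHLIST = {
    "RunInstances": "EC2", "SendCommand": "EC2",            # new host / local user via SSM
    "CreateUser": "IAM User", "CreateAccessKey": "IAM User",
    "UpdateAssumeRolePolicy": "IAM Role", "CreatePolicyVersion": "IAM Role",
    "ReplaceIamInstanceProfileAssociation": "IAM Role",     # swap the role on a running EC2
    "AuthorizeSecurityGroupIngress": "Network", "RevokeSecurityGroupIngress": "Network",
    "CreateVpcPeeringConnection": "Network", "CreateTransitGatewayVpcAttachment": "Network",
}

def external_principals(event):
    """Account ids in a trust policy other than the account the event was recorded in."""
    doc = event.get("requestParameters", {}).get("policyDocument") or ""
    own = event["recipientAccountId"]
    return {acct for acct in re.findall(r"arn:aws:iam::(\d{12}):", doc) if acct != own}

def triage(events):
    """Return (group, eventName, note) for every watch-listed event, in log order."""
    hits = []
    for ev in events:
        name = ev["eventName"]
        if name not in WATCHLIST:
            continue
        params = ev.get("requestParameters", {})
        note = ""
        if name == "UpdateAssumeRolePolicy":          # Group 3: trust relation with an external account
            ext = external_principals(ev)
            note = ("trusts external account(s) " + ",".join(sorted(ext))) if ext else "same-account trust"
        elif name == "CreatePolicyVersion" and params.get("setAsDefault"):
            note = "new version set as default"      # Group 3: new policy version replaces the old one
        elif name == "CreateAccessKey":
            note = "key for user " + params.get("userName", "?")   # Group 2: extra key on an existing user
        hits.append((WATCHLIST[name], name, note))
    return hits

TRUST_DOC = '{"Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Principal":{"AWS":"arn:aws:iam::999999999999:root"}}]}'
SAMPLE_EVENTS = [  # constructed, trimmed to the fields used above
    {"eventName": "DescribeInstances", "recipientAccountId": "111111111111"},
    {"eventName": "CreateAccessKey", "recipientAccountId": "111111111111",
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventName": "UpdateAssumeRolePolicy", "recipientAccountId": "111111111111",
     "requestParameters": {"roleName": "AppRole", "policyDocument": TRUST_DOC}},
    {"eventName": "CreatePolicyVersion", "recipientAccountId": "111111111111",
     "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/App", "setAsDefault": True}},
]
```

Run `triage(SAMPLE_EVENTS)` to see the three flagged records; the DescribeInstances read call is ignored.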