SlideShare a Scribd company logo

DIVING INTO COMMON AWS MISCONFIGURATIONS

N
Nikhil Sahoo

The document provides an overview of common AWS misconfigurations and exploitation techniques. It begins with an introduction of the speaker and their background and expertise in AWS security. It then covers popular AWS services like S3, IAM, and EC2 and common misconfigurations like publicly accessible S3 buckets, excessive permissions in IAM policies, and using SSRF to access EC2 instance metadata. Tools demonstrated include Bucket-Flaws and IAM-Flaws for scanning AWS environments, and Pacu for post-exploitation of AWS accounts. The document emphasizes that while cloud providers secure infrastructure, misconfigurations of services within the cloud can still lead to breaches.

Technology
1 of 39
Download to read offline
DIVING INTO COMMON AWS MISCONFIGURATIONS BY NIKHIL SAHOO
@WHOAMI • Nikhil Sahoo (@nikhilsahoo1232) • Undergrad (BTECH final year) • Cyber Risk Intern @Deloitte. • Application security and Network PT guy • Acknowledged and received HOFs from many renowned companies like Microsoft, Oracle, Sony, Apple, AT&T, Adobe, SAP, Dell etc. • AWS Security Tools: Bucket-Flaws and IAM-Flaws • Blog : https://theblocksec.com • LinkedIn : https://www.linkedin.com/in/nikhil-sahoo- 87204b106/
AGENDA • Why Cloud? • Why target AWS? • S3 Bucket Misconfigurations • AWS IAM Enumeration and Privilege Escalation • EC2 SSRF • Pacu – AWS Exploitation Framework
WHY CLOUD? • Migrating to cloud reduces the risk of being exploited up to a certain extent and is sometimes better than a traditional architecture approach. • The cloud provider is responsible for providing powerful servers and patching all the servers to protect against known exploits. • But what about stuffs inside the cloud? • Do they have proper access control set? • Are all the services configured in a secure manner? • You sure you’re not disclosing any api keys or bucket names publicly?
REAL EVENTS • Capital One Breach : EC2 SSRF > S3 Bucket Access • FedEx : S3 Public Access • Imperva : Access to Database snapshot (RDS) via leaked AWS API key • Tesla : Unprotected Kubernetes Console to AWS S3 Access key and secret key disclosure • BHIM UPI : S3 Public Access And Many More !!
WHAT IS AWS? • Amazon Web Services (AWS) provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. In aggregate, these cloud computing web services provide a set of primitive abstract technical infrastructure and distributed computing building blocks and tools. (Source : Wikipedia) • Popular Services include: • S3 – Simple Storage Service • IAM – Identity and Access Management • EC2 : Elastic Compute Cloud • RDS : Relational Database Service • VPC : Virtual Private Cloud • Currently one of the leading cloud computing providers in the market. • Easy to learn and deploy.
AWS S3(SIMPLE STORAGE SERVICE) Amazon S3 is object storage built to store and retrieve any amount of data from anywhere on the Internet. It’s a simple storage service that offers an extremely durable, highly available, and infinitely scalable data storage infrastructure at very low costs. It provides a simple web service interface that you can use to store and retrieve any amount of data. Since Amazon S3 is highly scalable and you only pay for what you use. (Source : https://aws.amazon.com/s3/faqs/)
AWS S3(SIMPLE STORAGE SERVICE) All the bucket names are unique worldwide and the same bucket name can’t be used by some other account until and unless the bucket is deleted by the user. The S3 buckets are also associated with the regions where the user needs to specify the region in which he/she would like the create the bucket. Few of the URL formats using which you could view your bucket over your browser: • http://bucket_name.s3-aws-region.amazonaws.com • http://bucket_name.s3.amazonaws.com • http://s3.aws-region.amazonaws.com/bucket_name • http://s3.amazonaws.com/bucket_name
FINDING BUCKET NAMES • Read JavaScript files and search keywords like ‘amazonaws’ in your Burp History. Plugins like Asset Discovery and AWS Security Checks might help as well. • Try to generate errors in the target application and sometimes the bucket name might get revealed within the error. • Download as torrent files by appending ?torrent after the file name and view the torrent file in some text editor, you should get the bucket name there itself. (Source : https://docs.aws.amazon.com/AmazonS3/latest/dev/S3Torrent.html) (Note: Amazon S3 does not support the Bit Torrent protocol in AWS Regions launched after May 30, 2016.)
FINDING BUCKET NAMES • Many static websites use the domain name as their bucket name. Try appending s3.amazonaws.com after the URL or try something like this https://s3.amazonaws.com/domain_name • Check the DNS records of the target to view it’s CNAME or Canonical name which species a domain is an alias of another domain.
FINDING BUCKET NAMES • Try using tools like lazys3, bucket finder, s3recon, etc. • Try appending %c0 or any valid hex values more than two digits like %aa, %b4 etc. after the file name. This trick was given by Daniel Matviyiv. But this would only work if the domain is pointing to s3.amazonaws.com/bucketname and not bucketname.s3.amazonaws.com. (Source : https://twitter.com/0xdabbad00/status/1065668988577828864)
FINDING BUCKET NAMES • Grayhat Warfare (https://buckets.grayhatwarfare.com/): A very well created tool or an open searchable database that contains around 70,000 open S3 buckets containing interesting files. Bucket names or files could be easily searched using different keywords.
SETTING BUCKET PERMISSIONS • IAM Policies : Policies applied over users/groups/roles specifying what kind of permissions are allowed or denied to a particular aws service.
SETTING BUCKET PERMISSIONS • Bucket Policy : Policies applied over S3 Buckets directly specifying what kind of permissions are allowed or denied to a particular aws user account. (Principal variable in the policy document holds the list of all aws users that have access to the particular bucket)
SETTING BUCKET PERMISSIONS • Bucket ACL: This is the old way of managing S3 buckets and can control access level of not only buckets but also of an object. • Access could be given to specific AWS accounts using canonical id/email id or to multiple pre-defined AWS groups: - All Users : Everyone - Authenticated Users : All AWS users - Log Delivery : group that has the permission to write access logs objects to the bucket • Different ACLs include: - read - read_acp - write - write_acp - full_control
SETTING BUCKET PERMISSIONS • Bucket ACL:
MISCONFIGURATIONS • Wildcard set as principal or action unintentionally : would lead to a bucket being exposed publicly or could lead to giving administrative access to the whole bucket • S3:ListBucket permission set along with S3:GetObject : would lead to directory listing of the bucket. • AllUsers and AuthenticatedUsers group given full-control or write_acp access : all the users would be getting administrative access on the whole bucket directly or indirectly • Bucket Permissions = Union of IAM policies, Bucket Policies & Bucket ACLs (Explicit deny will always override allow no matter in whatever order it is defined) : might create confusion • Flawed Group names like AuthenticatedUsers creates confusion : would lead to giving full access to all the users indirectly.
AWS-CLI • Installation: apt-get install awscli • Configuration: aws configure (Enter your access key and the secret key of your aws account) • Formats: aws ec2 …. aws s3api …. aws iam ….
BUCKET-FLAWS • Lightweight bash script that scans for aws s3 bucket misconfigurations and tries to exploit it with some additional features • Performs both authenticated and unauthenticated checks • Scans at bucket and object level • Uses the aws inbuilt cli • Can check for a single bucket as well as list of buckets • GitHub Link: https://github.com/nikhil1232/Bucket-Flaws
DEMO
AWS IAM • AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. (Source : https://aws.amazon.com/iam/) • Simply put, AWS IAM ( Identity and Access Management ) is a web service that allows handling authorization mechanism in the AWS environment/console. It is used to set users, groups, roles, policies in order to give different permissions to different entities. • The AWS IAM consists of identities and resources where the identities include the users, groups, roles and the resources include services like S3, EC2, RDS, etc.
AWS IAM : IDENTITIES • User : A user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials. • Group : A group is an entity that you can create in AWS in order to manage multiple users with ease. Groups help in assigning and managing permissions of multiple users sharing the same needs. • Roles : An IAM role is similar to an IAM user, however, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. They are used to grant specific permission to specific actors for a set of duration of time.
AWS IAM : POLICIES • Policies: A policy is simply an entity/object in AWS which is applied to identities and resources wherein you could specify what permissions are allowed and denied to a specific set of resources/identities. • AWS Managed Policies: These are a set of pre-built policies that are managed by AWS itself and each of the policies is associated with their specific ARNs and could be attached to any of the AWS identities. • Custom Managed Policies: These policies are created and managed by the customer/user and is also associated with ARNs. They could be attached to any of the AWS identities. • Inline Polices: Inline policies are the policies that are specific to a particular specified identity and are not associated with an ARN. All users, groups, roles could have their own inline policies containing a set of permissions applied on certain resources. These policies can’t be attached or reused with any other identity
MISCONFIGURATIONS = EXCESSIVE PERMISSIONS • Pre-Requisites : AWS Keys (Access Keys and Secret keys) • Post Exploitation Approach • Rhino labs had come up with a list of 21 possible privilege escalation ways through excessive permissions in AWS IAM. (https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods- mitigation/) • This includes escalation to an existing policy, creation of another policy, gaining administrator privileges and a lot more. • How to check for misconfigurations/privilege escalation? = ENUMERATION • Enumeration of all the permissions associated directly or indirectly with the given user. • We will be discussing 4 possible ways in this session because of the time limit ☺
GETTING AWS KEYS • Since this is a POST Exploitation approach you would need the AWS keys to begin with your scanning. • AWS keys could be leaked in number of places due to various different scenarios so there is no particular approach to search for leaked keys. • Although GitHub is a great place to search for these and maximum amount of leaked credentials are usually found over GitHub. • Eg: “anything.com” aws_access_key_id “anything.com” secret_key “anything.com” aws_key • If you are performing an application security assessment, try going through the JavaScript files as the developers sometimes leave the AWS keys in the comments.
FEW MISCONFIGURATIONS SCENARIOS • New Policy Version Creation: This leads to creation of a new version of the policy and setting it as the default version. Permission Required: iam:CreatePolicyVersion Command: aws iam create-policy-version –policy-arn <ARN of the policy> –policy-document file:///<path to the json document> –set-as-default • Policy Attachment to a User: This would allow a user to attach a managed policy to itself. Permission Required: iam:AttachUserPolicy Command: aws iam attach-user-policy –user-name <username> –policy-arn <arn of the policy to attach>
FEW MISCONFIGURATIONS SCENARIOS • Adding a user to a group: This would allow a user to add themselves to a group of which they are not a part of. Permission Required: iam:AddUserToGroup Command: aws iam add-user-to-group –group-name <group name> –user-name <username> • Setting an Inline Policy for a User: This would allow to either create a new inline policy or update an old inline policy for a user. Permission Required: iam:PutUserPolicy Command: aws iam put-user-policy –user-name <username> –policy-name <policy name> –policy-document <Path to Json Document>
IAM-FLAWS • Lightweight bash script that performs enumeration, scans for aws iam misconfigurations and tries to elevate privileges along with some additional features. • Performs enumeration of AWS IAM User, Groups and it’s associated Policies. • Performs privilege escalation scanning and exploitation based on the enumeration results. • AWS IAM related CIS Benchmarks checks. • GitHub Link: https://github.com/nikhil1232/IAM-Flaws
DEMO
AWS EC2 • Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic. (Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html)
SSRF TO EC2 METADATA • What is SSRF? : Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems. (Source: https://portswigger.net/web-security/ssrf) • What is Instance Metadata? : Instance metadata is data about your instance that you can use to configure or manage the running instance like public and private IP address, security groups, ami-id, instance profile keys and etc. • Instance Metadata can be fetched by calling http://169.254.169.254/latest/meta-data which is a link- local address and can be called only from an EC2 instance.
SSRF TO EC2 METADATA • However if an IAM Role is assigned to an EC2 instance, the access keys of the instance profile can be fetched by making a web request to http://169.254.169.254/latest/meta-data/iam/security- credentials/<name of the role}>. • Thus a successful SSRF attack over a web hosted on an EC2 Instance by calling the above URL would fetch the access credentials of the IAM role attached to that instance. This would let the attacker to impersonate the role attached to the instance and perform any operations as specified in the role.
NEW SECURITY FIX: IMDS V2 • The new Instance Metadata Service v2 (IMDSv2) acts as a layer of defense against these kind of SSRF attacks relying on GET requests. • With this new version you have to set up a session with the metadata service before you can retrieve anything. • A PUT request to http://169.254.169.254/latest/api/token needs to be made with the custom header “x-aws- ec2-metadata-token-ttl-seconds” with the number of seconds for which the token needs to be active. This generates a token that would be needed in the next step. • The token generated would then be supplied as a header value for “x-aws-ec2-metadata-token” in the next GET request. • However this is an optional security fix and many organizations that use automated scripts to perform actions over an EC2 instance would still be relying on the IMDS v1. • So there is a high chance that the IMDS v1 would still be used by a lot of organizations and won’t be updated very soon. More On This : https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf- vulnerabilities-ec2-instance-metadata-service/
DEMO
PACU – AWS EXPLOITATION FRAMEWORK • Pacu by Rhino Security Labs is a comprehensive AWS security-testing toolkit designed for offensive security practitioners. • While several AWS security scanners currently serve as the proverbial “Nessus” of the cloud, Pacu is designed to be the “Metasploit” equivalent. Written in Python 3 with a modular architecture, Pacu has tools for every step of the pentesting process, covering the full cyber kill chain. • GitHub Link: https://github.com/RhinoSecurityLabs/pacu
ENDING NOTE “The blunt realities of public cloud security is that, to date, almost all of the cloud security failures have been attributed to customer actions. There’s been lots of breaches where people have just left stuff on the cloud, open to everyone. This is actually the elephant in the room when it comes to cloud security as we are opening ourselves up to the naked internet with no controls.” - Craig Lawson, Gartner
PRACTICE LABS • Flaws.cloud • Cloudgoat • Cloudgoat-2 • Ctf.live • Flaws2.cloud
REFERENCES • https://medium.com/@localh0t/unveiling-amazon-s3-bucket-names-e1420ceaf4fa • https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your- assets/ • https://auth0.com/blog/fantastic-public-s3-buckets-and-how-to-find-them/ • https://theblocksec.com/2019/11/26/a-tale-of-an-s3-bucket-misconfiguration/ • https://cloudacademy.com/blog/amazon-s3-security-master-bucket-polices-acls/ • https://dominicbreuker.com/post/flaws_cloud_5/ • https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ • https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws • https://github.com/appsecco/attacking-cloudgoat2 • https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after-instance-meta-data- service-version-38fc1ba1a28a • https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2- 2ad03a1f3650 • https://www.cyberbit.com/blog/uncategorized/aws-imds-v2-secures-ssrf-vulnerability/
THANK YOU !!

Recommended

Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Announcing AWS Shield - Protect Web Applications from DDoS Attacks
Announcing AWS Shield - Protect Web Applications from DDoS AttacksAnnouncing AWS Shield - Protect Web Applications from DDoS Attacks
Announcing AWS Shield - Protect Web Applications from DDoS AttacksAmazon Web Services
 
Aws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasAws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasNicole Maus
 
AWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsAWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsShiva Narayanaswamy
 
AWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLIAWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLIAmazon Web Services
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...Amazon Web Services
 
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Amazon Web Services
 

Recommended

Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Announcing AWS Shield - Protect Web Applications from DDoS Attacks
Announcing AWS Shield - Protect Web Applications from DDoS AttacksAnnouncing AWS Shield - Protect Web Applications from DDoS Attacks
Announcing AWS Shield - Protect Web Applications from DDoS AttacksAmazon Web Services
 
Aws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasAws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasNicole Maus
 
AWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsAWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsShiva Narayanaswamy
 
AWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLIAWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLIAmazon Web Services
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...Amazon Web Services
 
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017Michael Furman
 
AWS WAF
AWS WAFAWS WAF
AWS WAFAmazon Web Services
 
AWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsBryant Poush
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud SecurityAWS Riyadh User Group
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWSAmazon Web Services
 
Amazon's Simple Storage Service (S3)
Amazon's Simple Storage Service (S3)Amazon's Simple Storage Service (S3)
Amazon's Simple Storage Service (S3)James Gray
 
Amazon S3 Masterclass
Amazon S3 MasterclassAmazon S3 Masterclass
Amazon S3 MasterclassAmazon Web Services
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelDavid J Rosenthal
 
Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Amazon Web Services
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSAmazon Web Services
 
Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking Mehul Jariwala
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
The Rise of Secrets Management
The Rise of Secrets ManagementThe Rise of Secrets Management
The Rise of Secrets ManagementAkeyless
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWSAmazon Web Services
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key ManagementAnthony Ikeda
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWSAmazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAMAmazon Web Services
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM IntroductionAmazon Web Services
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM IntroductionAmazon Web Services
 

More Related Content

What's hot

AWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAmazon Web Services
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsBryant Poush
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWSAmazon Web Services
 
Amazon's Simple Storage Service (S3)
Amazon's Simple Storage Service (S3)Amazon's Simple Storage Service (S3)
Amazon's Simple Storage Service (S3)James Gray
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelDavid J Rosenthal
 
Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Amazon Web Services
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSAmazon Web Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
The Rise of Secrets Management
The Rise of Secrets ManagementThe Rise of Secrets Management
The Rise of Secrets ManagementAkeyless
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key ManagementAnthony Ikeda
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWSAmazon Web Services
 

What's hot (20)

OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
AWS WAF
AWS WAFAWS WAF
AWS WAF
 
AWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with Conditions
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud Security
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 
Amazon's Simple Storage Service (S3)
Amazon's Simple Storage Service (S3)Amazon's Simple Storage Service (S3)
Amazon's Simple Storage Service (S3)
 
Amazon S3 Masterclass
Amazon S3 MasterclassAmazon S3 Masterclass
Amazon S3 Masterclass
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure Sentinel
 
Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
 
Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
The Rise of Secrets Management
The Rise of Secrets ManagementThe Rise of Secrets Management
The Rise of Secrets Management
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWS
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 

Similar to DIVING INTO COMMON AWS MISCONFIGURATIONS

Owning aws infrastructure services
Owning aws infrastructure servicesOwning aws infrastructure services
Owning aws infrastructure servicesSuraj Khetani
 
Controlling Access to your Resources
Controlling Access to your ResourcesControlling Access to your Resources
Controlling Access to your ResourcesAmazon Web Services
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...Amazon Web Services
 
Security Best Practices - Hebrew Webinar
Security Best Practices - Hebrew WebinarSecurity Best Practices - Hebrew Webinar
Security Best Practices - Hebrew WebinarAmazon Web Services
 
AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview Amazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityLalitMohanSharma8
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesIan Massingham
 
Security Best Practices: AWS AWSome Day Management Track
Security Best Practices: AWS AWSome Day Management TrackSecurity Best Practices: AWS AWSome Day Management Track
Security Best Practices: AWS AWSome Day Management TrackIan Massingham
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and securityErik Paulsson
 

Similar to DIVING INTO COMMON AWS MISCONFIGURATIONS (20)

AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
Owning aws infrastructure services
Owning aws infrastructure servicesOwning aws infrastructure services
Owning aws infrastructure services
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Controlling Access to your Resources
Controlling Access to your ResourcesControlling Access to your Resources
Controlling Access to your Resources
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
Amazon s3
Amazon s3Amazon s3
Amazon s3
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
 
Security Best Practices - Hebrew Webinar
Security Best Practices - Hebrew WebinarSecurity Best Practices - Hebrew Webinar
Security Best Practices - Hebrew Webinar
 
AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview
 
Security best practices
Security best practices Security best practices
Security best practices
 
Security & Compliance (Part 1)
Security & Compliance (Part 1)Security & Compliance (Part 1)
Security & Compliance (Part 1)
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Demystifying identity on AWS
Demystifying identity on AWSDemystifying identity on AWS
Demystifying identity on AWS
 
Intro to AWS Security
Intro to AWS SecurityIntro to AWS Security
Intro to AWS Security
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Security Best Practices: AWS AWSome Day Management Track
Security Best Practices: AWS AWSome Day Management TrackSecurity Best Practices: AWS AWSome Day Management Track
Security Best Practices: AWS AWSome Day Management Track
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and security
 

Recently uploaded

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

DIVING INTO COMMON AWS MISCONFIGURATIONS

  • 1. DIVING INTO COMMON AWS MISCONFIGURATIONS BY NIKHIL SAHOO
  • 2. @WHOAMI • Nikhil Sahoo (@nikhilsahoo1232) • Undergrad (BTECH final year) • Cyber Risk Intern @Deloitte. • Application security and Network PT guy • Acknowledged and received HOFs from many renowned companies like Microsoft, Oracle, Sony, Apple, AT&T, Adobe, SAP, Dell etc. • AWS Security Tools: Bucket-Flaws and IAM-Flaws • Blog : https://theblocksec.com • LinkedIn : https://www.linkedin.com/in/nikhil-sahoo- 87204b106/
  • 3. AGENDA • Why Cloud? • Why target AWS? • S3 Bucket Misconfigurations • AWS IAM Enumeration and Privilege Escalation • EC2 SSRF • Pacu – AWS Exploitation Framework
  • 4. WHY CLOUD? • Migrating to cloud reduces the risk of being exploited up to a certain extent and is sometimes better than a traditional architecture approach. • The cloud provider is responsible for providing powerful servers and patching all the servers to protect against known exploits. • But what about stuffs inside the cloud? • Do they have proper access control set? • Are all the services configured in a secure manner? • You sure you’re not disclosing any api keys or bucket names publicly?
  • 5. REAL EVENTS • Capital One Breach : EC2 SSRF > S3 Bucket Access • FedEx : S3 Public Access • Imperva : Access to Database snapshot (RDS) via leaked AWS API key • Tesla : Unprotected Kubernetes Console to AWS S3 Access key and secret key disclosure • BHIM UPI : S3 Public Access And Many More !!
  • 6. WHAT IS AWS? • Amazon Web Services (AWS) provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. In aggregate, these cloud computing web services provide a set of primitive abstract technical infrastructure and distributed computing building blocks and tools. (Source : Wikipedia) • Popular Services include: • S3 – Simple Storage Service • IAM – Identity and Access Management • EC2 : Elastic Compute Cloud • RDS : Relational Database Service • VPC : Virtual Private Cloud • Currently one of the leading cloud computing providers in the market. • Easy to learn and deploy.
  • 7. AWS S3(SIMPLE STORAGE SERVICE) Amazon S3 is object storage built to store and retrieve any amount of data from anywhere on the Internet. It’s a simple storage service that offers an extremely durable, highly available, and infinitely scalable data storage infrastructure at very low costs. It provides a simple web service interface that you can use to store and retrieve any amount of data. Since Amazon S3 is highly scalable and you only pay for what you use. (Source : https://aws.amazon.com/s3/faqs/)
  • 8. AWS S3(SIMPLE STORAGE SERVICE) All the bucket names are unique worldwide and the same bucket name can’t be used by some other account until and unless the bucket is deleted by the user. The S3 buckets are also associated with the regions where the user needs to specify the region in which he/she would like the create the bucket. Few of the URL formats using which you could view your bucket over your browser: • http://bucket_name.s3-aws-region.amazonaws.com • http://bucket_name.s3.amazonaws.com • http://s3.aws-region.amazonaws.com/bucket_name • http://s3.amazonaws.com/bucket_name
  • 9. FINDING BUCKET NAMES • Read JavaScript files and search keywords like ‘amazonaws’ in your Burp History. Plugins like Asset Discovery and AWS Security Checks might help as well. • Try to generate errors in the target application and sometimes the bucket name might get revealed within the error. • Download as torrent files by appending ?torrent after the file name and view the torrent file in some text editor, you should get the bucket name there itself. (Source : https://docs.aws.amazon.com/AmazonS3/latest/dev/S3Torrent.html) (Note: Amazon S3 does not support the Bit Torrent protocol in AWS Regions launched after May 30, 2016.)
  • 10. FINDING BUCKET NAMES • Many static websites use the domain name as their bucket name. Try appending s3.amazonaws.com after the URL or try something like this https://s3.amazonaws.com/domain_name • Check the DNS records of the target to view it’s CNAME or Canonical name which species a domain is an alias of another domain.
  • 11. FINDING BUCKET NAMES • Try using tools like lazys3, bucket finder, s3recon, etc. • Try appending %c0 or any valid hex values more than two digits like %aa, %b4 etc. after the file name. This trick was given by Daniel Matviyiv. But this would only work if the domain is pointing to s3.amazonaws.com/bucketname and not bucketname.s3.amazonaws.com. (Source : https://twitter.com/0xdabbad00/status/1065668988577828864)
  • 12. FINDING BUCKET NAMES • Grayhat Warfare (https://buckets.grayhatwarfare.com/): A very well created tool or an open searchable database that contains around 70,000 open S3 buckets containing interesting files. Bucket names or files could be easily searched using different keywords.
  • 13. SETTING BUCKET PERMISSIONS • IAM Policies : Policies applied over users/groups/roles specifying what kind of permissions are allowed or denied to a particular aws service.
  • 14. SETTING BUCKET PERMISSIONS • Bucket Policy : Policies applied over S3 Buckets directly specifying what kind of permissions are allowed or denied to a particular aws user account. (Principal variable in the policy document holds the list of all aws users that have access to the particular bucket)
  • 15. SETTING BUCKET PERMISSIONS • Bucket ACL: This is the old way of managing S3 buckets and can control access level of not only buckets but also of an object. • Access could be given to specific AWS accounts using canonical id/email id or to multiple pre-defined AWS groups: - All Users : Everyone - Authenticated Users : All AWS users - Log Delivery : group that has the permission to write access logs objects to the bucket • Different ACLs include: - read - read_acp - write - write_acp - full_control
  • 17. MISCONFIGURATIONS • Wildcard set as principal or action unintentionally : would lead to a bucket being exposed publicly or could lead to giving administrative access to the whole bucket • S3:ListBucket permission set along with S3:GetObject : would lead to directory listing of the bucket. • AllUsers and AuthenticatedUsers group given full-control or write_acp access : all the users would be getting administrative access on the whole bucket directly or indirectly • Bucket Permissions = Union of IAM policies, Bucket Policies & Bucket ACLs (Explicit deny will always override allow no matter in whatever order it is defined) : might create confusion • Flawed Group names like AuthenticatedUsers creates confusion : would lead to giving full access to all the users indirectly.
  • 18. AWS-CLI • Installation: apt-get install awscli • Configuration: aws configure (Enter your access key and the secret key of your aws account) • Formats: aws ec2 …. aws s3api …. aws iam ….
  • 19. BUCKET-FLAWS • Lightweight bash script that scans for aws s3 bucket misconfigurations and tries to exploit it with some additional features • Performs both authenticated and unauthenticated checks • Scans at bucket and object level • Uses the aws inbuilt cli • Can check for a single bucket as well as list of buckets • GitHub Link: https://github.com/nikhil1232/Bucket-Flaws
  • 20. DEMO
  • 21. AWS IAM • AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. (Source : https://aws.amazon.com/iam/) • Simply put, AWS IAM ( Identity and Access Management ) is a web service that allows handling authorization mechanism in the AWS environment/console. It is used to set users, groups, roles, policies in order to give different permissions to different entities. • The AWS IAM consists of identities and resources where the identities include the users, groups, roles and the resources include services like S3, EC2, RDS, etc.
  • 22. AWS IAM : IDENTITIES • User : A user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials. • Group : A group is an entity that you can create in AWS in order to manage multiple users with ease. Groups help in assigning and managing permissions of multiple users sharing the same needs. • Roles : An IAM role is similar to an IAM user, however, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. They are used to grant specific permission to specific actors for a set of duration of time.
  • 23. AWS IAM : POLICIES • Policies: A policy is simply an entity/object in AWS which is applied to identities and resources wherein you could specify what permissions are allowed and denied to a specific set of resources/identities. • AWS Managed Policies: These are a set of pre-built policies that are managed by AWS itself and each of the policies is associated with their specific ARNs and could be attached to any of the AWS identities. • Custom Managed Policies: These policies are created and managed by the customer/user and is also associated with ARNs. They could be attached to any of the AWS identities. • Inline Polices: Inline policies are the policies that are specific to a particular specified identity and are not associated with an ARN. All users, groups, roles could have their own inline policies containing a set of permissions applied on certain resources. These policies can’t be attached or reused with any other identity
  • 24. MISCONFIGURATIONS = EXCESSIVE PERMISSIONS • Pre-Requisites : AWS Keys (Access Keys and Secret keys) • Post Exploitation Approach • Rhino labs had come up with a list of 21 possible privilege escalation ways through excessive permissions in AWS IAM. (https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods- mitigation/) • This includes escalation to an existing policy, creation of another policy, gaining administrator privileges and a lot more. • How to check for misconfigurations/privilege escalation? = ENUMERATION • Enumeration of all the permissions associated directly or indirectly with the given user. • We will be discussing 4 possible ways in this session because of the time limit ☺
  • 25. GETTING AWS KEYS • Since this is a POST Exploitation approach you would need the AWS keys to begin with your scanning. • AWS keys could be leaked in number of places due to various different scenarios so there is no particular approach to search for leaked keys. • Although GitHub is a great place to search for these and maximum amount of leaked credentials are usually found over GitHub. • Eg: “anything.com” aws_access_key_id “anything.com” secret_key “anything.com” aws_key • If you are performing an application security assessment, try going through the JavaScript files as the developers sometimes leave the AWS keys in the comments.
  • 26. FEW MISCONFIGURATIONS SCENARIOS • New Policy Version Creation: This leads to creation of a new version of the policy and setting it as the default version. Permission Required: iam:CreatePolicyVersion Command: aws iam create-policy-version –policy-arn <ARN of the policy> –policy-document file:///<path to the json document> –set-as-default • Policy Attachment to a User: This would allow a user to attach a managed policy to itself. Permission Required: iam:AttachUserPolicy Command: aws iam attach-user-policy –user-name <username> –policy-arn <arn of the policy to attach>
  • 27. FEW MISCONFIGURATIONS SCENARIOS • Adding a user to a group: This would allow a user to add themselves to a group of which they are not a part of. Permission Required: iam:AddUserToGroup Command: aws iam add-user-to-group –group-name <group name> –user-name <username> • Setting an Inline Policy for a User: This would allow to either create a new inline policy or update an old inline policy for a user. Permission Required: iam:PutUserPolicy Command: aws iam put-user-policy –user-name <username> –policy-name <policy name> –policy-document <Path to Json Document>
  • 28. IAM-FLAWS • Lightweight bash script that performs enumeration, scans for aws iam misconfigurations and tries to elevate privileges along with some additional features. • Performs enumeration of AWS IAM User, Groups and it’s associated Policies. • Performs privilege escalation scanning and exploitation based on the enumeration results. • AWS IAM related CIS Benchmarks checks. • GitHub Link: https://github.com/nikhil1232/IAM-Flaws
  • 29. DEMO
  • 30. AWS EC2 • Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic. (Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html)
  • 31. SSRF TO EC2 METADATA • What is SSRF? : Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems. (Source: https://portswigger.net/web-security/ssrf) • What is Instance Metadata? : Instance metadata is data about your instance that you can use to configure or manage the running instance like public and private IP address, security groups, ami-id, instance profile keys and etc. • Instance Metadata can be fetched by calling http://169.254.169.254/latest/meta-data which is a link- local address and can be called only from an EC2 instance.
  • 32. SSRF TO EC2 METADATA • However if an IAM Role is assigned to an EC2 instance, the access keys of the instance profile can be fetched by making a web request to http://169.254.169.254/latest/meta-data/iam/security- credentials/<name of the role}>. • Thus a successful SSRF attack over a web hosted on an EC2 Instance by calling the above URL would fetch the access credentials of the IAM role attached to that instance. This would let the attacker to impersonate the role attached to the instance and perform any operations as specified in the role.
  • 33. NEW SECURITY FIX: IMDS V2 • The new Instance Metadata Service v2 (IMDSv2) acts as a layer of defense against these kind of SSRF attacks relying on GET requests. • With this new version you have to set up a session with the metadata service before you can retrieve anything. • A PUT request to http://169.254.169.254/latest/api/token needs to be made with the custom header “x-aws- ec2-metadata-token-ttl-seconds” with the number of seconds for which the token needs to be active. This generates a token that would be needed in the next step. • The token generated would then be supplied as a header value for “x-aws-ec2-metadata-token” in the next GET request. • However this is an optional security fix and many organizations that use automated scripts to perform actions over an EC2 instance would still be relying on the IMDS v1. • So there is a high chance that the IMDS v1 would still be used by a lot of organizations and won’t be updated very soon. More On This : https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf- vulnerabilities-ec2-instance-metadata-service/
  • 34. DEMO
  • 35. PACU – AWS EXPLOITATION FRAMEWORK • Pacu by Rhino Security Labs is a comprehensive AWS security-testing toolkit designed for offensive security practitioners. • While several AWS security scanners currently serve as the proverbial “Nessus” of the cloud, Pacu is designed to be the “Metasploit” equivalent. Written in Python 3 with a modular architecture, Pacu has tools for every step of the pentesting process, covering the full cyber kill chain. • GitHub Link: https://github.com/RhinoSecurityLabs/pacu
  • 36. ENDING NOTE “The blunt realities of public cloud security is that, to date, almost all of the cloud security failures have been attributed to customer actions. There’s been lots of breaches where people have just left stuff on the cloud, open to everyone. This is actually the elephant in the room when it comes to cloud security as we are opening ourselves up to the naked internet with no controls.” - Craig Lawson, Gartner
  • 37. PRACTICE LABS • Flaws.cloud • Cloudgoat • Cloudgoat-2 • Ctf.live • Flaws2.cloud
  • 38. REFERENCES • https://medium.com/@localh0t/unveiling-amazon-s3-bucket-names-e1420ceaf4fa • https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your- assets/ • https://auth0.com/blog/fantastic-public-s3-buckets-and-how-to-find-them/ • https://theblocksec.com/2019/11/26/a-tale-of-an-s3-bucket-misconfiguration/ • https://cloudacademy.com/blog/amazon-s3-security-master-bucket-polices-acls/ • https://dominicbreuker.com/post/flaws_cloud_5/ • https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ • https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws • https://github.com/appsecco/attacking-cloudgoat2 • https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after-instance-meta-data- service-version-38fc1ba1a28a • https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2- 2ad03a1f3650 • https://www.cyberbit.com/blog/uncategorized/aws-imds-v2-secures-ssrf-vulnerability/