Like all major public cloud providers, AWS allows users to expose managed resources like S3 buckets, SQS queues, RDS databases, and others publicly on the Internet. There are legitimate uses for making resources public, such as publishing non-sensitive data. However, we often find that this functionality is mistakenly used, often due to a lack of cloud security expertise, to erroneously expose sensitive data. News of exposed S3 buckets are sadly very frequent in the specialized media. It is important to note, however, that there are many other relevant kinds of AWS resources that can be equally dangerous when publicly exposed but that doesn't get nearly as much scrutiny as S3 buckets. In this talk we are going to describe some of the methods that researchers and attackers use to discover and exploit these publicly exposed resources, and how cloud providers and defenders can have taken action to monitor, prevent and respond to these activities. Presented at DEF CON 29 Cloud Village.

1. Hunting for AWS Exposed
Resources
By Felipe "Pr0teus" Espósito

2. About Me
Felipe "Pr0teus" Espósito
Senior Researcher @ Tenchi Security
@pr0teusbr
fesposito@tenchisecurity.com
Rio de Janeiro, Brazil 󰎙

3. Motivation

4. AWS has other services too

5. https://github.com/SummitRoute/aws_exposable_resourc
es
by Scott Piper

6. https://endgame.readthedocs.io/
In a completely unrelated note, Kinnaird McQuade is awesome.

7. https://www.youtube.com/watch?v=yO-tQ-byxno by Ben
Morris

8. Sorry
Obligatory slide for cloud security.

9. Shared Responsibility Model

10. Some Stats...

11. Data sources
OSINT Techniques as:
● Passive DNS
● Wayback machine
● Subdomain enumeration
● Code repos

13. Enumerating Subdomains
Ricardo Iramar wrote an article
with a good comparison of 9
subdomain enumeration tools.
Based on those findings, picked
the following for this research:
● Findomain
● Amass
https://ricardoiramar.medium.com/subdomain-enumeration-tools-evaluati
on-57d4ec02d69e

14. Shodan & Censys
We used Shodan and Censys on a few specific
cases. We'll show the results on slides to come.

15. Discarded data sources.
Certstream - AWS is using wildcard certificates for most services, which makes certstream of no use in
identifying individual hostnames.

16. Metrics:
Valid DNS - Means that the hostname resolves to an IP address.
Public IP - Means that the IP resolved from the previous URL are not in the RFC 1918 private IP ranges.

17. Amazon DocumentDB
URL:
<name>.cluster-<random>.<region>.docdb.amazonaws.com
Amass+Findomain 0
Censys 15
Historical Github 7
Github search 117
Security Trails 33
Passive Total 1

18. Amazon DocumentDB
True
(37.67%)
False
(62.33%)
SecurityTrails
GitHub query
PassiveTotal
Valid DNS
Valid DNS by Data Source
0 5 10 15 20 25 30

19. Amazon MQ
https://b-****-****-****-****-***.mq.<region>.amazonaws.com
Amazon expose the Amazon MQ through a DNS entry
Web console listen on port:8162
ActiveMQ uses Security Groups by
default.
Shodan 4433
Amass+Findomain 563
Historical Github 2
Github search 5
Security Trails 145
Passive Total 0

20. Amazon MQ

21. Amazon MQ
Security Trails
Amass +
Findomain
20
0 40 60 80 100 120 140 160
Unique Valid URLs

22. Amazon CloudSearch
<name>-<random>.<region>.cloudsearch.amazonaws.com
Shodan 38155
Amass+Findomain 119
Historical Github 48
Github search 15
Security Trails 49
Passive Total 15
Amazon implements an Elastic Load
Balancer V2 in front of Cloudsearch.
Tried to Search for letter E and A in order to find exposed
cloudsearch with resource policy to *.

23. Amazon CloudSearch
Security Trails
Amass +
Findomain
Passive Total
0 2 4 10 30
20

24. Amazon SQS
Amazon SQS are exposed by AWS as an URL:
https://sqs.<region>.amazonaws.com/<AccountID>/<Queue
Name>
That means that Passive URL and subdomain enumeration
techniques were ineffective.
Amass+Findomain 0
Historical Github 471
Github search 210
Security Trails 0
Passive Total 0

25. Amazon SQS
Github
Historical
Github
Query
50
0 100 150 200 250 300 350 400 450
Public writable &
Public Readable
Not Public
Public Writable
but not Public
Readable

26. Amazon RedShift
URL:
<name>.<random>.<region>.redshift.amazonaws.com
Amazon exposes RedShift database through DNS entries
To publicly expose a RedShift database you must:
1. Create an Elastic IP Address.
2. Configure Redshift to use the Elastic IP Address.
3. Change the Security Group to allow 0.0.0.0 inbound
Amass+Findomain 42
Historical Github 7
Github search 192
Security Trails 226
Passive Total 2

27. Amazon RedShift
Amass +
Findomain
(19.18%)
GitHub query
(7.53%)
Security Trails
(73.29%)
Security
Trails
Github
Query
Amass
+
Findomain
Github
Historical
Passivetotal
Unique DNS Valid
Invalid
Valid DNS by source

28. AWS Managed Elasticsearch.
https://search-[name]-[random].[region].es.amazonaws.com
Route53
ALBv2
Elasticsearch OpenDistro
https://vpc-[name]-[random].[region].es.amazonaws.com
You can also choose the
authentication type:
● Cognito
● Basic Auth
● IAM
● None

29. Public ElasticSearch Clusters

30. AWS Managed Elasticsearch.
Security Trails
Amass +
Findomain
Passive Total
Github query
Github historical
Valid DNS per source
Percentage of Valid DNS

31. AWS Managed Elasticsearch authentication
IAM
Auth
Open
Basic
Auth

32. AWS Managed Elasticsearch.
Security Trails
Amass +
Findomain
Passive Total
Github query
Github historical
Open Public by Source
Open Public Size of data by Source
Amass +
Findomain
Security Trails
Passive
Total
Github
query
30% (1.5TB)
40% (2TB)

33. Closing Thoughts
Take the shared responsibility model seriously, please! 󰚦
Find IAM resource policies that allow Principal "*" or equivalent. 😱
Use security tools to automatically detect and mitigate misconfigurations
(i.e. CSPM, SecurityHub, AWS Config rules). 🤖
The dynamic nature of the cloud makes historical Github data obsolete. We
spent US$ 250+ in Bigquery searches for almost no valid hits. 💸
Passive DNS has partial visibility of cloud infrastructure but it's a good
source for hunting for AWS Managed resources. 󰗨

34. Questions ?
@pr0teusbr
fesposito@tenchisecurity.com