SlideShare a Scribd company logo

SaaSpocalypse - The Complexity and Power of AWS Cross Account Access

Download as PPTX, PDF
Tenchi Security
Tenchi Security

Slide deck of the presentation at DEF CON 28 "Safe Mode" Cloud Village by Alexandre Sieira. In this talk we will present in detail the policy-fu needed in order to securely allow principals from one account to perform actions on another, both inside different accounts in an organization but especially from the perspective of a SaaS provider that needs to access hundreds or thousands of customer accounts. Existing research on defenses and possible attacks will be presented and demonstrated to illustrate the concepts. SaaS vendors like ""single pane of glass"" offerings, multi-cloud solutions and CSPM offerings are huge concentrators of risk since they have access to potentially thousands of customer AWS accounts. By exploring how this access can be uniquely secured due to capabilities only AWS provides and how vendors can fail at this we hope to allow attendees to better understand the risks of using these services, and also help service providers mitigate them.

Technology
1 of 24
SaaSpocalypse The Complexity and Power of AWS Cross-Account Access
arn:aws:iam:sa-east-1:*:user/AlexandreSieira ● Founder @ Tenchi Security ● Cloud Security Posture Chiropractor (h/t @swagitda_) ● Previously: ● Manager of the Product Management Team for the MSS Detect Portfolio @ Verizon ● Co-Founder and CTO @ Niddel ● Co-Founder and CTO @ CIPHER Security ● São Paulo, Brazil 🇧🇷 sts:GetCallerIdentity asieira@tenchisecurity.com @AlexandreSieira
Motivation Why should you care? https://attack.mitre.org/techniques/T1199/
● AWS accounts are self-contained entities with resources, identities and policies. ● Some resources can be shared with other accounts or publicly: S3 buckets, EBS snapshots and EC2 AMIs are common examples. ○ https://github.com/SummitRoute/aws_exposab le_resources by Scott Piper ● Most operations require an identity with privileges, so that’s what SaaS vendors will use. AWS IAM Overview Identities and Resources Theme song of people that do all their work logged in as root…
AWS IAM Overview Assuming Roles ● Root and IAM user credentials last indefinitely. ● AWS Security Token Service (STS) generates temporary credentials from roles. ● Roles have three key settings: ○ Trust policy – who can assume the role. ○ Permissions policy – what privileges this role has. ○ Maximum session duration. ● Trust policy is not enough, caller also needs privileges to the sts:AssumeRole action.
Cross Account Access Option 1: Stored Credentials Customer ● Creates an IAM user: ○ Identity policy assigns privileges needed by SaaS / MSP. ○ Creates long-lived access keys. ● Sends credentials to SaaS / MSP via a trusted channel. SaaS / MSP ● Gives workers access to IAM user credentials to perform necessary API calls on customer account. State stored: ● IAM long-lived credentials (access key ID, secret access key).
Cross Account Access Option 1: Stored Credentials SaaS / MSP ● Gives workers access to IAM user credentials to perform necessary API calls on customer account. State stored: ● IAM long-lived credentials (access key ID, secret access key). SECRET!!!
Cross Account Access Option 2: naïve cross-account access Customer ● Creates a cross-account access role: ○ Trust policy allows SaaS / MSP account ID to assume it. ○ Permissions policy assigns privileges needed by SaaS / MSP. SaaS / MSP ● Grants workers sts:AssumeRole privileges on the customer role. ● Uses temporary credentials to perform necessary API calls on customer account. State stored: ● Customer role ARN (arn:aws:iam::account-id:role/role- name-with-path)
Cross Account Access Option 2: naïve cross-account access SaaS / MSP ● Grants workers sts:AssumeRole privileges on the customer role ● Uses temporary credentials to perform necessary API calls on customer account. State stored: ● Customer role ARN (arn:aws:iam::account-id:role/role- name-with-path) NOT A SECRET!!!
Cross Account Access Confused Deputy Problem ● Pre-requisites: ○ Attackers obtain account ID of target. ○ Customer has naïve cross-account access to SaaS / MSP. ● Attack: 1. Attacker on-boards target account on SaaS / MSP claiming to own it. 2. SaaS / MSP accesses target account through cross- account access. 3. Attacker obtains information or functionality intended exclusively for target via SaaS / MSP.
Cross Account Access External ID
Cross Account Access Option 3: External ID as Proof of Ownership SaaS / MSP ● Assigns unique external ID to customer and ensures it is required in the trust policy. ● Grants workers access to external ID and sts:AssumeRole privileges to the customer role. State stored: ● Customer role ARN. ● External ID. Customer ● Creates a cross-account access role: ○ Trust policy allows SaaS / MSP account ID to assume it if correct external ID is provided. ○ Permissions policy assigns privileges needed by SaaS / MSP.
Cross Account Access SaaS / MSP ● Assigns unique external ID to customer and ensures it is required in the trust policy. ● Grants workers access to external ID and sts:AssumeRole privileges to the customer role. State stored: ● Customer role ARN. ● External ID. STILL NO SECRETS!!! Option 3: External ID as Proof of Ownership
Cross Account Access RoleRequiresExternalID? NoYes Correct External ID passed to sts:AssumeRole? Yes No ✅ ✅ ✅ 🛑
Cross Account Access Vendor Worker Privileges
Cross Account Access SCP Fail
Cross Account Access CloudTrail is Your Friend
Cross Account Access Incorrect Implementations ● Kesten Broughton from Praetorian published amazing research on this: https://bit.ly/xacct_assume_role ● Out of 200 vendors tested: ○ 50% only work with IAM user credentials; ○ 50% use assumed roles, and of those: ■ 98% don’t check whether customers actually added external ID as a condition on the trust policy. ■ 37% allow use of arbitrary external IDs on the UI. ■ 15% unwittingly allow use of arbitrary external IDs through various other means. @kestenb
Cross Account Access PRIVILEGES
Cross Account Access
Cross Account Access
Cross Account Access ● Prior and regular review of new 3rd party access to AWS accounts: ○ Ensure business need and least privilege. ○ Use CloudSplaining (https://github.com/salesforce/clo udsplaining) by Kinnaird McQuade. ○ Use Parliament (https://github.com/duo- labs/parliament ) by Scott Piper. ● Monitor using CloudTrail. Recommendations for Customers
Cross Account Access Recommendations for SaaS / MSP ● Minimize privileges asked of customers. ● Impose unique external IDs chosen by your back-end (random UUIDs also an option). ● Ensure customers correctly implemented the trust policy. ● Use CloudFormation to automate customer setup. ● Limit attack surface and blast radius at the account customers trust. ● Monitor using CloudTrail.
Questions? asieira@tenchisecurity.com @AlexandreSieira

Recommended

The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...
The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...
The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...Tenchi Security
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Adam Englander
 
Hunting for AWS Exposed Resources
Hunting for AWS Exposed ResourcesHunting for AWS Exposed Resources
Hunting for AWS Exposed ResourcesTenchi Security
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
Building Secure Apps in the Cloud
Building Secure Apps in the CloudBuilding Secure Apps in the Cloud
Building Secure Apps in the CloudAtlassian
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Serverless Authentication and Authorisation
Serverless Authentication and AuthorisationServerless Authentication and Authorisation
Serverless Authentication and AuthorisationAmazon Web Services
 

Recommended

The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...
The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...
The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...Tenchi Security
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Adam Englander
 
Hunting for AWS Exposed Resources
Hunting for AWS Exposed ResourcesHunting for AWS Exposed Resources
Hunting for AWS Exposed ResourcesTenchi Security
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
Building Secure Apps in the Cloud
Building Secure Apps in the CloudBuilding Secure Apps in the Cloud
Building Secure Apps in the CloudAtlassian
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Serverless Authentication and Authorisation
Serverless Authentication and AuthorisationServerless Authentication and Authorisation
Serverless Authentication and AuthorisationAmazon Web Services
 
ThreatResponse
ThreatResponseThreatResponse
ThreatResponseAmazon Web Services
 
Exposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using SwaggerExposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using SwaggerSalesforce Developers
 
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...Bhavin Desai, CCIE Security
 
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftIntro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftAmazon Web Services
 
Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Amazon Web Services
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Modernizing on EKS (Keynote)- AWS Container Day 2019 Barcelona
Modernizing on EKS (Keynote)- AWS Container Day 2019 BarcelonaModernizing on EKS (Keynote)- AWS Container Day 2019 Barcelona
Modernizing on EKS (Keynote)- AWS Container Day 2019 BarcelonaAmazon Web Services
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Amazon Web Services
 
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...Amazon Web Services
 
Building Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyBuilding Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyAmazon Web Services
 
Mobile Application Development and Testing on AWS
Mobile Application Development and Testing on AWSMobile Application Development and Testing on AWS
Mobile Application Development and Testing on AWSAmazon Web Services
 
Real World Cloud Compromise
Real World Cloud CompromiseReal World Cloud Compromise
Real World Cloud CompromiseTeri Radichel
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Become an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaBecome an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaAmazon Web Services
 
API for Beginners
API for BeginnersAPI for Beginners
API for BeginnersGustavo De Vita
 
Building Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyBuilding Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyAmazon Web Services
 
Building CICD Pipelines for Serverless Applications
Building CICD Pipelines for Serverless ApplicationsBuilding CICD Pipelines for Serverless Applications
Building CICD Pipelines for Serverless ApplicationsAmazon Web Services
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019
Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019 Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019
Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019 Amazon Web Services
 
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014Amazon Web Services
 
IAM Recommended Practices
IAM Recommended PracticesIAM Recommended Practices
IAM Recommended PracticesAmazon Web Services
 

More Related Content

What's hot

Exposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using SwaggerExposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using SwaggerSalesforce Developers
 
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...Bhavin Desai, CCIE Security
 
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftIntro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftAmazon Web Services
 
Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Amazon Web Services
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Modernizing on EKS (Keynote)- AWS Container Day 2019 Barcelona
Modernizing on EKS (Keynote)- AWS Container Day 2019 BarcelonaModernizing on EKS (Keynote)- AWS Container Day 2019 Barcelona
Modernizing on EKS (Keynote)- AWS Container Day 2019 BarcelonaAmazon Web Services
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Amazon Web Services
 
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...Amazon Web Services
 
Building Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyBuilding Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyAmazon Web Services
 
Mobile Application Development and Testing on AWS
Mobile Application Development and Testing on AWSMobile Application Development and Testing on AWS
Mobile Application Development and Testing on AWSAmazon Web Services
 
Real World Cloud Compromise
Real World Cloud CompromiseReal World Cloud Compromise
Real World Cloud CompromiseTeri Radichel
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Building Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyBuilding Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyAmazon Web Services
 
Building CICD Pipelines for Serverless Applications
Building CICD Pipelines for Serverless ApplicationsBuilding CICD Pipelines for Serverless Applications
Building CICD Pipelines for Serverless ApplicationsAmazon Web Services
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019
Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019 Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019
Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019 Amazon Web Services
 

What's hot (20)

ThreatResponse
ThreatResponseThreatResponse
ThreatResponse
 
Exposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using SwaggerExposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using Swagger
 
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
 
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftIntro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
 
Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Modernizing on EKS (Keynote)- AWS Container Day 2019 Barcelona
Modernizing on EKS (Keynote)- AWS Container Day 2019 BarcelonaModernizing on EKS (Keynote)- AWS Container Day 2019 Barcelona
Modernizing on EKS (Keynote)- AWS Container Day 2019 Barcelona
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
 
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...
 
Building Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyBuilding Mobile Apps with AWS Amplify
Building Mobile Apps with AWS Amplify
 
Mobile Application Development and Testing on AWS
Mobile Application Development and Testing on AWSMobile Application Development and Testing on AWS
Mobile Application Development and Testing on AWS
 
Real World Cloud Compromise
Real World Cloud CompromiseReal World Cloud Compromise
Real World Cloud Compromise
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your Applications
 
Become an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaBecome an AWS IAM Policy Ninja
Become an AWS IAM Policy Ninja
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
 
Building Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyBuilding Mobile Apps with AWS Amplify
Building Mobile Apps with AWS Amplify
 
Building CICD Pipelines for Serverless Applications
Building CICD Pipelines for Serverless ApplicationsBuilding CICD Pipelines for Serverless Applications
Building CICD Pipelines for Serverless Applications
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019
Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019 Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019
Amazon FreeRTOS security best practices - FND212 - AWS re:Inforce 2019
 

Similar to SaaSpocalypse - The Complexity and Power of AWS Cross Account Access

(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014Amazon Web Services
 
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...Amazon Web Services
 
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...Amazon Web Services
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Amazon Web Services
 
Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...FIWARE
 
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Amazon Web Services
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
Governance and Security Solution Patterns
Governance and Security Solution Patterns Governance and Security Solution Patterns
Governance and Security Solution Patterns WSO2
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...Amazon Web Services
 
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Amazon Web Services
 
Unleash the Power of Temporary AWS Credentials (a.k.a. IAM roles) (SEC390-R1)...
Unleash the Power of Temporary AWS Credentials (a.k.a. IAM roles) (SEC390-R1)...Unleash the Power of Temporary AWS Credentials (a.k.a. IAM roles) (SEC390-R1)...
Unleash the Power of Temporary AWS Credentials (a.k.a. IAM roles) (SEC390-R1)...Amazon Web Services
 
i4Trust IAM Components
i4Trust IAM Componentsi4Trust IAM Components
i4Trust IAM ComponentsFIWARE
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Amazon Web Services
 
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Amazon Web Services
 
Understanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and GovernanceUnderstanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and GovernanceAmazon Web Services
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...😸 Richard Spindler
 
GPSTEC310_IAM Best Practices and Becoming an IAM Ninja
GPSTEC310_IAM Best Practices and Becoming an IAM NinjaGPSTEC310_IAM Best Practices and Becoming an IAM Ninja
GPSTEC310_IAM Best Practices and Becoming an IAM NinjaAmazon Web Services
 
Five New Security Automations Using AWS Security Services & Open Source (SEC4...
Five New Security Automations Using AWS Security Services & Open Source (SEC4...Five New Security Automations Using AWS Security Services & Open Source (SEC4...
Five New Security Automations Using AWS Security Services & Open Source (SEC4...Amazon Web Services
 
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Amazon Web Services
 

Similar to SaaSpocalypse - The Complexity and Power of AWS Cross Account Access (20)

(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
 
IAM Recommended Practices
IAM Recommended PracticesIAM Recommended Practices
IAM Recommended Practices
 
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
 
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
 
Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...
 
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
Governance and Security Solution Patterns
Governance and Security Solution Patterns Governance and Security Solution Patterns
Governance and Security Solution Patterns
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
 
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
 
Unleash the Power of Temporary AWS Credentials (a.k.a. IAM roles) (SEC390-R1)...
Unleash the Power of Temporary AWS Credentials (a.k.a. IAM roles) (SEC390-R1)...Unleash the Power of Temporary AWS Credentials (a.k.a. IAM roles) (SEC390-R1)...
Unleash the Power of Temporary AWS Credentials (a.k.a. IAM roles) (SEC390-R1)...
 
i4Trust IAM Components
i4Trust IAM Componentsi4Trust IAM Components
i4Trust IAM Components
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
 
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
 
Understanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and GovernanceUnderstanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and Governance
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
 
GPSTEC310_IAM Best Practices and Becoming an IAM Ninja
GPSTEC310_IAM Best Practices and Becoming an IAM NinjaGPSTEC310_IAM Best Practices and Becoming an IAM Ninja
GPSTEC310_IAM Best Practices and Becoming an IAM Ninja
 
Five New Security Automations Using AWS Security Services & Open Source (SEC4...
Five New Security Automations Using AWS Security Services & Open Source (SEC4...Five New Security Automations Using AWS Security Services & Open Source (SEC4...
Five New Security Automations Using AWS Security Services & Open Source (SEC4...
 
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
 

More from Tenchi Security

us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...
us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...
us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...Tenchi Security
 
Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...
Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...
Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...Tenchi Security
 
Detecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ailsDetecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ailsTenchi Security
 
Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...
Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...
Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...Tenchi Security
 
Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)
Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)
Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)Tenchi Security
 
Novos Paradigmas de Segurança com adoção de Nuvem (AWS)
Novos Paradigmas de Segurança com adoção de Nuvem (AWS)Novos Paradigmas de Segurança com adoção de Nuvem (AWS)
Novos Paradigmas de Segurança com adoção de Nuvem (AWS)Tenchi Security
 
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CTPalestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CTTenchi Security
 
Introdução à Segurança de Containers e Kubernetes
Introdução à Segurança de Containers e KubernetesIntrodução à Segurança de Containers e Kubernetes
Introdução à Segurança de Containers e KubernetesTenchi Security
 
Webinar Segurança de DevOps
Webinar Segurança de DevOpsWebinar Segurança de DevOps
Webinar Segurança de DevOpsTenchi Security
 
Latinoware 2019 - Securing Clouds Wide Open
Latinoware 2019 - Securing Clouds Wide OpenLatinoware 2019 - Securing Clouds Wide Open
Latinoware 2019 - Securing Clouds Wide OpenTenchi Security
 

More from Tenchi Security (10)

us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...
us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...
us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...
 
Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...
Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...
Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...
 
Detecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ailsDetecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ails
 
Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...
Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...
Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...
 
Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)
Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)
Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)
 
Novos Paradigmas de Segurança com adoção de Nuvem (AWS)
Novos Paradigmas de Segurança com adoção de Nuvem (AWS)Novos Paradigmas de Segurança com adoção de Nuvem (AWS)
Novos Paradigmas de Segurança com adoção de Nuvem (AWS)
 
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CTPalestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT
 
Introdução à Segurança de Containers e Kubernetes
Introdução à Segurança de Containers e KubernetesIntrodução à Segurança de Containers e Kubernetes
Introdução à Segurança de Containers e Kubernetes
 
Webinar Segurança de DevOps
Webinar Segurança de DevOpsWebinar Segurança de DevOps
Webinar Segurança de DevOps
 
Latinoware 2019 - Securing Clouds Wide Open
Latinoware 2019 - Securing Clouds Wide OpenLatinoware 2019 - Securing Clouds Wide Open
Latinoware 2019 - Securing Clouds Wide Open
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 

SaaSpocalypse - The Complexity and Power of AWS Cross Account Access

  • 1. SaaSpocalypse The Complexity and Power of AWS Cross-Account Access
  • 2. arn:aws:iam:sa-east-1:*:user/AlexandreSieira ● Founder @ Tenchi Security ● Cloud Security Posture Chiropractor (h/t @swagitda_) ● Previously: ● Manager of the Product Management Team for the MSS Detect Portfolio @ Verizon ● Co-Founder and CTO @ Niddel ● Co-Founder and CTO @ CIPHER Security ● São Paulo, Brazil 🇧🇷 sts:GetCallerIdentity asieira@tenchisecurity.com @AlexandreSieira
  • 3. Motivation Why should you care? https://attack.mitre.org/techniques/T1199/
  • 4. ● AWS accounts are self-contained entities with resources, identities and policies. ● Some resources can be shared with other accounts or publicly: S3 buckets, EBS snapshots and EC2 AMIs are common examples. ○ https://github.com/SummitRoute/aws_exposab le_resources by Scott Piper ● Most operations require an identity with privileges, so that’s what SaaS vendors will use. AWS IAM Overview Identities and Resources Theme song of people that do all their work logged in as root…
  • 5. AWS IAM Overview Assuming Roles ● Root and IAM user credentials last indefinitely. ● AWS Security Token Service (STS) generates temporary credentials from roles. ● Roles have three key settings: ○ Trust policy – who can assume the role. ○ Permissions policy – what privileges this role has. ○ Maximum session duration. ● Trust policy is not enough, caller also needs privileges to the sts:AssumeRole action.
  • 6. Cross Account Access Option 1: Stored Credentials Customer ● Creates an IAM user: ○ Identity policy assigns privileges needed by SaaS / MSP. ○ Creates long-lived access keys. ● Sends credentials to SaaS / MSP via a trusted channel. SaaS / MSP ● Gives workers access to IAM user credentials to perform necessary API calls on customer account. State stored: ● IAM long-lived credentials (access key ID, secret access key).
  • 7. Cross Account Access Option 1: Stored Credentials SaaS / MSP ● Gives workers access to IAM user credentials to perform necessary API calls on customer account. State stored: ● IAM long-lived credentials (access key ID, secret access key). SECRET!!!
  • 8. Cross Account Access Option 2: naïve cross-account access Customer ● Creates a cross-account access role: ○ Trust policy allows SaaS / MSP account ID to assume it. ○ Permissions policy assigns privileges needed by SaaS / MSP. SaaS / MSP ● Grants workers sts:AssumeRole privileges on the customer role. ● Uses temporary credentials to perform necessary API calls on customer account. State stored: ● Customer role ARN (arn:aws:iam::account-id:role/role- name-with-path)
  • 9. Cross Account Access Option 2: naïve cross-account access SaaS / MSP ● Grants workers sts:AssumeRole privileges on the customer role ● Uses temporary credentials to perform necessary API calls on customer account. State stored: ● Customer role ARN (arn:aws:iam::account-id:role/role- name-with-path) NOT A SECRET!!!
  • 10. Cross Account Access Confused Deputy Problem ● Pre-requisites: ○ Attackers obtain account ID of target. ○ Customer has naïve cross-account access to SaaS / MSP. ● Attack: 1. Attacker on-boards target account on SaaS / MSP claiming to own it. 2. SaaS / MSP accesses target account through cross- account access. 3. Attacker obtains information or functionality intended exclusively for target via SaaS / MSP.
  • 12. Cross Account Access Option 3: External ID as Proof of Ownership SaaS / MSP ● Assigns unique external ID to customer and ensures it is required in the trust policy. ● Grants workers access to external ID and sts:AssumeRole privileges to the customer role. State stored: ● Customer role ARN. ● External ID. Customer ● Creates a cross-account access role: ○ Trust policy allows SaaS / MSP account ID to assume it if correct external ID is provided. ○ Permissions policy assigns privileges needed by SaaS / MSP.
  • 13. Cross Account Access SaaS / MSP ● Assigns unique external ID to customer and ensures it is required in the trust policy. ● Grants workers access to external ID and sts:AssumeRole privileges to the customer role. State stored: ● Customer role ARN. ● External ID. STILL NO SECRETS!!! Option 3: External ID as Proof of Ownership
  • 14. Cross Account Access RoleRequiresExternalID? NoYes Correct External ID passed to sts:AssumeRole? Yes No ✅ ✅ ✅ 🛑
  • 15. Cross Account Access Vendor Worker Privileges
  • 18. Cross Account Access Incorrect Implementations ● Kesten Broughton from Praetorian published amazing research on this: https://bit.ly/xacct_assume_role ● Out of 200 vendors tested: ○ 50% only work with IAM user credentials; ○ 50% use assumed roles, and of those: ■ 98% don’t check whether customers actually added external ID as a condition on the trust policy. ■ 37% allow use of arbitrary external IDs on the UI. ■ 15% unwittingly allow use of arbitrary external IDs through various other means. @kestenb
  • 22. Cross Account Access ● Prior and regular review of new 3rd party access to AWS accounts: ○ Ensure business need and least privilege. ○ Use CloudSplaining (https://github.com/salesforce/clo udsplaining) by Kinnaird McQuade. ○ Use Parliament (https://github.com/duo- labs/parliament ) by Scott Piper. ● Monitor using CloudTrail. Recommendations for Customers
  • 23. Cross Account Access Recommendations for SaaS / MSP ● Minimize privileges asked of customers. ● Impose unique external IDs chosen by your back-end (random UUIDs also an option). ● Ensure customers correctly implemented the trust policy. ● Use CloudFormation to automate customer setup. ● Limit attack surface and blast radius at the account customers trust. ● Monitor using CloudTrail.

Editor's Notes

  1. Migration to the cloud at a frantic pace. SaaS has great business benefits: Easier to scale and manage for vendors side. Easier to setup (often self-service) and maintain for customers. IT management, CSPM, “single pane of glass”, IdP, backup and more. Concentrates risk on vendors.
  2. Azure is different (AD tenant, assign permissions to several subscriptions).
  3. Credentials are secret, can be leaked anywhere they are used. Credential need to be rotated regularly. Mass rotation if leaked.
  4. ***QUANTOS CLIENTES