Paweł Rzepa

1. AWS (in)security - the
devil is in the detail
Paweł Rzepa
OWASP Chapter Wroclaw
05.12.2017

2. • Senior Security Consultant in SecuRing
• OWASP member:
• Helping arrange meetups in Wroclaw
• Contributor in OWASP MSTG project
• OSCP, eMAPT holder
• @Rzepsky
Who am I

3. 1. Intro to cloud technology
2. S3 leaks
3. Access keys leaks
4. New life of old vulns in cloud
5. Final recommendations
Agenda

4. • Amazon Web Services (AWS) – cloud solution provider
• Identity and Access Management (IAM) – a service for
controlling access to AWS resources
• Simple Storage Service (S3) – storage service through web
services
• Bucket – a container to store objects via S3 service
• Amazon Elastic Compute Cloud (EC2) – a service allowing
users to rent a virtual machine instance
Terms we’re going to use today

5. AWS – a perfect scalable solution

6. AWS Share responsibility model
Source: https://s3-us-west-2.amazonaws.com/cloudtechnologyexperts/wp-content/uploads/2017/07/08152141/shared-model-21.png

7. Source: https://www.upguard.com/breaches/cloud-leak-chicago-voters

8. 7% of all S3 buckets have unrestricted public access*
* - based on https://www.skyhighnetworks.com/cloud-security-blog/verizon-data-breach-two-easy-steps-to-prevent-aws-s3-leaks/

9. https://[bucketname].s3.amazonaws.com
DIY, with AWSBucketDump:
S3 – how hard is to find a bucket?

10. …but remember: Internet never forgets

11. Demo time!

12. 3 ways to protect your bucket:
You shall not pass!
Access
Control
List
Bucket policy
IAM roles

13. Ask the audience

14. Story details: https://blog.sentry.io/2016/06/14/security-incident-june-12-2016

15. Setting AWS policies can be tricky

16. Story details: https://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html

17. Story details: https://www.olindata.com/en/blog/2017/04/spending-100k-usd-45-days-amazon-web-services

18. Bots never sleep

19. Passwords vs Access Keys
Source: https://www.blackhat.com/docs/us-16/materials/us-16-Simon-Access-Keys-Will-Kill-You-Before-You-Kill-The-Password.pdf

20. • GitHub/Pastebin/etc.
• Configuration files
• ~/.aws/credentials
Access keys – where to look for?

21. • Some vulns can be much more dangerous in cloud:
 CWE-200: Information Exposure
 CWE-441: Unintended Proxy or Intermediary
 CWE-611: XXE
 CWE-918: SSRF
…because any of them may reveal your metadata.
Old vulns gain new life

22. SSRF in practice
Source: https://www.netsparker.com/statics/img/blogposts/exploiting_ssrf_vulnerability.png

23. Stories from HackerOne
SSRF reported, but
marked as “Won’t fix”,
because the risk was
marked as very low.
08.03.2015
Bounty granted: 0$ Bounty granted: 300$
Same bug reported,
but this time pointing
to exposure of
“meta-data”.
23.03.2015

24. • Data about your instance:
• Accessible only from within the instance
itself via link:
http://169.254.169.254/latest/meta-data/
What is “meta-data”

25. Demo time!

26.  Restrict access to your data (ACLs, bucket policies, IAM
roles)
 Audit your policies (e.g. cloudsploit)
 Whitelist IPs
 Define IAM roles
 Use MFA for each role (you may find helpful aws-recipes)
 Create an access keys management process
Sum up

27.  Use CloudTrail
 Set Billing Alarms
 And above all:
Sum up

28. Pawel.Rzepa@securing.pl
Thank you,
Contact me: