Like all major public cloud providers, AWS allows users to expose managed resources such as S3 buckets, SQS queues, RDS databases, and others publicly on the Internet. There are legitimate uses for making resources public, such as publishing non-sensitive data. However, we often find that this functionality is used by mistake, often due to a lack of cloud security expertise, and erroneously exposes sensitive data. News of exposed S3 buckets is sadly very frequent in the specialized media. It is important to note, however, that many other relevant kinds of AWS resources can be equally dangerous when publicly exposed but do not get nearly as much scrutiny as S3 buckets. In this talk we describe some of the methods that researchers and attackers use to discover and exploit these publicly exposed resources, and how cloud providers and defenders can take action to monitor, prevent and respond to these activities.
Presented at DEF CON 29 Cloud Village.
13. Enumerating Subdomains
Ricardo Iramar wrote an article with a good comparison of 9 subdomain enumeration tools. Based on those findings, we picked the following for this research:
● Findomain
● Amass
https://ricardoiramar.medium.com/subdomain-enumeration-tools-evaluation-57d4ec02d69e
14. Shodan & Censys
We used Shodan and Censys on a few specific cases. We'll show the results on slides to come.
15. Discarded data sources.
Certstream - AWS uses wildcard certificates for most services, which makes Certstream of no use in identifying individual hostnames.
16. Metrics:
Valid DNS - Means that the hostname resolves to an IP address.
Public IP - Means that the IP addresses the hostname resolves to are not in the RFC 1918 private IP ranges.
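The two metrics above are simple to compute for a list of candidate hostnames coming out of an enumeration source. The following Python script is an added example written for this page, not tooling from the talk; the hostnames and the DNS answers in FAKE_DNS are constructed so the script runs offline, and passing resolver=None switches it to real lookups through socket.getaddrinfo(). "Public IP" is applied exactly as the slide defines it (outside RFC 1918), which is why documentation ranges such as 203.0.113.0/24 count as public here.

```python
import ipaddress
import socket
from typing import Dict, List, Optional

# RFC 1918 private ranges: the slide's definition of "not a public IP".
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed DNS answers (hypothetical hostnames and addresses) so the example
# runs offline; pass resolver=None to query real DNS via socket.getaddrinfo().
FAKE_DNS: Dict[str, List[str]] = {
    "analytics.abc123xyz.us-east-1.redshift.amazonaws.com": ["198.51.100.10"],
    "internal-dw.abc123xyz.us-east-1.redshift.amazonaws.com": ["10.0.5.12"],
    "vpc-search-abcdef.us-east-1.es.amazonaws.com": ["172.16.0.4", "203.0.113.9"],
}


def resolve_hostname(hostname: str,
                     resolver: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Return the addresses hostname resolves to, or [] if it does not resolve."""
    if resolver is not None:
        return list(resolver.get(hostname, []))
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_rfc1918(address: str) -> bool:
    """True if address lies inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


def classify_hostname(hostname: str, resolver=None) -> Dict[str, object]:
    """Apply the slide's two metrics to one hostname.

    valid_dns: the name resolves to at least one address.
    public_ip: at least one resolved address is outside RFC 1918 (a mixed
    answer is counted as public, because the public address is reachable).
    """
    addresses = resolve_hostname(hostname, resolver)
    return {
        "hostname": hostname,
        "addresses": addresses,
        "valid_dns": bool(addresses),
        "public_ip": any(not is_rfc1918(a) for a in addresses),
    }


def compute_metrics(hostnames: List[str], resolver=None) -> Dict[str, int]:
    """Aggregate the per-hostname metrics over the candidates from one source."""
    results = [classify_hostname(h, resolver) for h in hostnames]
    return {
        "total": len(results),
        "valid_dns": sum(r["valid_dns"] for r in results),
        "public_ip": sum(r["public_ip"] for r in results),
    }


if __name__ == "__main__":
    # One stale name that no longer resolves, as happens with old GitHub hits.
    candidates = list(FAKE_DNS) + ["stale.abc123xyz.us-east-1.redshift.amazonaws.com"]
    print(compute_metrics(candidates, resolver=FAKE_DNS))
```

Run against a real source list (resolver=None), the "valid_dns" count is what the per-source charts later in the deck report, and the ratio of "public_ip" to "valid_dns" separates VPC-internal endpoints from ones worth a closer look.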
24. Amazon SQS
Amazon SQS queues are exposed by AWS as a URL:
https://sqs.<region>.amazonaws.com/<AccountID>/<QueueName>
That means that passive URL and subdomain enumeration techniques were ineffective.
Hits per data source:
Amass+Findomain 0
Historical Github 471
Github search 210
Security Trails 0
Passive Total 0
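Because the queue identity lives in the URL path rather than in a hostname, the practical way to find queue references (and the reason only the GitHub sources scored on this slide) is to search text for the URL shape. The parser below is an added example for this page, not code from the talk; SAMPLE_TEXT is a constructed repository fragment with made-up account IDs and queue names, and the region pattern is an assumption that covers the commercial and GovCloud region naming (China regions use a different domain and are not matched). A queue owner can run the same extraction over their own repositories and configuration to spot queue URLs that have leaked.

```python
import re
from typing import Dict, List, NamedTuple

# Shape of an SQS queue URL as given on the slide:
#   https://sqs.<region>.amazonaws.com/<AccountID>/<QueueName>
# Account IDs are 12 digits; queue names use [A-Za-z0-9_-] up to 80 chars,
# with FIFO queues carrying a .fifo suffix. Region pattern is an assumption.
SQS_URL_RE = re.compile(
    r"https://sqs\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com"
    r"/(?P<account_id>\d{12})/(?P<queue_name>[A-Za-z0-9_-]{1,80}(?:\.fifo)?)"
)


class SqsQueueRef(NamedTuple):
    url: str
    region: str
    account_id: str
    queue_name: str


def find_sqs_queue_urls(text: str) -> List[SqsQueueRef]:
    """Extract every well-formed SQS queue URL from text (source, config, logs)."""
    return [
        SqsQueueRef(m.group(0), m.group("region"),
                    m.group("account_id"), m.group("queue_name"))
        for m in SQS_URL_RE.finditer(text)
    ]


def group_by_account(refs: List[SqsQueueRef]) -> Dict[str, List[str]]:
    """Group queue names by account ID, the pivot an owner uses to spot their own leaks."""
    grouped: Dict[str, List[str]] = {}
    for ref in refs:
        grouped.setdefault(ref.account_id, []).append(ref.queue_name)
    return grouped


# Constructed sample: a fragment of application code and config as it might be
# committed to a public repository. Account IDs and queue names are made up.
SAMPLE_TEXT = '''
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/orders-queue"
sqs.send_message(QueueUrl="https://sqs.eu-west-2.amazonaws.com/123456789012/events.fifo", MessageBody=body)
# malformed: account ID is too short, so it must not be reported
BROKEN = "https://sqs.us-east-1.amazonaws.com/12345/not-a-queue"
S3_URL = "https://my-bucket.s3.amazonaws.com/report.csv"
GOV = "https://sqs.us-gov-west-1.amazonaws.com/210987654321/audit"
'''

if __name__ == "__main__":
    for ref in find_sqs_queue_urls(SAMPLE_TEXT):
        print(ref.account_id, ref.region, ref.queue_name)
```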
26. Amazon RedShift
URL:
<name>.<random>.<region>.redshift.amazonaws.com
Amazon exposes RedShift databases through DNS entries.
To publicly expose a RedShift database you must:
1. Create an Elastic IP Address.
2. Configure Redshift to use the Elastic IP Address.
3. Change the Security Group to allow 0.0.0.0/0 inbound.
Hits per data source:
Amass+Findomain 42
Historical Github 7
Github search 192
Security Trails 226
Passive Total 2
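The three steps above are also the three things a defender checks for in their own account: a cluster marked publicly accessible (with an Elastic IP) whose security group admits the database port from anywhere. The check below is an added example for this page, not tooling from the talk. CLUSTERS and SECURITY_GROUPS are constructed records in the shape of the boto3 redshift.describe_clusters() and ec2.describe_security_groups() responses (only the fields used are present, and the IDs are made up); in a real run the two dictionaries would be filled from those calls.

```python
from typing import Any, Dict, List

# Constructed cluster records in the boto3 describe_clusters() shape. IDs, names
# and addresses are made up for the example.
CLUSTERS: List[Dict[str, Any]] = [
    {"ClusterIdentifier": "analytics-prod", "PubliclyAccessible": True,
     "ElasticIpStatus": {"ElasticIp": "198.51.100.20", "Status": "active"},
     "Endpoint": {"Address": "analytics-prod.abc123xyz.us-east-1.redshift.amazonaws.com",
                  "Port": 5439},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}]},
    {"ClusterIdentifier": "analytics-restricted", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5439},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb", "Status": "active"}]},
    {"ClusterIdentifier": "internal-dw", "PubliclyAccessible": False,
     "Endpoint": {"Port": 5439},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}]},
]

# Constructed security groups in the boto3 describe_security_groups() shape,
# keyed by GroupId.
SECURITY_GROUPS: Dict[str, Dict[str, Any]] = {
    "sg-0aaa": {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-0bbb": {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    "sg-0ccc": {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
}

WORLD_SOURCES = {"0.0.0.0/0", "::/0"}


def rule_opens_port_to_world(perm: Dict[str, Any], port: int) -> bool:
    """True if one ingress rule admits `port` from any IPv4 or IPv6 address."""
    proto = perm.get("IpProtocol")
    if proto not in ("-1", "tcp"):          # "-1" means all protocols and ports
        return False
    if proto == "tcp" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
        return False
    sources = ([r.get("CidrIp") for r in perm.get("IpRanges", [])] +
               [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])])
    return any(src in WORLD_SOURCES for src in sources)


def exposed_redshift_clusters(clusters: List[Dict[str, Any]],
                              security_groups: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Report clusters that are publicly accessible AND world-open on their port."""
    findings = []
    for cluster in clusters:
        if not cluster.get("PubliclyAccessible"):
            continue                         # steps 1-2 on the slide not done: no public endpoint
        port = cluster.get("Endpoint", {}).get("Port", 5439)
        for sg_ref in cluster.get("VpcSecurityGroups", []):
            sg = security_groups.get(sg_ref["VpcSecurityGroupId"])
            if sg and any(rule_opens_port_to_world(p, port) for p in sg.get("IpPermissions", [])):
                findings.append({"cluster": cluster["ClusterIdentifier"],
                                 "security_group": sg["GroupId"], "port": port})
                break                        # one offending group is enough to report
    return findings


if __name__ == "__main__":
    for f in exposed_redshift_clusters(CLUSTERS, SECURITY_GROUPS):
        print(f"{f['cluster']}: port {f['port']} open to the world via {f['security_group']}")
```

The cluster that is publicly accessible but whose group only admits 10.0.0.0/8 is not reported, and neither is the VPC-only cluster that shares the world-open group; a practitioner may still want to list that second case separately, since it becomes exposed the moment someone flips PubliclyAccessible.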
30. AWS Managed Elasticsearch.
[Charts: "Valid DNS per source" and "Percentage of Valid DNS", broken down by source: Security Trails, Amass + Findomain, Passive Total, Github query, Github historical]
32. AWS Managed Elasticsearch.
[Charts: "Open Public by Source" and "Open Public Size of data by Source", broken down by source: Security Trails, Amass + Findomain, Passive Total, Github query, Github historical; visible data labels: 30% (1.5TB), 40% (2TB)]
33. Closing Thoughts
Take the shared responsibility model seriously, please!
Find IAM resource policies that allow Principal "*" or equivalent. 😱
Use security tools to automatically detect and mitigate misconfigurations (e.g. CSPM, Security Hub, AWS Config rules). 🤖
The dynamic nature of the cloud makes historical Github data obsolete. We spent US$ 250+ in BigQuery searches for almost no valid hits. 💸
Passive DNS has partial visibility of cloud infrastructure, but it's a good source for hunting for AWS Managed resources.
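The "Principal "*" or equivalent" advice above is mechanical enough to automate over every resource policy in an account. The checker below is an added example written for this page, not code from the talk or from any AWS tool; SAMPLE_POLICY is a constructed SQS queue policy with made-up account IDs. It treats the bare string "*" and {"AWS": "*"} (alone or in a list) as the wildcard forms, flags only Allow statements, and records whether a Condition is present, because a Condition such as aws:SourceArn can narrow a wildcard grant and such statements need a human look rather than an automatic verdict.

```python
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """Policy grammar lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" and for {"AWS": "*"} (alone or inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return every Allow statement whose Principal is a wildcard."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue                        # a Deny to "*" is a guard rail, not an exposure
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": _as_list(stmt.get("Action")),
            # A Condition may restrict who the "*" really is; review by hand.
            "has_condition": bool(stmt.get("Condition")),
        })
    return findings


# Constructed SQS queue policy (account IDs and names are made up) exercising the
# four cases: open to anyone, open to anyone but conditioned on a source ARN,
# granted to one specific account, and a Deny aimed at everyone else.
SAMPLE_POLICY: Dict[str, Any] = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AnyoneCanSend", "Effect": "Allow", "Principal": "*",
     "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue"},
    {"Sid": "SnsFanout", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["sqs:SendMessage"],
     "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue",
     "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:orders-topic"}}},
    {"Sid": "PartnerAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
     "Action": "sqs:ReceiveMessage",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue"},
    {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
     "Action": "sqs:*",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue",
     "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}}
  ]
}''')

if __name__ == "__main__":
    for finding in find_public_statements(SAMPLE_POLICY):
        flag = "conditioned, review" if finding["has_condition"] else "OPEN TO EVERYONE"
        print(f"{finding['sid']}: {', '.join(finding['actions'])} [{flag}]")
```

The same function works unchanged on S3 bucket policies, SNS topic policies and other resource policies, since they share the statement grammar; the one shape it does not cover is NotPrincipal, which is rare and best treated as its own finding.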