Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Step by step AWS Cloud Hacking
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
andresriancho
September 25, 2020
Technology
640
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
3k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
13k
Threat Modelling
andresriancho
0
1.6k
Automated Security Analysis AWS Clouds
andresriancho
1
3.4k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
280
Galería de Fallos en Unicornios
andresriancho
1
270
Esoteric Web Application Vulnerabilities
andresriancho
0
1.2k
String Compare Timing Attacks
andresriancho
0
660
Timing Attacks
andresriancho
1
430
Other Decks in Technology
See All in Technology
インフラ寄りSREでも 開発に踏み出せる〜境界を越えてユーザー体験に向き合いたい〜
sansantech
PRO
2
3.8k
実装だけじゃない! CCA-F取得エンジニアが教えるClaude Code開発プロセス活用術
diggymo
2
680
「最後に責任を取るのはチーム」— 人間のPRレビューを最小化してアップデートしたメンタルモデル
jnishime_dresscode
0
600
Claude Code 珍プレー好プレー
shinyasaita
0
330
CSに"SLO"は要らない、経営層に"99.9%"は伝わらない - SREを全社に"翻訳"する3原則
cscengineer
PRO
1
4.5k
最適な自走を最小限の支援で — M&Aで拡大する組織で少人数SREが挑んだ1年 / SRE NEXT 2026
genda
0
1.1k
SREとQA 二人三脚で進めるSLO運用/sre-qa-slo
sugitak
0
490
Amazon EVS で VCF 9.0 / 9.1 のサポート開始まとめ
mtoyoda
0
290
ポストモーテム! DDoSからサイトは守れた。 でもビジネスは守れなかった。
bengo4com
0
2.9k
ソニー銀行におけるビジネスアジリティ向上のためのクラウドシフト戦略
srenext
0
190
Terraform共通モジュールをチーム横断で“変えられる”運用へ ― リリースと適用の分離
kekke_n
1
2.9k
誤解だらけの開発生産性 / Myths and Misconceptions about Developer Productivity
i35_267
1
240
Featured
See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
10k
SEOcharity - Dark patterns in SEO and UX: How to avoid them and build a more ethical web
sarafernandez
0
220
Reality Check: Gamification 10 Years Later
codingconduct
0
2.2k
A Guide to Academic Writing Using Generative AI - A Workshop
ks91
PRO
1
350
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
630
Scaling GitHub
holman
464
140k
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
Building Flexible Design Systems
yeseniaperezcruz
330
40k
RailsConf 2023
tenderlove
30
1.5k
[SF Ruby Conf 2025] Rails X
palkan
2
1.2k
Documentation Writing (for coders)
carmenintech
77
5.4k
Transcript
Ekoparty 2020 Andrés Riancho
2
3
None
5
need credentials • • • 6
7
IAM permissions 8
9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}
10
11 from urllib.request import urlopen from flask import request @app.route('/ssrf')
def handler(): url = request.args.get('url') return urlopen(url).read()
Instance metadata and S3 compromise
13
None
two ways to enumerate permissions IAM service In most cases
this will fail brute-force 15
Get* / List* / Describe* DryRun parameter 16
17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]
18
./enumerate-iam.py
20
many things the attacker doesn't know. 21 { "Statement":[ {
"Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }
try to elevate privileges to a principal with full access
22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }
Lambda function will have access to the IAM role 23
Getting * on *
None
existing trust policy in the AdminRole 26
27
28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":
"sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }
Never trust the trust policy
30 ARN for the backdoored role
None
32 most resources in the AWS account VPC is completely
isolated from the Internet
None
34 VPN between the attacker's workstation and a VPC
35
vpc-vpn-pivot
None
From zero to full pwn
None
40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho
None