Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Transcript
Ekoparty 2020 Andrés Riancho
need credentials
IAM permissions
http://169.254.169.254/
/latest/meta-data/iam/security-credentials/
/latest/meta-data/iam/security-credentials/{role-name}

    from urllib.request import urlopen

    from flask import Flask, request

    app = Flask(__name__)


    @app.route('/ssrf')
    def handler():
        # SSRF: the server fetches the client-supplied URL with no validation.
        url = request.args.get('url')
        return urlopen(url).read()

Instance metadata and S3 compromise
two ways to enumerate permissions
IAM service
In most cases this will fail
brute-force
Get* / List* / Describe*
DryRun parameter

    SUPPORTED_SERVICES = [
        'ec2',
        's3'
    ]

./enumerate-iam.py
many things the attacker doesn't know.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:*",
            "lambda:*",
            "..."
          ],
          "Resource": "*"
        }
      ]
    }

try to elevate privileges to a principal with full access

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "*"
          ],
          "Resource": "*"
        }
      ]
    }

Lambda function will have access to the IAM role
Getting * on *
existing trust policy in the AdminRole

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::925877178748:root"
      },
      "Action": "sts:AssumeRole"
    }

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::925877178748:root",
          "arn:aws:iam::320222540496:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }

Never trust the trust policy
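
An added example, not part of the original deck: a check that lists the AWS principals in a role's trust policy whose account is outside an allow list, run over the two statements from the slide above. The function names, the allow list, and the treatment of 925877178748 as the role's own account are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
import re

# Optional ARN prefix, then the 12-digit account ID, then an optional resource part.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")

# The two trust-policy statements from the slide, wrapped in a policy document.
ORIGINAL = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::925877178748:root"},
    "Action": "sts:AssumeRole",
}]}
MODIFIED = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::925877178748:root",
                          "arn:aws:iam::320222540496:root"]},
    "Action": "sts:AssumeRole",
}]}


def as_list(value):
    """IAM allows a single value or a list for Statement, Action and Principal."""
    return value if isinstance(value, list) else [value]


def external_principals(trust_policy, trusted_accounts):
    """Return AWS principals allowed to assume the role from untrusted accounts."""
    findings = []
    for stmt in as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action may be a wildcard such as "*" or "sts:*"; match it as a pattern.
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for entry in aws:
            match = ACCOUNT_RE.match(entry)
            # A wildcard or unparseable principal is reported as external.
            if match is None or match.group(1) not in trusted_accounts:
                findings.append(entry)
    return findings


if __name__ == "__main__":
    trusted = {"925877178748"}  # assumption: the role's own account
    for name, policy in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, external_principals(policy, trusted))
```

Run against every role in an account on a schedule, a non-empty result for a role that previously returned nothing is the signal that its trust policy has changed.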
ARN for the backdoored role
most resources in the AWS account
VPC is completely isolated from the Internet
VPN between the attacker's workstation and a VPC
vpc-vpn-pivot
From zero to full pwn
• enumerate-iam
• pacu
• vpc-vpn-pivot
Follow @AndresRiancho