Security research is not something that’s only done by dedicated teams and companies. Sometimes it will be a developer or platform engineer who makes the jump from “that’s not how I expect it to work” to “that’s not how it’s supposed to work”.
In this talk we’ll walk through the process we took when we found strange behaviour in the AWS console, tried to debug what was going wrong and ended up finding an API that didn’t check iam:PassRole correctly. We’ll see that in a lot of cases the needs of a person who’s debugging and those of a security researcher overlap, and that features like CloudTrail and documented APIs are useful resources for everyone.
Presentation given at fwd:cloudsec 2023 (https://fwdcloudsec.org/)