Compromising AWS® for fun and profit

A presentation at Tech Connect Live Conference in May 2019 in Dublin, Ireland by Simon Whittaker

Slide 1

Slide 1

® AWS Compromising fun and profit Simon Whittaker Cyber Security Director - Vertical Structure Ltd for

Slide 2

Slide 2

Prepare, Protect, Persist® • Prepare • We help you and your partners to understand how to identify and resolve potential security issues at the earliest stages with hands on ‘hack yourself first’, threat modelling and GDPR compliance workshops as well as security training for non-technical colleagues. • Protect • Using automated and manual penetration testing techniques, we provide a comprehensive security report for your Web and mobile applications, including API testing, and networks. The report highlights potential issues and their resolutions. • Persist • We ensure that your organisation benefits from continual improvements in security levels through information assurance processes, auditing and certification including ISO27001:2013 and Cyber Essentials. © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 3

Slide 3

Qualifications © Vertical Structure Ltd where applicable Simon.whittaker@verticalstructure.com

Slide 4

Slide 4

Shared Responsibility Model Image from: https://aws.amazon.com/compliance/shared-responsibility-model/ © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 5

Slide 5

What do attackers want? © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 6

Slide 6

Working fast • Never commit credentials • Never commit credentials • Use principle of least privilege • Never commit credentials https://technodrone.blogspot.com/2019/03/the-anatomy-ofaws-key-leak-to-public.html © Vertical Structure Ltd where applicable Simon.whittaker@verticalstructure.com

Slide 7

Slide 7

Let’s have a play © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 8

Slide 8

Find the user privileges © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 9

Slide 9

Find Instance User Data © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 10

Slide 10

Decode the User Data © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 11

Slide 11

What instances can we manage? © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 12

Slide 12

Stop the instance to modify data © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 13

Slide 13

Start the instance with new User Data © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 14

Slide 14

Find a debug SG to attach © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 15

Slide 15

Reaching the instance © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 16

Slide 16

Reverse Shell © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 17

Slide 17

EC2 Escalation © Vertical Structure Ltd where applicable Simon.whittaker@verticalstructure.com

Slide 18

Slide 18

Show current policy attached to role © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 19

Slide 19

Show the current role policies © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 20

Slide 20

Get Current Policy Version © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 21

Slide 21

Connect in and update policy as default © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 22

Slide 22

Verification © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 23

Slide 23

Version 1 vs Version 2 © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 24

Slide 24

Another way © Vertical Structure Ltd where applicable Simon.whittaker@verticalstructure.com

Slide 25

Slide 25

See what permissions Joe has © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 26

Slide 26

List Joe’s policies © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 27

Slide 27

Inject a lambda script © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 28

Slide 28

Inject a lambda script © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 29

Slide 29

Create a DynamoDB and test it © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 30

Slide 30

Create a table and a stream © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 31

Slide 31

Connect Data stream/lambda © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 32

Slide 32

Inject a record © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 33

Slide 33

Joe is now an admin © Vertical Structure Ltd where applicable simon.whittaker@verticalstructure.com

Slide 34

Slide 34

Fun and Profit © Vertical Structure Ltd where applicable Simon.whittaker@verticalstructure.com

Slide 35

Slide 35

Try for yourself • Cloudgoat https://github.com/RhinoSec urityLabs/cloudgoat © Vertical Structure Ltd where applicable Simon.whittaker@verticalstructure.com

Slide 36

Slide 36

Protection Measures • Ask questions • Some great advice from UK NCSC • Secure users • Reduce privileges • Implement tools to help you © Vertical Structure Ltd where applicable Simon.whittaker@verticalstructure.com

Slide 37

Slide 37

Questions? Simon.Whittaker@verticalstructure.com