#RSAC
DevSecOps on the Offense: Automating Amazon Web Services Account Takeover
IDY-W10
Javier Godinez, Founding Member DevSecOps.org, @isomorphix
Ian Allison, Founding Member DevSecOps.org, @iallison
Disclaimer
This is not an Amazon Web Services (AWS) issue
This is a DevOps education issue
It is the user's responsibility to understand the technology being used
With power user privileges come great responsibilities
How our Grandfathers Ran a Stack
Glen Beck (background) and Betty Snyder (foreground) program ENIAC in BRL building 328. (U.S. Army photo)
How We Run a Stack
aws ec2 run-instances --image-id ami-12345678 --instance-type m3.large --key-name "$my_key_pair" --security-groups "$my_security_group"
Image: © 2007 Nuno Pinheiro & David Vignoni & David Miller & Johann Ollivier Lapeyre & Kenneth Wimer & Riccardo Iaconelli / KDE, via Wikimedia Commons
Understanding the Technology You Use
How fast can I move while still staying safe?
Always develop in a separate account (Blast Radius Containment)
Read the docs for everything, make conscious decisions, and document those decisions
Attackers will try to leverage everything against you
Bleeding edge does not mean stable and secure. However, it can be with enough testing
Instance
Virtual host
Virtual environment on Xen hypervisor
Feels very much like a host running on bare metal
(Diagram: Hypervisor > Instance > Operating System)
Metadata Service
Internal HTTP service that provides instances information about their environment
Available from the host at http://169.254.169.254/
Provides temporary credentials to hosts with instance profiles
(Diagram: Hypervisor hosting instances, each with its OS; the Metadata service is reachable from each instance)
Instance Profile
AWS construct that maps a role to an instance
An instance may or may not have a profile associated with it
(Diagram: Instance)
AWS Identity and Access Management Overview
Users
Groups
Roles
Policies: Effect, Actions, Resources, Condition
The Good
Policy is specifically created for the application
Least privilege
Made to be as granular as possible
What Does Ugly Really Look Like?
The best way to determine whether you truly have an ugly duck is by exploiting the most dangerous vulnerabilities.
AWS Create IAM User (CIAMU) Module
Allows for the creation of a user with Admin Privileges to the AWS account
Needs access to AWS Access Keys or an Instance Role with: iam:CreateUser, iam:CreateGroup, iam:PutGroupPolicy, iam:AddUserToGroup, iam:CreateAccessKey
If you have instances/instance roles with this combination of IAM privileges it's very dangerous.
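A defender's audit for exactly this combination, added here as an example and not code from the talk or the lambhack project: it evaluates an IAM policy document offline (Allow/Deny, Action/NotAction, wildcards such as iam:Create* or *) and reports whether all five actions are reachable. The two sample policies are constructed; in real use you would feed it the inline and attached policy documents of each role that has an instance profile.

```python
import fnmatch

# The five IAM actions from the slide; granted together to one principal (an
# IAM user, or an instance role reachable via the metadata service) they are
# enough to mint a brand-new administrator.
ADMIN_CREATION_ACTIONS = frozenset({
    "iam:CreateUser", "iam:CreateGroup", "iam:PutGroupPolicy",
    "iam:AddUserToGroup", "iam:CreateAccessKey"})


def _as_list(value):
    """IAM accepts a single string/object or a list for most policy fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(action, patterns):
    """Case-insensitive IAM wildcard match ('iam:Create*', 'iam:*', '*')."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def granted_actions(policy, candidates=ADMIN_CREATION_ACTIONS):
    """Subset of candidates the policy grants; an explicit Deny beats Allow.
    Resource/Condition are ignored on purpose: a conservative audit."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
        for action in candidates:
            hit = _matches(action, actions) or (
                bool(not_actions) and not _matches(action, not_actions))
            if hit:
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return allowed - denied


def can_create_admin_user(policy):
    """True when the full takeover combination is granted."""
    return granted_actions(policy) == ADMIN_CREATION_ACTIONS


# Constructed sample policies (not from the talk): the first looks like harmless
# IAM housekeeping yet grants the whole combination; the second breaks it.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:Create*", "iam:AddUserToGroup", "iam:PutGroupPolicy"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:Describe*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": "iam:*"},
    {"Effect": "Deny", "Resource": "*", "Action": "iam:CreateAccessKey"}]}
```

Run it over every policy document of a role, not one at a time: the combination is just as dangerous when it is assembled from several attached policies.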
AWS Launch Instances Module
Launches an EC2 instance with a Public IP
Required Privileges: ec2:RunInstances, ec2:ImportKeyPair, ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:Describe*
Can launch an instance with an Instance Profile
Can launch a cluster of Instances
Can automate tasks via bootstrap
AWS IAM Account Lockout Module
Requires an IAM admin role (created by the CIAMU module)
Enumerates all users and access keys
Accepts a user to keep
Locks out all other accounts
Allows security teams to protect potentially compromised accounts
Upcoming Modules and Ongoing Projects
AWS IAM privilege enumeration module
AWS Lambda module
AWS S3 bucket and access enumeration module
Cumulus Cloud Attack Toolkit: AWS, Google Cloud Platform
DevSecOps.org Community
https://github.com/devsecops/lambhack
How to Apply This Knowledge
Read the AWS IAM Best Practices Documents: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Monitor IAM actions using AWS CloudTrail
Get creative with AWS services: Config + CloudWatch Events + Lambda
Audit your AWS Account IAM Policies and Roles
Red Team your applications and instances
Think to yourself: "How would an attacker use this against me?"
Use repeatable secure patterns: https://github.com/devsecops
Help build awareness through community: http://www.devsecops.org