SlideShare ist ein Scribd-Unternehmen logo

Here for a good time, not a long time: exploiting AWS loopholes with temporary credentials

C
CloudVillage

"Cloud infrastructure design is complex and makes even the most straight-forward topics, such as Identity and Access Management (IAM), non-trivial and confusing and therefore, full of security risk. While AWS IAM provides for access via console and API/CLI using access keys, there is also a temporary security tokens feature, designed for secure temporary access. However, temporary tokens have multiple security pot-holes that can lead to exploits. I'll explore the limitations of temporary tokens including: - the lack of visibility/management - minimal logging - limited remediation options and how this can be taken advantage of, especially in combination with other techniques such as assuming of roles, pre-signed URLs, log attacks, and serverless functions to achieve persistence, lateral movement, and obfuscation. In addition, I’ll look at common defensive techniques and best practices around lockdown, provisioning, logging and alerting to see whether these are practical and can shift the field."

Technologie
1 von 39
Downloaden Sie, um offline zu lesen
1 jhwong@netskope.com @jenkohwong defcon cloud-village August 10, 2019 Here for a good time, not a long time 1 Exploiting AWS loopholes with temporary credentials
@jenkohwong • netskope threat research team • windows security, vulnerability scanning, routers/appliances, av/as, threat intel, exploits/pen-testing • product / engineering 2
Agenda • Attack Scenario: Temporary Tokens • Defender Viewpoint: Challenges • Do & Don't 3
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Attack Scenario
AWS Cloud compromised access key A Attacker 1 Compromised Credentials
AWS Cloud compromised access key A Attacker 1 Compromised Credentials
AWS Cloud compromised access key A Attacker 1 Compromised Credentials
AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 Generate Temp Credentials
AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 Generate Temp Credentials
Discovery
Discovery
Discovery
can AssumeRole belongs to compromised access key A jenko-bucket6 jenko_test_user JenkoBucketRole can do Action: “s3:*” on Discovery
can AssumeRole belongs to compromised access key A jenko-bucket6 jenko_test_user JenkoBucketRole can do Action: “s3:*” on Discovery
AWS Cloud access key A jenko-bucket6 AssumeRole JenkoBucketRole Privilege Escalation Details AWS STS temp token B temp token A’ temp token B’Attacker temp token A’ temp token B’
AWS Cloud access key A jenko-bucket6 AssumeRole JenkoBucketRole Privilege Escalation Details AWS STS temp token B temp token A’ temp token B’Attacker temp token A’ temp token B’
AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 escalate privileges with compromised access key A or temp token B 3 Privilege Escalation
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5
Defender Viewpoint 20
Defender Viewpoint • Assumptions • AWS experience • CloudTrail/CloudWatch • Less knowledge of temp credentials • Starting Point • External party re: leaked data • Events/Alarms 21
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Detect: 1.CloudTrail/Watch detects Data Exfil (action/destination) 2. Privilege Escalation? 3. Correlation / Anomaly detection?
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole 2. JenkoBucketRole valid, not overprivileged, assigned to correct users 3. user interview => compromised key
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Mitigate/Remediate: 1. Delete access key A 2. Key rotation 3. Change Console password 4. User training
AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Mitigate/Remediate: 1. Delete access key A 2. Key rotation 3. Change Console password 4. User training
Defender Viewpoint: Challenges • GetSessionToken and the returned temp token B are troubling • We're seeing STS and temp tokens • Same fields in AssumeRole actions but GetSessionToken is new • Reading up...we see we have another set of access keys floating around 28
STS Temp Tokens • Expiration/Timing: • 15 minutes to 36 hours • +CloudTrail event latency (from API call to logging on S3) of at least 20 minutes • Temporary tokens generated by AWS (e.g. passing roles to services like EC2) usually have shorter time frames (1 hour). But automatically refreshed, so an attacker who’s gained control of an EC2 instance only needs to refresh their tokens every hour. • API Access • Can use any service that the original user has privileges for, except… • Sessions using temporary tokens cannot create more temporary tokens • Within STS, can only invoke AssumeRole • Many techniques for Privilege escalation (AssumeRole), not a barrier (follow rhino) 29
Defensive Viewpoint: Temp Tokens Assess/Analyze • Untracked, no way to list current active ones or historically generated • Not in Console, no CLI/API command to ListGeneratedTokens • They are logged but you would have to parse and persist from CloudTrail 30
Defensive Viewpoint: Temp Tokens 31 Detect Update CloudWatch/SIEM filters to detect • Creation: GetSessionToken AssumeRole actions • Usage: accessKeyId =~ ASIA*
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 2 4 Defender Viewpoint: Temp Tokens Mitigate/Remediate: 1. Can’t delete temp token 2. a) Restrict Role b) Delete User 3. Update Remediation Playbook 4. Revoke Active Session for Role AssumeRole JenkoBucketRole temp token B’ 1 belongs to all keys/tokens jenko_test_user 2
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 2 4 Defender Viewpoint: Temp Tokens Mitigate/Remediate: 1. Can’t delete temp token 2. a) Restrict Role b) Delete User 3. Update Remediation Playbook 4. Revoke Active Session for Role AssumeRole JenkoBucketRole temp token B’ 1 belongs to all keys/tokens jenko_test_user 2
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken AssumeRole JenkoBucketRole temp token B’ generated from all keys/tokens jenko_test_user
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken AssumeRole JenkoBucketRole temp token B’ generated from all keys/tokens jenko_test_user
AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 4 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken 2. No MFA on GetSessionToken 3. IAM permissions boundaries 4. Restrict sts:AssumeRole 5. Revoke active sessions for Role AssumeRole JenkoBucketRole temp token B’ 2 5 3 generated from all keys/tokens jenko_test_user max perms
RED - Generate temp credentials for backdoor access - Combine temp credentials with presigned urls, lambdas, log attacks - Consider lambdas as a means to persist temp credentials - Assess whether logging/alerting for temp credentials is being done 37
BLUE • Get a plan in place ASAP to manage temp token usage esp remediation/recovery • Prevention: lockdown access keys, isolate temp token usage in separate accounts, minimal privileges for AssumeRole/PassRole • Detection: alert on GetSessionToken, alert on temp tokens (ASIA*), harden CloudTrail/CloudWatch/SIEM • Mitigation/Remediation: review/revise remediation playbook, do not use GetSessionToken, use AssumeRole, use revoke active sessions for role, create/test a recovery plan from compromised temp tokens • Provisioning/Inventory: track temp tokens that are created in a datastore, use wrapper code for custom apps that need temp tokens, for AWS-generated tokens (IoT, AssumeRole) have to parse logs 38
Thank you jhwong@netskope.com @jenkohwong Slide deck and recap can be found at: https://www.netskope.com/blog/aws-loopholes-with-temporary-credentials 39

Empfohlen

Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to Build
CloudVillage
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud era
CloudVillage
 
Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the Cloud
CloudVillage
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
CloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
CloudVillage
 
Battle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWSBattle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWS
CloudVillage
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudYour Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
CloudVillage
 
Scaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open SourceScaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open Source
CloudVillage
 

Empfohlen

Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to Build
CloudVillage
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud era
CloudVillage
 
Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the Cloud
CloudVillage
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
CloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
CloudVillage
 
Battle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWSBattle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWS
CloudVillage
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the CloudYour Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
CloudVillage
 
Scaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open SourceScaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open Source
CloudVillage
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
sudhanshuwaghmare1
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
apidays
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Pixlogix Infotech
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 

Weitere ähnliche Inhalte

Kürzlich hochgeladen

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Kürzlich hochgeladen (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Empfohlen

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 

Empfohlen (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Here for a good time, not a long time: exploiting AWS loopholes with temporary credentials

  • 1. 1 jhwong@netskope.com @jenkohwong defcon cloud-village August 10, 2019 Here for a good time, not a long time 1 Exploiting AWS loopholes with temporary credentials
  • 2. @jenkohwong • netskope threat research team • windows security, vulnerability scanning, routers/appliances, av/as, threat intel, exploits/pen-testing • product / engineering 2
  • 3. Agenda • Attack Scenario: Temporary Tokens • Defender Viewpoint: Challenges • Do & Don't 3
  • 4. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Attack Scenario
  • 5. AWS Cloud compromised access key A Attacker 1 Compromised Credentials
  • 6. AWS Cloud compromised access key A Attacker 1 Compromised Credentials
  • 7. AWS Cloud compromised access key A Attacker 1 Compromised Credentials
  • 8. AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 Generate Temp Credentials
  • 9. AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 Generate Temp Credentials
  • 13. can AssumeRole belongs to compromised access key A jenko-bucket6 jenko_test_user JenkoBucketRole can do Action: “s3:*” on Discovery
  • 14. can AssumeRole belongs to compromised access key A jenko-bucket6 jenko_test_user JenkoBucketRole can do Action: “s3:*” on Discovery
  • 15. AWS Cloud access key A jenko-bucket6 AssumeRole JenkoBucketRole Privilege Escalation Details AWS STS temp token B temp token A’ temp token B’Attacker temp token A’ temp token B’
  • 16. AWS Cloud access key A jenko-bucket6 AssumeRole JenkoBucketRole Privilege Escalation Details AWS STS temp token B temp token A’ temp token B’Attacker temp token A’ temp token B’
  • 17. AWS Cloud compromised access key A Attacker 1 generate temp token B temp token B AWS STS 2 escalate privileges with compromised access key A or temp token B 3 Privilege Escalation
  • 18. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5
  • 19. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5
  • 21. Defender Viewpoint • Assumptions • AWS experience • CloudTrail/CloudWatch • Less knowledge of temp credentials • Starting Point • External party re: leaked data • Events/Alarms 21
  • 22. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Detect: 1.CloudTrail/Watch detects Data Exfil (action/destination) 2. Privilege Escalation? 3. Correlation / Anomaly detection?
  • 23. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole
  • 24. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole
  • 25. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Investigate: 1. Logs: access key A AssumeRole 2. JenkoBucketRole valid, not overprivileged, assigned to correct users 3. user interview => compromised key
  • 26. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Mitigate/Remediate: 1. Delete access key A 2. Key rotation 3. Change Console password 4. User training
  • 27. AWS Cloud compromised access key A Attacker generate temp token B temp token B AWS STS escalate privileges with compromised access key A or temp token B S3 Bucket access S3 Bucket data exfiltration 3 1 2 4 5 Defender Viewpoint: Challenges Mitigate/Remediate: 1. Delete access key A 2. Key rotation 3. Change Console password 4. User training
  • 28. Defender Viewpoint: Challenges • GetSessionToken and the returned temp token B are troubling • We're seeing STS and temp tokens • Same fields in AssumeRole actions but GetSessionToken is new • Reading up...we see we have another set of access keys floating around 28
  • 29. STS Temp Tokens • Expiration/Timing: • 15 minutes to 36 hours • +CloudTrail event latency (from API call to logging on S3) of at least 20 minutes • Temporary tokens generated by AWS (e.g. passing roles to services like EC2) usually have shorter time frames (1 hour). But automatically refreshed, so an attacker who’s gained control of an EC2 instance only needs to refresh their tokens every hour. • API Access • Can use any service that the original user has privileges for, except… • Sessions using temporary tokens cannot create more temporary tokens • Within STS, can only invoke AssumeRole • Many techniques for Privilege escalation (AssumeRole), not a barrier (follow rhino) 29
  • 30. Defensive Viewpoint: Temp Tokens Assess/Analyze • Untracked, no way to list current active ones or historically generated • Not in Console, no CLI/API command to ListGeneratedTokens • They are logged but you would have to parse and persist from CloudTrail 30
  • 31. Defensive Viewpoint: Temp Tokens 31 Detect Update CloudWatch/SIEM filters to detect • Creation: GetSessionToken AssumeRole actions • Usage: accessKeyId =~ ASIA*
  • 32. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 2 4 Defender Viewpoint: Temp Tokens Mitigate/Remediate: 1. Can’t delete temp token 2. a) Restrict Role b) Delete User 3. Update Remediation Playbook 4. Revoke Active Session for Role AssumeRole JenkoBucketRole temp token B’ 1 belongs to all keys/tokens jenko_test_user 2
  • 33. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 2 4 Defender Viewpoint: Temp Tokens Mitigate/Remediate: 1. Can’t delete temp token 2. a) Restrict Role b) Delete User 3. Update Remediation Playbook 4. Revoke Active Session for Role AssumeRole JenkoBucketRole temp token B’ 1 belongs to all keys/tokens jenko_test_user 2
  • 34. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken AssumeRole JenkoBucketRole temp token B’ generated from all keys/tokens jenko_test_user
  • 35. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken AssumeRole JenkoBucketRole temp token B’ generated from all keys/tokens jenko_test_user
  • 36. AWS Cloud Attacker generate temp token B temp token B AWS STS sessions temp token B’ S3 Bucket 1 4 Defender Viewpoint: Temp Tokens Prevention: 1. Can’t prevent GetSessionToken 2. No MFA on GetSessionToken 3. IAM permissions boundaries 4. Restrict sts:AssumeRole 5. Revoke active sessions for Role AssumeRole JenkoBucketRole temp token B’ 2 5 3 generated from all keys/tokens jenko_test_user max perms
  • 37. RED - Generate temp credentials for backdoor access - Combine temp credentials with presigned urls, lambdas, log attacks - Consider lambdas as a means to persist temp credentials - Assess whether logging/alerting for temp credentials is being done 37
  • 38. BLUE • Get a plan in place ASAP to manage temp token usage esp remediation/recovery • Prevention: lockdown access keys, isolate temp token usage in separate accounts, minimal privileges for AssumeRole/PassRole • Detection: alert on GetSessionToken, alert on temp tokens (ASIA*), harden CloudTrail/CloudWatch/SIEM • Mitigation/Remediation: review/revise remediation playbook, do not use GetSessionToken, use AssumeRole, use revoke active sessions for role, create/test a recovery plan from compromised temp tokens • Provisioning/Inventory: track temp tokens that are created in a datastore, use wrapper code for custom apps that need temp tokens, for AWS-generated tokens (IoT, AssumeRole) have to parse logs 38
  • 39. Thank you jhwong@netskope.com @jenkohwong Slide deck and recap can be found at: https://www.netskope.com/blog/aws-loopholes-with-temporary-credentials 39