There is a lack of tools for testing the security of Cloud deployments; the Cumulus Toolkit is an attack framework for exploiting the Cloud's weak points. The Cloud enables software projects to speed up development because it allows developers to provision infrastructure and make configuration changes to their networks without much friction. This ease of deployment was but a dream in the age of the traditional datacenter. However, the Cloud also brings new attack surface which needs further exploration. Cloud Identity and Access Management (IAM) services (such as Amazon's) are primary targets for attackers, as these typically control access to hundreds of API calls over many services. Over the years there have been various discussions around cloud security, e.g., Pivoting in Amazon Clouds (2013), and few tools have been developed to enable testing the security of Cloud deployments. These tools are standalone, have not attained wide adoption, and/or have not made it into widely adopted toolkits. To fill this void, we have developed the Cumulus Toolkit. The Cumulus Toolkit is a Cloud exploitation toolkit based on the Metasploit Framework. We chose Metasploit because of its wide adoption and its wealth of existing features. The Cumulus toolkit is a set of modules that can be used perform privilege escalation, account takeover, and to launch unauthorized workloads. To illustrate security concerns resulting from lax IAM policies, we present the Create IAM User module which can be used to create a user with administrative privileges. To perform complete account takeover, an attack that we've seen in the wild, we present the User Locker module which is used to lock out all legitimate users out of the account. Finally, we present the Launch Instances module which can be used to launch Cloud hosts on demand.

1. CUMULUS - A CLOUD EXPLOITATION
TOOLKIT
Javier Godinez

2. CUMULUS
2
A Cloud Exploitation Toolkit
• Collection of Metasploit modules
• Creating IAM users
• Launching workloads
• Locking users out
• Techniques for getting a foothold and pivoting in the Cloud
• Currently only supports AWS

3. FOOTHOLD IN THE CLOUD
3
• Demo Cloud Attack Surface
• Weak authentication - SSH
• Insecure configurations - Jenkins
• Misconfiguration - Squid Proxy
• Application vulnerabilities - XXE

4. THE MODULES

5. CREATE IAM USER MODULE
5
• Allows for the creation of a user
with Admin Privileges to the AWS
account
• Needs access to AWS Access Keys
or Instance Role with:
• iam:CreateUser
• iam:CreateGroup
• iam:PutGroupPolicy
• iam:AddUserToGroup
• iam:CreateAccessKey

6. LAUNCH INSTANCES MODULE
6
• Auto detects configuration for
launching EC2 instances
• Can launch one or multiple
instances
• Can execute setup scripts

7. LOCKOUT USERS MODULE
7
• Requires an IAM admin role (created
by previous module)
• Enumerates all users and access keys
• Accepts a user to keep
• Locks out all other accounts

8. DISCLAIMER
8
• This is not an Amazon Web Services issue
• This is a DevOps education issue
• It is the user’s responsibility to understand the technology being used
• With power user privileges comes great responsibilities

9. DEMO
GETTING A FOOTHOLD

10. DEMO
PUTTING IT ALL TOGETHER

11. DEMO NETWORK
11
VPC
Peering
AWS API
Attacker
3
10.0.0.0/16
Jenkins
4
IGWIGW
Account A
Proxy
1
2
SSH API
10.10.0.0/16
Account B

12. DEMO NETWORK
12
VPC
Peering
AWS API
Attacker
10.0.0.0/16
Jenkins
IGWIGW
Account A
Proxy
1
SSH /
API
API
10.10.0.0/16
Account B

13. DEMO NETWORK
13
VPC
Peering
AWS API
3
10.0.0.0/16
Jenkins
IGWIGW
Account A
Proxy
1
2
SSH /
API
API
10.10.0.0/16
Account B

14. DEMO NETWORK
14
VPC
Peering
AWS API
Attacker
3
10.0.0.0/16
Jenkins
4
IGWIGW
Account A
Proxy
1
2
SSH /
API
API
10.10.0.0/16
Account B

15. REFERENCES
15
• Cumulus - A Cloud Exploitation Toolkit
https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
• See cumulus branch: https://github.com/godinezj/metasploit-framework

16. HOW APPLY THIS KNOWLEDGE
16
• Read the AWS IAM Best Practices Documents:
• http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
• Monitor IAM actions using AWS CloudTrail
• Audit your AWS Account IAM Policies and Roles
• Red Team your applications and instances: https://www.metasploit.com
• Think to yourself: “How would an attacker use this against me?”
• Use repeatable secure patterns: https://github.com/devsecops
• Help build awareness through community: http://www.devsecops.org

17. THANKS FOR WATCHING!
Javier Godinez

18. APPENDIX

19. UNDERSTANDING THE TECHNOLOGY YOU
USE
19
• How fast can I move while still staying safe?
• Always develop in separate account (Blast Radius Containment)
• Read the docs for everything and make conscious choices
• Attackers will try to leverage everything against you
• Bleeding edge does not mean stable and secure. However, it can be with enough
testing

20. INSTANCE
20
• Virtual host
• Virtual environment on Xen hypervisor
• Feels very much like a host running on bare metal

21. METADATA SERVICE
21
• Internal HTTP service that provides Instances information about its environemt
• Available from host at http://169.254.169.254/
• Also provides temporary credentials to host

22. INSTANCE PROFILE
22
• AWS construct that maps a
role to an instance
• Instance may or may not
have a profile associated with
it Instance

23. AWS IDENTITY AND ACCESS MANAGEMENT
OVERVIEW
23
• Users
• Groups
• Roles
• Policies
• Effect
• Actions
• Resources
• Condition

24. THE GOOD
24
Policy is specifically created for
the application
Least privilege
Made to be as granular as
possible

25. THE BAD
25
• ec2:*
• iam:*
• anything:*

26. THE UGLY
26
• All Access
• Great for Development
• Really Bad for Security

27. UPCOMING MODULES AND PROJECTS
27
• Metasploit AWS Lambda module
• Metasploit AWS s3 enumeration module
• Cumulus Cloud Attack Toolkit
• AWS
• Google Cloud Platform
• DevSecOps.org Community

28. EC2 INSTANCE METADATA
28
• Retrieves information from
metadata service
• Includes API credentials
• Account information
• Regional information