2. • Senior Security Consultant at SecuRing
• OWASP member:
• Helping arrange meetups in Wroclaw
• Contributor to the OWASP MSTG project
• OSCP, eMAPT holder
• @Rzepsky
Who am I
3. 1. Intro to cloud technology
2. S3 leaks
3. Access keys leaks
4. New life of old vulns in cloud
5. Final recommendations
Agenda
4. Main indicators*:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured Service
* - based on https://www.nist.gov/sites/default/files/documents/itl/cloud/cloud-def-v15.pdf
What the heck is cloud?!
6. • Amazon Web Services (AWS) – cloud solution provider
• Identity and Access Management (IAM) – a service for controlling access to AWS resources
• Simple Storage Service (S3) – storage service accessed through web services
• Bucket – a container to store objects via the S3 service
• Amazon Elastic Compute Cloud (EC2) – a service allowing users to rent a virtual machine instance
Terms we’re going to use today
7. AWS Shared Responsibility Model
Source: https://s3-us-west-2.amazonaws.com/cloudtechnologyexperts/wp-content/uploads/2017/07/08152141/shared-model-21.png
9. 7% of all S3 buckets have unrestricted public access*
* - based on https://www.skyhighnetworks.com/cloud-security-blog/verizon-data-breach-two-easy-steps-to-prevent-aws-s3-leaks/
16. By default, accounts are restricted from accessing S3 unless they have been given access via a policy. However, S3 is designed by default to allow access from any IP address. So to block IPs you have to specify explicit denies in the policy instead of relying on allows.
Setting AWS policies can be tricky
19. • Restrict access to your data via:
  ACLs,
  IAM policies,
  bucket policies.
• Whitelist IPs
• Test your policies (aws-extender-cli may be helpful)
• Always access objects (download/upload) over an encrypted connection
Lesson learned
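The point of the "Setting AWS policies can be tricky" slide and of the "Whitelist IPs" / "Test your policies" advice above, as an added example that is not from the talk: a simplified model of IAM policy evaluation (default deny, any matching Allow grants, an explicit Deny overrides every Allow) run over two constructed bucket policies. The bucket ARN and the 203.0.113.0/24 office range are placeholders, and only the IpAddress/NotIpAddress conditions on aws:SourceIp are modelled.

```python
import ipaddress

# Constructed sample values (placeholders, not from the talk).
BUCKET = "arn:aws:s3:::example-bucket/*"
OFFICE = "203.0.113.0/24"

# Weak: an Allow conditioned on the office range. It grants nothing to other
# addresses, but it also blocks nothing: any other Allow (a second statement,
# a public ACL, an IAM policy) still lets other IPs read the objects.
ALLOW_ONLY = [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET,
     "Condition": {"IpAddress": {"aws:SourceIp": OFFICE}}},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET},  # leftover public grant
]

# Hardened: an explicit Deny for every address outside the range. An explicit
# Deny wins over any Allow, wherever that Allow lives.
DENY_OUTSIDE = [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET},  # same leftover grant
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": BUCKET,
     "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE}}},
]


def _condition_matches(cond, source_ip):
    """Evaluate the only condition keys this example models: IpAddress / NotIpAddress."""
    ip = ipaddress.ip_address(source_ip)
    for op, kv in cond.items():
        ranges = kv.get("aws:SourceIp", [])
        ranges = [ranges] if isinstance(ranges, str) else ranges
        in_range = any(ip in ipaddress.ip_network(r) for r in ranges)
        if op == "IpAddress" and not in_range:
            return False
        if op == "NotIpAddress" and in_range:
            return False
    return True


def is_allowed(statements, action, resource, source_ip):
    """Simplified IAM evaluation: default deny; a matching Allow grants;
    a matching explicit Deny overrides every Allow."""
    allowed = False
    for st in statements:
        if st["Action"] != action or st["Resource"] != resource:
            continue
        if not _condition_matches(st.get("Condition", {}), source_ip):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("allow-only", ALLOW_ONLY), ("deny-outside", DENY_OUTSIDE)):
        for ip in ("203.0.113.7", "198.51.100.9"):
            print(name, ip, is_allowed(policy, "s3:GetObject", BUCKET, ip))
```

The allow-only policy still serves 198.51.100.9 because of the leftover grant; the deny-outside policy blocks it. A real Deny on a bucket also applies to your own administrators and to AWS services reaching the bucket from other addresses, so test it before relying on it.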
25. • Delete the root user’s access keys and define IAM roles
• Enforce usage of Multi-Factor Authentication (AWS-recipes may be helpful)
• Rotate keys
• Create an access key management process
• Use CloudTrail
• Set a billing alarm (e.g. notify me when the bill exceeds $x)
Lesson learned
26. • Some vulns can be much more dangerous in the cloud:
CWE-200: Information Exposure
CWE-441: Unintended Proxy or Intermediary
CWE-611: XXE
CWE-918: SSRF
…because any of them may reveal your instance metadata.
Old vulns gain new life
27. SSRF in practice
Source: https://www.netsparker.com/statics/img/blogposts/exploiting_ssrf_vulnerability.png
28. Stories from HackerOne
08.03.2015: SSRF reported, but marked as “Won’t fix”, because the risk was marked as very low.
Bounty granted: $0
23.03.2015: Same bug reported, but this time pointing to exposure of “meta-data”.
Bounty granted: $300
29. • Data about your instance:
• Accessible only from within the instance itself via the URL:
http://169.254.169.254/latest/meta-data/
What is “meta-data”
31. Restrict access to your data (ACLs, bucket policies, IAM roles)
Whitelist IPs
Use encryption for data in transit
Define IAM roles
Use MFA for each role
Rotate access keys
Create an access key management process
Sum up