Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Step by step AWS Cloud Hacking
Search
andresriancho
September 25, 2020
Technology
0
610
Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Tweet
Share
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
12k
Threat Modelling
andresriancho
0
1.4k
Automated Security Analysis AWS Clouds
andresriancho
1
3.2k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
240
Galería de Fallos en Unicornios
andresriancho
1
230
Esoteric Web Application Vulnerabilities
andresriancho
0
1k
String Compare Timing Attacks
andresriancho
0
580
Timing Attacks
andresriancho
1
330
Other Decks in Technology
See All in Technology
Azure SynapseからAzure Databricksへ 移行してわかった新時代のコスト問題!?
databricksjapan
0
140
GC25 Recap+: Advancing Go Garbage Collection with Green Tea
logica0419
1
400
Flaky Testへの現実解をGoのプロポーザルから考える | Go Conference 2025
upamune
1
420
OCI Network Firewall 概要
oracle4engineer
PRO
1
7.8k
Escaping_the_Kraken_-_October_2025.pdf
mdalmijn
0
130
空間を設計する力を考える / 20251004 Naoki Takahashi
shift_evolve
PRO
3
330
AIAgentの限界を超え、 現場を動かすWorkflowAgentの設計と実践
miyatakoji
0
130
about #74462 go/token#FileSet
tomtwinkle
1
290
多野優介
tanoyusuke
1
420
実装で解き明かす並行処理の歴史
zozotech
PRO
1
320
バイブコーディングと継続的デプロイメント
nwiizo
2
420
GopherCon Tour 概略
logica0419
2
190
Featured
See All Featured
Context Engineering - Making Every Token Count
addyosmani
5
180
Learning to Love Humans: Emotional Interface Design
aarron
274
40k
Reflections from 52 weeks, 52 projects
jeffersonlam
352
21k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.1k
The Art of Programming - Codeland 2020
erikaheidi
56
14k
Producing Creativity
orderedlist
PRO
347
40k
Automating Front-end Workflow
addyosmani
1371
200k
Art, The Web, and Tiny UX
lynnandtonic
303
21k
For a Future-Friendly Web
brad_frost
180
9.9k
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
Optimizing for Happiness
mojombo
379
70k
Code Reviewing Like a Champion
maltzj
525
40k
Transcript
Ekoparty 2020 Andrés Riancho
2
3
None
5
need credentials • • • 6
7
IAM permissions 8
9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}
10
11 from urllib.request import urlopen from flask import request @app.route('/ssrf')
def handler(): url = request.args.get('url') return urlopen(url).read()
Instance metadata and S3 compromise
13
None
two ways to enumerate permissions IAM service In most cases
this will fail brute-force 15
Get* / List* / Describe* DryRun parameter 16
17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]
18
./enumerate-iam.py
20
many things the attacker doesn't know. 21 { "Statement":[ {
"Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }
try to elevate privileges to a principal with full access
22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }
Lambda function will have access to the IAM role 23
Getting * on *
None
existing trust policy in the AdminRole 26
27
28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":
"sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }
Never trust the trust policy
30 ARN for the backdoored role
None
32 most resources in the AWS account VPC is completely
isolated from the Internet
None
34 VPN between the attacker's workstation and a VPC
35
vpc-vpn-pivot
None
From zero to full pwn
None
40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho
None