Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Step by step AWS Cloud Hacking
Search
andresriancho
September 25, 2020
Technology
0
610
Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Tweet
Share
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
12k
Threat Modelling
andresriancho
0
1.3k
Automated Security Analysis AWS Clouds
andresriancho
1
3.2k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
230
Galería de Fallos en Unicornios
andresriancho
1
200
Esoteric Web Application Vulnerabilities
andresriancho
0
950
String Compare Timing Attacks
andresriancho
0
560
Timing Attacks
andresriancho
1
300
Other Decks in Technology
See All in Technology
Cursorを全エンジニアに配布 その先に見据えるAI駆動開発の未来 / 2025-05-13-forkwell-ai-study-1-cursor-at-loglass
itohiro73
2
480
Azure × MCP 入門
ry0y4n
8
1.7k
Как мы автоматизировали интеграционное тестирование с Gonkey и не пожалели. Паша Егорычев, Кирилл Поляков
lamodatech
0
2.1k
正式リリースされた Semantic Kernel の Agent Framework 全部紹介!
okazuki
1
1.1k
MySQL InnoDB Data Recovery - The Last Resort
lefred
0
110
コードや知識を組み込む / Incorporating Codes and Knowledge
ks91
PRO
0
170
Datadog のトライアルを成功に導く技術 / Techniques for a successful Datadog trial
nulabinc
PRO
0
140
とあるEdTechベンチャーのシステム構成こだわりN選 / edtech-system
gotok365
4
250
計測による継続的なCI/CDの改善
sansantech
PRO
1
270
Coding Agentに値札を付けろ
watany
3
450
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
5.5k
LangfuseではじめるAIアプリのLLMトレーシング
codenote
0
140
Featured
See All Featured
Become a Pro
speakerdeck
PRO
28
5.3k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.8k
How to Think Like a Performance Engineer
csswizardry
23
1.6k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
790
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
227
22k
A designer walks into a library…
pauljervisheath
205
24k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.7k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
19
1.2k
Adopting Sorbet at Scale
ufuk
76
9.4k
Making Projects Easy
brettharned
116
6.2k
Transcript
Ekoparty 2020 Andrés Riancho
2
3
None
5
need credentials • • • 6
7
IAM permissions 8
9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}
10
11 from urllib.request import urlopen from flask import request @app.route('/ssrf')
def handler(): url = request.args.get('url') return urlopen(url).read()
Instance metadata and S3 compromise
13
None
two ways to enumerate permissions IAM service In most cases
this will fail brute-force 15
Get* / List* / Describe* DryRun parameter 16
17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]
18
./enumerate-iam.py
20
many things the attacker doesn't know. 21 { "Statement":[ {
"Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }
try to elevate privileges to a principal with full access
22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }
Lambda function will have access to the IAM role 23
Getting * on *
None
existing trust policy in the AdminRole 26
27
28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":
"sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }
Never trust the trust policy
30 ARN for the backdoored role
None
32 most resources in the AWS account VPC is completely
isolated from the Internet
None
34 VPN between the attacker's workstation and a VPC
35
vpc-vpn-pivot
None
From zero to full pwn
None
40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho
None