
Walkthrough of a compromised AWS Account-InfraCoder-MeetupNov2016

Ashish
November 08, 2016

Transcript

  1. AGENDA
     • AWS Primer
     • How would someone get keys to an AWS Account
     • What I do next
     • What can you do next
  2. AWS PRIMER
     Infrastructure as a Service (IaaS)
     • Root Account vs IAM Users vs IAM Roles
     • Key Pairs vs Access Keys
     • VPC vs EC2
     • CloudTrail vs CloudWatch
     • KMS
     • S3 Buckets
     • Route53
  3. AWS SECURITY
     • AWS Security Services
     • AWS Shared Security Model
     • AWS Resources
     • aws.amazon.com/security
     • AWS Whitepapers
  4. LEGITIMATE WAY
     • Security Review of AWS Accounts for compliance checks
     • Client site during projects
     • New AWS Account - 12 month free tier
  5. ATTACK VECTORS
     • AWS Console + IAM User
     • AWS CLI + Access Keys
     • SSH Keys + EC2 Instances Metadata Endpoint (Access Keys)
     • Snapshots + EC2 Instances
  6. WHAT DO WE HAVE
     • aws sts get-caller-identity
     • aws sts get-session-token --duration-seconds 129600
  7. AWS CLOUDTRAIL:* Stop Footprint collection!!
     • aws cloudtrail describe-trails
     • aws cloudtrail stop-logging --name default
     • aws cloudtrail update-trail --name default --no-is-multi-region-trail --no-include-global-service-events
     Note: S3 Bucket Name
  8. AWS IAM:* What kind of account do I have?
     • aws iam get-account-summary
     • aws iam list-users | jq
     • aws iam get-credential-report | jq -r '.Content' | base64 --decode > output.csv
     • aws sts get-session-token --duration-seconds 129600
     • aws iam list-roles | jq '.Roles[] .RoleName'
  9. AWS ROUTE53:*
     • aws route53 list-hosted-zones | jq
     • aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/ABCD | jq '.ResourceRecordSets[] | .Name'
     • Google search keyword: site:sitename.com.au
  10. AWS CONFIGSERVICE:*
     • aws configservice get-status
     • aws configservice describe-configuration-recorder-status
     • aws configservice start-configuration-recorder --configuration-recorder-name defaultrecorder
  11. AWS EC2:*
     • EC2 Instances: aws ec2 describe-instances | jq '.Reservations[] .Instances[] .PublicIpAddress'
     • Elastic IPs: aws ec2 describe-addresses | jq '.Addresses[] .PublicIp'
     • Security Groups: aws ec2 describe-security-groups | jq '.SecurityGroups[] .GroupName'
     • Key Pair
     • Route Tables: aws ec2 describe-route-tables | jq '.RouteTables[] .Routes'
     • VPC Endpoints: aws ec2 describe-vpc-endpoints
     • VPC Peering
     • Volume
     • Security Groups
  12. AWS S3:*
     • Source code
     • Paid software
     • Startup Script
     • CloudTrail
     • Website Code
  13. THERE IS HOPE
     • Raise Awareness
     • CloudTrail Logging to SIEM Software
     • Rotate AWS Access Keys
     • RBAC:
       • Deny All
       • Allow only actions that are required.
     • Create 3rd party Group or IAM Roles for contractors or employees
     • Event Driven Security - AWS Lambda - Next talk :)
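As an added example (not from the deck or its author): the kind of rule a SIEM fed by CloudTrail, as slide 13 recommends, should carry to catch the trail-tampering calls shown on slide 7 and the long-lived session token requested on slides 6 and 8. The sample records, user names, trail name and the 12-hour session threshold are constructed for this example.

```python
import json

# Assumed threshold (my choice, not the deck's): flag sessions over 12h; the deck asks for 129600s (36h).
MAX_SESSION_SECONDS = 12 * 3600
# CloudTrail calls that remove the audit trail outright.
TRAIL_KILL_EVENTS = {"StopLogging", "DeleteTrail"}

# Constructed sample CloudTrail log file (field names follow CloudTrail's record
# format; users, times and trail names are made up for this example).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-11-08T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken", "userIdentity": {"type": "IAMUser", "userName": "contractor1"},
     "requestParameters": {"durationSeconds": 129600}},
    {"eventTime": "2016-11-08T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "contractor1"},
     "requestParameters": {"name": "default"}},
    {"eventTime": "2016-11-08T10:01:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "userIdentity": {"type": "IAMUser", "userName": "contractor1"},
     "requestParameters": {"name": "default", "isMultiRegionTrail": False,
                           "includeGlobalServiceEvents": False}},
    {"eventTime": "2016-11-08T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
]})

def load_records(raw):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(raw)["Records"]

def triage(events):
    """Return (severity, user, eventName, reason) tuples for records worth alerting on."""
    alerts = []
    for ev in events:
        src, name = ev.get("eventSource", ""), ev.get("eventName", "")
        user = ev.get("userIdentity", {}).get("userName", "<root or unknown>")
        params = ev.get("requestParameters") or {}
        if src == "cloudtrail.amazonaws.com" and name in TRAIL_KILL_EVENTS:
            alerts.append(("HIGH", user, name, "trail %r logging stopped/deleted" % params.get("name")))
        elif src == "cloudtrail.amazonaws.com" and name == "UpdateTrail":
            # A trail can be gutted rather than stopped: region scope or global (IAM/STS) events switched off.
            narrowed = [k for k in ("isMultiRegionTrail", "includeGlobalServiceEvents")
                        if params.get(k) is False]
            if narrowed:
                alerts.append(("HIGH", user, name, "trail %r scope reduced: %s" % (params.get("name"), ", ".join(narrowed))))
        elif src == "sts.amazonaws.com" and name == "GetSessionToken":
            duration = params.get("durationSeconds", 0)
            if duration > MAX_SESSION_SECONDS:
                alerts.append(("MEDIUM", user, name, "long-lived session requested: %ds" % duration))
    return alerts
```

Running `triage(load_records(SAMPLE_LOG))` yields three alerts for contractor1 and nothing for the routine DescribeInstances call; the same function can be pointed at the decompressed JSON objects CloudTrail writes to the trail's S3 bucket.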
  14. ASSUMPTIONS
     • The Root account was not compromised
     • The account had Modify access to the mentioned AWS services
     • No Federation URL was available
     • No Switch Role URL was available
  15. ~FIN~ You can talk nerdy to me:
     • @hashishrajan
     • https://au.linkedin.com/in/ashishrajan