Ashish
November 08, 2016
Walkthrough of a compromised AWS Account-InfraCoder-MeetupNov2016
Transcript
WALKTHROUGH OF A COMPROMISED AWS ACCOUNT
InfraCoders Meetup, 8 Nov 2016
AGENDA
• AWS Primer
• How would someone get keys to an AWS Account
• What I do next
• What can you do next
AWS PRIMER
AWS PRIMER
Infrastructure as a Service (IaaS)
Ø Root Account vs IAM Users vs IAM Roles
Ø Key Pairs vs Access Keys
Ø VPC vs EC2
Ø CloudTrail vs CloudWatch
Ø KMS
Ø S3 Buckets
Ø Route53
AWS SECURITY
• AWS Security Services
• AWS Shared Security Model
• AWS Resources
• aws.amazon.com/security
• AWS Whitepapers
Image Courtesy: AWS
HOW WOULD SOMEONE GET KEYS TO AN AWS ACCOUNT
NOT SO LEGITIMATE WAY
• GitHub
• Reddit
• AWS Forum
• Tech Forums
LEGITIMATE WAY
• Security Review of AWS Accounts for compliance checks
• Client site during projects
• New AWS Account - 12 month free tier
WHAT I DO NEXT
ATTACK VECTORS
• AWS Console + IAM User
• AWS CLI + Access Keys
• SSH Keys + EC2 Instances Metadata Endpoint (Access Keys)
• Snapshots + EC2 Instances
AWS CLI + ACCESS KEYS
WHAT DO WE HAVE
Ø aws sts get-caller-identity
Ø aws sts get-session-token --duration-seconds 129600
AWS CLOUDTRAIL:* Stop Footprint collection!!
Ø aws cloudtrail describe-trails
Ø aws cloudtrail stop-logging --name default
Ø aws cloudtrail update-trail --name default --no-is-multi-region-trail --no-include-global-service-events
Note: S3 Bucket Name
AWS IAM:* What kind of account do I have?
• aws iam get-account-summary
• aws iam list-users | jq
• aws iam get-credential-report | jq -r '.Content' | base64 --decode > output.csv
• aws sts get-session-token --duration-seconds 129600
• aws iam list-roles | jq '.Roles[] .RoleName'
AWS ROUTE53:*
• aws route53 list-hosted-zones | jq
• aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/ABCD | jq '.ResourceRecordSets[] | .Name'
• Google search keyword: site:sitename.com.au
AWS CONFIGSERVICE:*
• aws configservice get-status
• aws configservice describe-configuration-recorder-status
• aws configservice start-configuration-recorder --configuration-recorder-name defaultrecorder
AWS EC2:*
• EC2 Instances: aws ec2 describe-instances | jq '.Reservations[] .Instances[] .PublicIpAddress'
• Elastic IPs: aws ec2 describe-addresses | jq '.Addresses[] .PublicIp'
• Security Groups: aws ec2 describe-security-groups | jq '.SecurityGroups[] .GroupName'
• Key Pair
• Route Tables: aws ec2 describe-route-tables | jq '.RouteTables[] .Routes'
• VPC Endpoints: aws ec2 describe-vpc-endpoints
• VPC Peering
• Volume
• Security Groups
AWS S3:*
• Source code
• Paid software
• Startup Script
• CloudTrail
• Website Code
WHAT CAN YOU DO NEXT
THERE IS HOPE
• Raise Awareness
• CloudTrail Logging to SIEM Software
• Rotate AWS Access Keys
• RBAC –
  • Deny All
  • Allow only actions that are required.
• Create 3rd party Group or IAM Roles for contractors or employees
• Event Driven Security - AWS Lambda - Next talk :)
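Shipping CloudTrail to a SIEM only helps if the SIEM knows what to alert on. As an added example (not from the talk), the Python below classifies CloudTrail records for the audit-suppression calls the deck walks through (stop-logging, an update-trail that narrows coverage, a stopped Config recorder) and for unusually long GetSessionToken requests; the sample records, the 12-hour session threshold and the principal and IP values are constructed for this example.

```python
# Constructed CloudTrail-style records (field names follow the real CloudTrail
# record schema; principal, IP and times are made up for this example).
SAMPLE_RECORDS = [
    {"eventTime": "2016-11-08T09:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "requestParameters": None,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2016-11-08T09:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "requestParameters": {"name": "default"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2016-11-08T09:01:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "requestParameters": {"name": "default", "isMultiRegionTrail": False,
                                                        "includeGlobalServiceEvents": False},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2016-11-08T09:02:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken", "requestParameters": {"durationSeconds": 129600},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.10"},
]

# API calls that switch off or delete the audit trail itself.
LOGGING_TAMPER = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteConfigurationRecorder"),
}
MAX_SESSION_SECONDS = 12 * 3600  # assumed policy threshold: no session longer than a working day

def classify(record):
    """Return an alert category for one CloudTrail record, or None if it looks benign."""
    key = (record.get("eventSource"), record.get("eventName"))
    params = record.get("requestParameters") or {}
    if key in LOGGING_TAMPER:
        return "logging-disabled"
    if key == ("cloudtrail.amazonaws.com", "UpdateTrail") and (
        params.get("isMultiRegionTrail") is False or params.get("includeGlobalServiceEvents") is False
    ):
        return "trail-coverage-reduced"
    if key == ("sts.amazonaws.com", "GetSessionToken") and params.get("durationSeconds", 0) > MAX_SESSION_SECONDS:
        return "long-lived-session"
    return None

def scan(records):
    """Return (category, eventTime, principal ARN, source IP) for every suspicious record."""
    alerts = []
    for r in records:
        cat = classify(r)
        if cat:
            alerts.append((cat, r["eventTime"], r.get("userIdentity", {}).get("arn", "?"),
                           r.get("sourceIPAddress", "?")))
    return alerts
```

Run `scan(SAMPLE_RECORDS)` to see the three alerts; in production the same function would be fed the decompressed records from the CloudTrail S3 bucket or the SIEM's event stream.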
ASSUMPTIONS
• The Root account was not compromised
• The account had Modify access to the mentioned AWS services
• No Federation URL was available
• No Switch Role URL was available
~FIN~
You can talk nerdy to me:
• @hashishrajan
• https://au.linkedin.com/in/ashishrajan