Walkthrough of a compromised AWS Account-InfraCoder-MeetupNov2016
Ashish
November 08, 2016
Transcript
WALKTHROUGH OF A COMPROMISED AWS ACCOUNT
InfraCoders Meetup, 8 Nov 2016

AGENDA
• AWS Primer
• How would someone get keys to an AWS account
• What I do next
• What can you do next
AWS PRIMER

AWS PRIMER
Infrastructure as a Service (IaaS)
• Root Account vs IAM Users vs IAM Roles
• Key Pairs vs Access Keys
• VPC vs EC2
• CloudTrail vs CloudWatch
• KMS
• S3 Buckets
• Route53

AWS SECURITY
• AWS Security Services
• AWS Shared Security Model
• AWS Resources
• aws.amazon.com/security
• AWS Whitepapers
Image Courtesy: AWS
HOW WOULD SOMEONE GET KEYS TO AN AWS ACCOUNT

NOT SO LEGITIMATE WAY
• GitHub
• Reddit
• AWS Forum
• Tech Forums

LEGITIMATE WAY
• Security review of AWS accounts for compliance checks
• Client site during projects
• New AWS account - 12-month free tier
WHAT I DO NEXT

ATTACK VECTORS
• AWS Console + IAM User
• AWS CLI + Access Keys
• SSH Keys + EC2 Instance Metadata Endpoint (Access Keys)
• Snapshots + EC2 Instances

AWS CLI + ACCESS KEYS

WHAT DO WE HAVE
• aws sts get-caller-identity
• aws sts get-session-token --duration-seconds 129600

AWS CLOUDTRAIL:* Stop footprint collection!!
• aws cloudtrail describe-trails
• aws cloudtrail stop-logging --name default
• aws cloudtrail update-trail --name default --no-is-multi-region-trail --no-include-global-service-events
Note: S3 bucket name

AWS IAM:* What kind of account do I have?
• aws iam get-account-summary
• aws iam list-users | jq
• aws iam get-credential-report | jq -r '.Content' | base64 --decode > output.csv
• aws sts get-session-token --duration-seconds 129600
• aws iam list-roles | jq '.Roles[] .RoleName'

AWS ROUTE53:*
• aws route53 list-hosted-zones | jq
• aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/ABCD | jq '.ResourceRecordSets[] | .Name'
• Google search keyword: site:sitename.com.au

AWS CONFIGSERVICE:*
• aws configservice get-status
• aws configservice describe-configuration-recorder-status
• aws configservice start-configuration-recorder --configuration-recorder-name defaultrecorder

AWS EC2:*
• EC2 Instances: aws ec2 describe-instances | jq '.Reservations[] .Instances[] .PublicIpAddress'
• Elastic IPs: aws ec2 describe-addresses | jq '.Addresses[] .PublicIp'
• Security Groups: aws ec2 describe-security-groups | jq '.SecurityGroups[] .GroupName'
• Key Pair
• Route Tables: aws ec2 describe-route-tables | jq '.RouteTables[] .Routes'
• VPC Endpoints: aws ec2 describe-vpc-endpoints
• VPC Peering
• Volume
• Security Groups

AWS S3:*
• Source code
• Paid software
• Startup script
• CloudTrail
• Website code
WHAT CAN YOU DO NEXT

THERE IS HOPE
• Raise awareness
• CloudTrail logging to SIEM software
• Rotate AWS access keys
• RBAC:
  • Deny all
  • Allow only actions that are required
• Create 3rd-party group or IAM roles for contractors or employees
• Event-driven security - AWS Lambda - next talk :)
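Two of the points on this slide (CloudTrail to a SIEM, rotate access keys) can be turned into concrete checks. The script below is an added example, not the deck's or the author's code: it flags CloudTrail records for the API calls that stop or narrow logging (the same StopLogging / UpdateTrail calls shown earlier in the walkthrough, which a SIEM rule or an event-driven Lambda would alert on), and parses an IAM credential report CSV to list active access keys older than a rotation threshold. The event names and credential report column names are those AWS uses; the events, the report rows, the account id and the 90-day threshold are all constructed for the example.

```python
"""Defensive checks: logging tamper detection and stale access keys.

Added example; the CloudTrail records and credential report below are
constructed sample data, not output from any real account.
"""
import csv
import io
from datetime import datetime, timezone

# (eventSource, eventName) pairs that reduce audit visibility. These are the
# CloudTrail record names for the corresponding AWS API actions.
LOGGING_TAMPER_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteConfigurationRecorder"),
}

# Constructed CloudTrail records, trimmed to the fields the check reads.
SAMPLE_EVENTS = [
    {"eventTime": "2016-11-08T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    {"eventTime": "2016-11-08T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "requestParameters": {"name": "default"},
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    {"eventTime": "2016-11-08T10:02:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail",
     "requestParameters": {"name": "default", "isMultiRegionTrail": False,
                           "includeGlobalServiceEvents": False},
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    {"eventTime": "2016-11-08T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
]


def flag_logging_tampering(events):
    """Return one alert string per event that stops or narrows logging."""
    alerts = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) not in LOGGING_TAMPER_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        # UpdateTrail is only suspicious when it reduces trail coverage.
        if ev["eventName"] == "UpdateTrail" and not (
            params.get("isMultiRegionTrail") is False
            or params.get("includeGlobalServiceEvents") is False
        ):
            continue
        who = ev.get("userIdentity", {}).get("userName", "unknown")
        alerts.append(f"{ev['eventTime']} {who} {ev['eventName']} "
                      f"trail={params.get('name', '?')}")
    return alerts


# Constructed credential report in the CSV layout that
# `aws iam get-credential-report` yields after base64 decoding (columns
# trimmed to the ones used here; account id is a placeholder).
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2015-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2016-10-01T09:00:00+00:00,true,2014-06-01T09:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,false,N/A,false,N/A
"""

# Time the report is evaluated against (fixed so results are reproducible).
REPORT_TIME = datetime(2016, 11, 8, 9, 0, tzinfo=timezone.utc)


def stale_access_keys(report_csv, now=REPORT_TIME, max_age_days=90):
    """Return (user, key_slot, age_days) for active keys older than max_age_days."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or no key in this slot ("N/A" rotation date)
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days
            if age > max_age_days:
                stale.append((row["user"], slot, age))
    return stale


if __name__ == "__main__":
    for line in flag_logging_tampering(SAMPLE_EVENTS):
        print("ALERT", line)
    for user, slot, age in stale_access_keys(SAMPLE_CREDENTIAL_REPORT):
        print(f"ROTATE {user} access key {slot}: {age} days old")
```

Run against real data, `flag_logging_tampering` takes the records from a CloudTrail log file's `Records` array (or the `detail` of a CloudWatch Events / Lambda invocation), and `stale_access_keys` takes the decoded CSV from the `get-credential-report` command on the IAM slide. The inactive-key and `N/A` handling matters because the root row and users without keys carry no rotation date.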
ASSUMPTIONS
• The root account was not compromised
• The account had modify access to the mentioned AWS services
• No Federation URL was available
• No Switch Role URL was available

~FIN~
You can talk nerdy to me:
• @hashishrajan
• https://au.linkedin.com/in/ashishrajan