Inc. Twitter: @riyazwalikar, Blog: https://ibreak.software
• Over a decade of experience in breaking web & mobile apps, networks, wireless, cloud and most recently containers and Kubernetes
• Have led Product Security and Consulting teams at Citrix and PwC SDC in a past life and was the OffSec Lead at Appsecco before moving on to co-founding Kloudle
• Have multiple certifications as a result of my learning curve over the years, including CKA, CKAD, OSCP, CREST etc. (also, because they look cool on LinkedIn ☺)
• Speaker at multiple cons, co-author, trainer, security evangelist with a short attention span and attracted to all things shiny
an object in AWS that, when associated with an identity or resource, defines their permissions.
• AWS evaluates these policies when an IAM principal (user or role) makes a request.
• Permissions in the policies determine whether the request is allowed or denied.
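To make the evaluation rule concrete, the following is an added example (not code from the original slides and not AWS's own evaluator) that models the basic decision logic: every request is denied by default, a matching Allow statement grants it, and a matching explicit Deny wins over any Allow. The policy documents below are constructed for illustration; real IAM evaluation also considers conditions, resource-based policies, permission boundaries and SCPs, which this model leaves out.

```python
"""Simplified IAM policy evaluation (added example; assumptions noted inline).

Implements only the core, documented ordering: implicit deny -> explicit allow
-> explicit deny overrides. Condition keys, resource policies, permission
boundaries and SCPs are intentionally not modelled.
"""
import fnmatch
import json


def _as_list(value):
    # IAM allows a single string or a list for Action, NotAction, Resource, Statement.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    # IAM supports '*' and '?' wildcards in Action and Resource; fnmatch covers both.
    # Action names are case-insensitive in IAM, ARNs are not.
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if ignore_case else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def _statement_applies(stmt, action, resource):
    # A statement applies when its Action/NotAction and Resource both match the request.
    if "Action" in stmt and not _matches(stmt["Action"], action, ignore_case=True):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action, ignore_case=True):
        return False
    return _matches(stmt.get("Resource", "*"), resource)


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request under a list of
    identity policy documents, using the simplified ordering described above."""
    decision = "Deny"  # nothing is permitted until a statement says so
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides every allow
            decision = "Allow"
    return decision


# Constructed sample policies (not from any real account).
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"},
    ],
}

# Policies are JSON documents; this one is parsed from text to show the shape.
DENY_PROD_BUCKET = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::prod-data", "arn:aws:s3:::prod-data/*"]
  }
}
""")


if __name__ == "__main__":
    attached = [READ_ONLY_POLICY, DENY_PROD_BUCKET]
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::dev-data/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::dev-data/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::prod-data/salaries.csv"),
    ]:
        print(f"{action:14} {resource:40} -> {evaluate(attached, action, resource)}")
```

Running the block prints one decision per sample request: the read on the dev bucket is allowed, the write is implicitly denied because no statement grants `s3:PutObject`, and the read on the prod bucket is denied even though `s3:Get*` would otherwise allow it, because the explicit Deny is evaluated first.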
escalation, we work with the assumption that we have gained access to General Tarkin's AWS credentials.
• These credentials appear to be non-privileged.
• Our aim is to exploit a misconfiguration in the user's policy definition and gain access to the employee database for the Death Star.
will get, explore what else is available within the AWS account.
• Attackers tend to focus on data theft/destruction and make an attempt to use resources for their own benefit (like crypto-mining) etc.
• Some attackers create a shadow admin account and use this as a backdoor.
• To hide their traces within AWS, attackers may also remove AWS logs (CloudTrail, flow logs etc.).
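The two behaviours named above, a shadow admin backdoor and log removal, both leave CloudTrail events behind before the logging is gone, which is what a defender should alert on. The following is an added example (not code from the original slides) that runs two such checks over a constructed CloudTrail-style record set: it flags trail or flow-log tampering events, and it flags any user being granted the managed AdministratorAccess policy, noting when the same actor created that user earlier in the batch. The records, user names and trail name are constructed for illustration; the event names and field layout follow the real CloudTrail record format.

```python
"""Detection of log tampering and shadow-admin creation in CloudTrail records.
Added example; sample records below are constructed, not real logs."""
import json

# CloudTrail/EC2 API calls that reduce or remove audit logging.
LOG_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                     "PutEventSelectors", "DeleteFlowLogs"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed records in the {"Records": [...]} shape CloudTrail writes to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:58:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": None},
    {"eventTime": "2024-05-01T10:01:22Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T10:01:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2024-05-01T10:03:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "cloud-admin"},
     "requestParameters": {"userName": "analyst", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]})


def parse_records(text):
    """Accept either a CloudTrail S3 object ({"Records": [...]}) or a bare list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def find_suspicious(events):
    """Return a list of findings, one per matching event, in log order."""
    findings = []
    created_users = {}  # userName -> actor who created it, for correlation
    for ev in events:
        actor = (ev.get("userIdentity") or {}).get("userName", "unknown")
        name = ev["eventName"]
        params = ev.get("requestParameters") or {}
        if name in LOG_TAMPER_EVENTS:
            findings.append({
                "rule": "log-tampering", "time": ev["eventTime"], "actor": actor,
                "event": name, "target": params.get("name") or params.get("flowLogIds"),
            })
        elif name == "CreateUser":
            created_users[params.get("userName")] = actor
        elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            target = params.get("userName")
            findings.append({
                "rule": "shadow-admin", "time": ev["eventTime"], "actor": actor,
                "event": name, "target": target,
                # Creating a user and immediately making it admin is the backdoor pattern.
                "created_by_same_actor": created_users.get(target) == actor,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_records(SAMPLE_LOG)):
        print(json.dumps(f))
```

The benign ReadOnlyAccess attachment by `cloud-admin` produces no finding, so the output is two alerts: the new `svc-backup` user being made an administrator by the same principal that created it, and `org-trail` being stopped a minute later. In practice the same logic would consume CloudTrail delivered to S3 or CloudWatch Logs; the point of alerting on `StopLogging`/`DeleteTrail` is that these are the last events a trail records before it goes quiet.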