Slide 1

From ‘huh?’ to privilege escalation
Finding vulnerabilities from a bug in the AWS console
Ben Bridts

Slide 2

who are we building for?

Slide 3

Huh?

Slide 4

AWS Well-Architected Reviews
AWS Professional Services
AWS Architecture Design
AWS 24/7 Managed Services
AWS DevOps Best Practices
AWS Migration Expertise & Guidance
AWS Public Sector Solutions
AWS Workshops & Training
AWS Reselling & Cost Optimization

Slide 5

AWS Directory Service
Directory types: Simple AD, AD Connector, AWS Managed Microsoft AD
Services that integrate with it: Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, Amazon Connect, Amazon Relational Database Service (Amazon RDS), Amazon Elastic Compute Cloud (Amazon EC2), AWS Management Console

Slide 6

AWS Directory Services Console

Slide 9

Investigation

Slide 11

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html

Slide 12

Lessons
CloudTrail is not a given, especially for console-only actions
CloudTrail is extremely valuable for operations and defense

Slide 13

who are we building for?

Slide 14

Reproducing the issue

Slide 17

https://botocore.amazonaws.com/v1/documentation/api/latest/reference/loaders.html
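The botocore loaders page is linked here because it is the mechanism for reproducing a console-only call from the command line: a service model recovered from the console can be dropped into botocore's search path (~/.aws/models, or any directory named in AWS_DATA_PATH) as <service-name>/<api-version>/service-2.json, after which boto3 and the AWS CLI call the nonpublic operation like any public one. The block below is an added example, not the talk's code and not the contents of the model repositories linked at the end of the deck; the service "example", its DescribeWidget operation, the API version and the endpoint URL are constructed placeholders, and botocore has to be installed for the loader part to run.

```python
"""Added example: teach botocore an API it ships no model for (placeholder service)."""
import importlib.util
import json
import os
import tempfile

HAVE_BOTOCORE = importlib.util.find_spec("botocore") is not None

SERVICE_NAME = "example"     # hypothetical service name, not a real AWS service
API_VERSION = "2023-06-12"   # hypothetical API version

# Minimal constructed service-2.json model. A model recovered from the console's
# JavaScript has the same structure, with the real operations and shapes filled in.
MODEL = {
    "version": "2.0",
    "metadata": {
        "apiVersion": API_VERSION,
        "endpointPrefix": SERVICE_NAME,
        "jsonVersion": "1.1",
        "protocol": "json",
        "serviceFullName": "Example Nonpublic Service",
        "serviceId": "Example",
        "signatureVersion": "v4",
        "targetPrefix": "ExampleService",
        "uid": f"{SERVICE_NAME}-{API_VERSION}",
    },
    "operations": {
        "DescribeWidget": {
            "name": "DescribeWidget",
            "http": {"method": "POST", "requestUri": "/"},
            "input": {"shape": "DescribeWidgetRequest"},
            "output": {"shape": "DescribeWidgetResponse"},
        }
    },
    "shapes": {
        "DescribeWidgetRequest": {
            "type": "structure",
            "required": ["WidgetId"],
            "members": {"WidgetId": {"shape": "String"}},
        },
        "DescribeWidgetResponse": {
            "type": "structure",
            "members": {"Name": {"shape": "String"}},
        },
        "String": {"type": "string"},
    },
}


def write_model(models_dir, model=MODEL):
    """Write the model in the layout botocore's Loader searches and return its path."""
    path = os.path.join(models_dir, SERVICE_NAME, API_VERSION, "service-2.json")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(model, fh, indent=2)
    return path


def load_operations(models_dir):
    """Put models_dir first on the loader's search path (what AWS_DATA_PATH does for
    the CLI) and return the operation names botocore now knows for the service."""
    import botocore.session
    from botocore.model import ServiceModel

    session = botocore.session.get_session()
    loader = session.get_component("data_loader")
    loader.search_paths.insert(0, models_dir)
    data = loader.load_service_model(SERVICE_NAME, "service-2", api_version=API_VERSION)
    return sorted(ServiceModel(data, service_name=SERVICE_NAME).operation_names)


def build_client(models_dir):
    """Create a real client from the custom model. Nothing is sent here; the endpoint
    is a placeholder, the real one is taken from the console's network requests."""
    import botocore.session

    session = botocore.session.get_session()
    session.get_component("data_loader").search_paths.insert(0, models_dir)
    return session.create_client(
        SERVICE_NAME, region_name="us-east-1", endpoint_url="https://example.invalid"
    )


def demo(models_dir=None):
    """Write the model into a fresh directory and report what botocore sees."""
    models_dir = models_dir or tempfile.mkdtemp(prefix="aws-models-")
    return {
        "models_dir": models_dir,
        "model_path": write_model(models_dir),
        "operations": load_operations(models_dir) if HAVE_BOTOCORE else None,
    }


if __name__ == "__main__":
    result = demo()
    print(result)
    if HAVE_BOTOCORE:
        client = build_client(result["models_dir"])
        # The method exists now; calling it would sign and POST to the endpoint.
        print(client.describe_widget)
```

Once the model directory exists, the same call is available to the AWS CLI with AWS_DATA_PATH set to that directory, which is also how such calls become reproducible for anyone who has the model, not only for the console.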

Slide 19

Takeaways
Race conditions will happen
Nonpublic APIs can still be usable (especially for attackers)
Client-side is untrusted

Slide 20

who are we building for?

Slide 21

Privilege escalation

Slide 22

Diagram: an Existing Directory with users Alice and Bob in Group A and Group B, and the IAM user roles ds-group-a and ds-group-b

Slide 23

Diagram (continued): the Permissions and the Trust Relationship of roles ds-group-a and ds-group-b are highlighted

Slide 25

Diagram (continued): the roles' Permissions, with the documentation on creating such roles and on IAM resource permissions:
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html
[docs]/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html

Slide 26

Diagram (continued): a Group C is added next to Group A and Group B
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html

Slide 27

Diagram (continued): a New Directory containing Group C appears beside the Existing Directory (Alice, Bob, Group A); role ds-group-a and its Permissions remain
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html

Slide 28

Takeaways
Nonpublic APIs make IAM policies harder to write
Make ExternalIds as specific as possible
Verify the negative too
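The two ExternalId takeaways above, as an added example (not code from the talk): a small evaluator for the trust policy of a role that AWS Directory Service assumes, run once for the directory the role is meant for and once for a second directory in the same account, which is the "verify the negative too" step. The example assumes that Directory Service assumes the role as the service principal ds.amazonaws.com and presents a directory ID as sts:ExternalId; the directory IDs are constructed placeholders, and the three policies are illustrative (no ExternalId condition, a wildcard over all directory IDs, one exact directory ID), not the talk's actual policies. Only the parts of IAM evaluation the comparison needs are modelled: Allow statements, a Service principal, StringEquals and StringLike.

```python
"""Added example: positive and negative checks on a Directory Service role trust policy."""
import re

# Constructed placeholder IDs (not from the talk).
EXISTING_DIRECTORY_ID = "d-1111111111"   # the "Existing Directory" the role is meant for
NEW_DIRECTORY_ID = "d-2222222222"        # a second directory someone creates in the same account


def trust_policy(condition=None):
    """Trust policy that lets Directory Service assume the role, optionally conditioned."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": "ds.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


# Three ExternalId choices, from least to most specific.
NO_EXTERNAL_ID = trust_policy()
ANY_DIRECTORY = trust_policy({"StringLike": {"sts:ExternalId": "d-*"}})
ONE_DIRECTORY = trust_policy({"StringEquals": {"sts:ExternalId": EXISTING_DIRECTORY_ID}})


def _string_like(pattern, value):
    """IAM StringLike: * matches any run of characters, ? exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_matches(condition, context):
    """Every operator block must match; a context key that is absent fails the
    condition (the ...IfExists variants are not modelled here)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(_string_like(p, actual) for p in wanted)
            else:
                raise NotImplementedError(f"condition operator {operator} is not modelled")
            if not ok:
                return False
    return True


def can_assume(policy, service_principal, external_id=None):
    """True if some Allow statement lets service_principal call sts:AssumeRole
    presenting external_id as sts:ExternalId (None: the caller sends none)."""
    context = {} if external_id is None else {"sts:ExternalId": external_id}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        if stmt["Principal"].get("Service") != service_principal:
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def verify_trust(policy, intended_directory_id, other_directory_id):
    """Positive check: the intended directory can assume the role.
    Negative check: a different directory in the same account cannot."""
    return {
        "intended": can_assume(policy, "ds.amazonaws.com", intended_directory_id),
        "other": can_assume(policy, "ds.amazonaws.com", other_directory_id),
    }


def is_scoped(policy, intended_directory_id, other_directory_id):
    """Both checks have to hold; an allow for the intended directory alone is not enough."""
    result = verify_trust(policy, intended_directory_id, other_directory_id)
    return result["intended"] and not result["other"]


if __name__ == "__main__":
    for name, policy in [("no ExternalId", NO_EXTERNAL_ID),
                         ("StringLike d-*", ANY_DIRECTORY),
                         ("StringEquals one directory", ONE_DIRECTORY)]:
        print(name, verify_trust(policy, EXISTING_DIRECTORY_ID, NEW_DIRECTORY_ID))
```

Only the exact-ID policy passes both checks: the first two let any directory in the account, including one created for the purpose, take the role, which is the path the diagram slides sketch with the New Directory and Group C. The same two-sided check belongs in any test of a trust policy, whatever condition key it relies on.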

Slide 29

who are we building for?

Slide 30

Conclusion

Slide 31

we can’t claim shared responsibility without the right tools

Slide 32

there is still low-hanging fruit

Slide 33

who are we building for?

Slide 34

Please make me happy too
Add auditing to your products
Create documented, public APIs
Use more specific ExternalIds

Slide 35

Learn more
https://fwdcloudsec.org/speakers.html#evading-logging-cloud-aws
https://fwdcloudsec.org/speakers.html#ground-shifts-underneath-us
https://github.com/benbridts/aws-undocumented-api-models
https://github.com/Frichetten/aws-api-models
https://www.youtube.com/watch?v=R039RTcy6_w
https://cloudar.be/awsblog/cloudsec2023

Slide 36

Thank you!
Ben Bridts
[email protected]
@BenBridts | @WeAreCloudar
www.cloudar.be