• You have 39 security groups named “Launch-wizard-x”, half of which allow all from 0.0.0.0
• Your bill is 5x what you were expecting
• 2 teams are asking you why their systems disappeared and 8 more are unreachable
• You have 176 instances running and you only know what 7 of them do
Forklifting isn’t safe either

• For starters, it’s likely the most expensive way to use AWS
• IDS and network access controls are unaware of AWS API activity
• Certain low priority vulnerabilities become critical
What’s your Attack Surface?

• “…by the lack of change when you move to Cloud.”*
• In reality it gets worse because of API access and unexpected information leakage
  – AWS API endpoints are open by default, which trumps all existing controls
  – Private IP’s might be public
  – The only thing standing between total compromise of your _entire_ datacenter is the secrecy of your API keys

*Chris Hoff, @beaker
EMERGENT INSECURITY

• …systems that are insecure and not survivable
• Focus on creating environments that are eventually consistent with your security and operational goals
• If your system requires strict change control to maintain order, in the cloud you will eventually have chaos.
What is Cloud Metadata?

• …Link-Local Addresses
• Metadata contains all kinds of awesome things, like startup scripts and your AWS access credentials
• It’s not just AWS, all cloud providers have it
  – AWS: http://169.254.169.254/latest/user-data
  – Google: http://169.254.169.254/computeMetadata/v1/
  – OpenStack/RackSpace: http://169.254.169.254/openstack
  – HP Helion: http://169.254.169.254/2009-04-04/meta-data/
  – etc…
• There is nothing wrong with any of this, as long as you are aware and protect it
Accessing AWS Metadata

• …not all!) of the metadata
• To get everything use wget or curl

    $ wget -q -O - http://169.254.169.254/latest/meta-data/
    ami-id
    ami-launch-index
    ami-manifest-path
    block-device-mapping/
    hostname
    iam/
    instance-action
    instance-id
    instance-type
    kernel-id
    local-hostname
    local-ipv4
    mac
    metrics/
    network/
    placement/
    profile
    public-hostname
    public-ipv4
    public-keys/
    reservation-id
    security-groups

Each one of these represents metadata you can access:

    $ wget -q -O - http://169.254.169.254/latest/meta-data/instance-id
    i-0496132e
Controlling API Access

• Keys locked down to specific IP’s could accidentally find their way into GitHub with less chance of damage
• If you don’t need it or use it, you could also block it
  – route add -host 169.254.169.254 reject

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
          "NotIpAddress": {
            "aws:SourceIp": ["YOUR VPC NAT GATEWAY IP/32"]
          }
        }
      }]
    }
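To see what the Deny policy above actually does to a leaked key, here is an added evaluator (not from the deck) for the NotIpAddress condition: a call from the NAT gateway passes, a call from anywhere else is denied. The NAT address 203.0.113.10 is a constructed placeholder.

```python
import ipaddress
import json

# Added example (not from the deck): the Deny-unless-from-NAT policy shown
# on the slide, with a constructed placeholder standing in for the NAT IP.
NAT_GATEWAY_IP = "203.0.113.10"   # placeholder, TEST-NET-3 address
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["%s/32"]}}
  }]
}
""" % NAT_GATEWAY_IP)


def not_ip_address_matches(condition: dict, source_ip: str) -> bool:
    """NotIpAddress is satisfied when the caller's IP lies outside every
    listed CIDR. A v6 caller never falls inside a v4 CIDR, so it matches
    too: the lock holds for either address family."""
    addr = ipaddress.ip_address(source_ip)
    cidrs = condition.get("NotIpAddress", {}).get("aws:SourceIp", [])
    if isinstance(cidrs, str):          # IAM allows a bare string here
        cidrs = [cidrs]
    return all(addr not in ipaddress.ip_network(c, strict=False) for c in cidrs)


def request_denied(policy: dict, source_ip: str) -> bool:
    """True when any Deny statement fires for a call from source_ip.
    Only the NotIpAddress operator is evaluated (hypothetical evaluator)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):    # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition")
        if cond is None or not_ip_address_matches(cond, source_ip):
            return True                 # an explicit Deny always wins
    return False
```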
API Honeypot Anyone?

• …from GitHub?
• Create a key, lock it to only one IP address and watch your CloudTrail logs
• You should see failed access attempts in 60 minutes or less
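The watching part, as an added example that is not the deck's code: CloudTrail-style records (constructed here, not real logs) are scanned for any use of the honeypot key from outside the CIDR it is locked to. The key id, IPs and timestamps are placeholders.

```python
import ipaddress
import json

# Constructed CloudTrail-style records (not real logs); key id and IPs are placeholders.
HONEYPOT_KEY = "AKIAHONEYPOTEXAMPLE0"       # placeholder access key id
ALLOWED_SOURCES = ["203.0.113.10/32"]        # the NAT gateway the key is locked to

SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2014-10-01T12:00:03Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAHONEYPOTEXAMPLE0"}},
 {"eventTime": "2014-10-01T12:41:17Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.23",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAHONEYPOTEXAMPLE0"}},
 {"eventTime": "2014-10-01T12:41:25Z", "eventSource": "iam.amazonaws.com",
  "eventName": "ListUsers", "sourceIPAddress": "198.51.100.23",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAHONEYPOTEXAMPLE0"}},
 {"eventTime": "2014-10-01T13:02:40Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAOTHERKEYEXAMPLE0"}}
]""")


def from_allowed_source(source: str, allowed) -> bool:
    """sourceIPAddress may be a service name (e.g. ec2.amazonaws.com) for
    AWS-initiated calls; anything that is not an IP counts as outside."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c) for c in allowed)


def honeypot_hits(records, key_id=HONEYPOT_KEY, allowed=ALLOWED_SOURCES):
    """Alert on every use of the honeypot key from outside the allowed CIDRs;
    a SUCCESS outcome there means the IP lock itself is not working."""
    alerts = []
    for rec in records:
        if rec.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue
        src = rec.get("sourceIPAddress", "")
        if from_allowed_source(src, allowed):
            continue
        alerts.append({"time": rec["eventTime"], "source_ip": src,
                       "call": rec["eventSource"] + ":" + rec["eventName"],
                       "outcome": rec.get("errorCode", "SUCCESS")})
    return alerts
```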
1. AWS DNS reveals private IP of web server
2. Private IP of web server reveals detailed errors or admin interface
3. …exposes EC2 Metadata, revealing AWS API Keys
4. AWS API Key lets you create new instances where you clone and mount any existing EBS vol.
5. Cloned system gets you SSH keys to app servers and API key with IAM:* giving you access to everything
6. With new root credentials create trust relationship with external account and clone DB for quiet extraction
Bypassing Auth with Clones

• …no access to your servers
  – Actually, I have access to your servers
  – Clone the EBS vol’s, mount, extract whatever I need/want
• Same is true of RDS, I don’t need your passwords, I just need to snapshot your DB
EXCESSIVE LACK of ACCESS CONTROL

…with a policy that looks like this?

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }
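Finding that policy in an account is a policy-document check, not a people check. Added example (not the deck's code): the slide's wildcard policy beside a scoped one, and a small linter that flags any Allow that amounts to account-wide admin, including the IAM:* case the attack chain above relies on. The scoped bucket name is a constructed placeholder.

```python
import json

# Added example, not the deck's code: the wildcard policy from the slide
# beside a scoped one, and a linter that flags account-wide admin grants.
OVERLY_PERMISSIVE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

SCOPED = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
   {"Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}
""")

# Action values that amount to control of the whole account. iam:* is
# included because its holder can grant itself anything else.
ADMIN_ACTIONS = {"*", "*:*", "iam:*"}


def as_list(value):
    """IAM accepts a single string or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_admin_statements(policy):
    """Return (statement index, reason) for each Allow that is effectively
    account-wide admin. Conditions are ignored on purpose: a conditional
    admin grant still needs a human to review it."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource")):
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        wild = sorted(actions & ADMIN_ACTIONS)
        if wild:
            findings.append((i, "Allow %s on all resources" % ",".join(wild)))
        elif "NotAction" in stmt:
            # "Allow everything except a few actions" is near-admin as well.
            findings.append((i, "Allow with NotAction on all resources"))
    return findings
```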
TAGS

• …of keeping track of things
• Tags, however, often contain private data that does not have strong access protections
• If you use any 3rd party AWS management system like StackDriver, CloudHealth or others, your tag data is replicated to those systems
PRIVATE IS PUBLIC DNS

• …public DNS entries to RFC 1918 private address
• Good chance of Information Exposure (CWE-200) from web servers listening on private IP’s
• A casual poke around the EC2 10.0.0.0/8 address space reveals hundreds of web servers
• Remediation: Migrate EC2 Classic environments to VPC

    [ec2-user@heyzeus ~]$ host example.veracodelabs.com
    example.veracodelabs.com is an alias for ec2-107-22-197-187.compute-1.amazonaws.com.
    ec2-107-22-197-187.compute-1.amazonaws.com has address 10.72.187.67
LACK OF AWARENESS

• So far, most of these people have been pretty damn lucky
• Don’t be one of these people, turn on CloudTrail
• Use Logstash, develop your own or buy a commercial solution to keep track of API activity
CloudAtlas

• …application
• Requires only read-only API access
• Free SaaS service for exploring your AWS environment
• www.cloudatlas.veracodelabs.com
• Coming Soon
  – Web Interface not ready yet, sorry!
CloudAtlas

• …accounts and permissions
• Track and alert on changes in near real time
• Map out your applications and services
• Perform analysis on services in use
Adv. Capabilities

• …EBS volumes to enumerate applications and systems
• IAM Permission Analysis
• Complete analysis and reporting of who can do what to what, when and where from
Other Tools

• …and a whole ton of other OSS
• AWS Trusted Advisor
  – https://aws.amazon.com/premiumsupport/trustedadvisor/
• NimboStratus
  – https://andresriancho.github.io/nimbostratus/