data center applications and loading them into a cloud provider with little or no changes.
Often this is the most expensive way to use AWS. It is also dangerous:
- IDS and network access controls are unaware of AWS API activity
- Previously ignored or de-prioritized vulnerabilities can become critical
- The meaning of availability changes
calls are subject to unpredictable, non-persistent network latency, system performance and connection interruption.
- Guaranteed failure: system availability is a factor of redundancy and automation, not of the stability and performance of monolithic systems
- Software-defined everything (SDe): virtualized networks, network interfaces, file systems, computing power and more can change independently of the underlying system
- Out-of-band management: AWS APIs operate outside of traditional security controls and can make all existing controls irrelevant
enforce change control, which creates brittle systems that are insecure and not survivable; design your systems to be eventually consistent with your security and operational goals.
If your system requires strict change control to maintain order, in the Cloud you will eventually have chaos.
you'll be pleasantly surprised by the lack of change when you move to Cloud."*
In reality it gets worse:
- AWS API endpoints are open by design and trump all existing controls
- Private IPs might be public
- Data leaks through 3rd party services
- The only thing standing between you and total compromise of your _entire_ datacenter is the secrecy of your API keys
*Chris Hoff, @beaker
mining operations within your cloud environment
- Alters your applications to spread malware
- Uses your environment as a means to launch additional attacks
- Downloads all your customers' data
system in AWS-VPC: block all network traffic, throw away SSH keys/passwords, place an IDS on the VPC gateway to detect intrusion attempts, log all network traffic to/from the system.
In a traditional data center the system is now inaccessible, and any attempt to access it would be detected.
In AWS, use the API to snapshot the AMI/EBS volumes, mount the snapshots on a different system and extract whatever I need/want. Zero indication from traditional controls that any access has taken place.
The same is true of RDS: I don't need your passwords, I just need to snapshot your DB.
Configuration of IPv4 Link-Local Addresses
Metadata contains all kinds of awesome things, like startup scripts and your AWS access credentials.
It's not just AWS, all cloud providers have it (except for MS Azure!):
- AWS: http://169.254.169.254/latest/user-data
- Google: http://169.254.169.254/computeMetadata/v1/
- OpenStack/RackSpace: http://169.254.169.254/openstack
- HP Helion: http://169.254.169.254/2009-04-04/meta-data/
On Azure, metadata is not dynamic but is copied to /var/lib/waagent (Linux) or %SYSTEMDRIVE%\AzureData\CustomData.bin (Windows).
There is nothing wrong with any of this, as long as you are aware and protect it.
hostname
iam/
instance-action
instance-id
instance-type
kernel-id
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
Each one of these represents metadata you can access.
Accessing AWS Metadata
The AWS command line tool ec2-metadata will extract some (but not all!) of the metadata. To get everything use wget or curl:
$ wget -q -O - http://169.254.169.254/latest/meta-data/instance-id
i-0496132e
total data center compromise in AWS:
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-611: XML External Entity (XXE)
- CWE-441: Unintended Proxy or Intermediary
- CWE-77: Command Injection
- CWE-200: Information Exposure
Why? All of these can lead to unintended exposure of metadata.
first hand: http://engineering.prezi.com/blog/2014/03/24/prezi-got-pwned-a-tale-of-responsible-disclosure/
Andres Riancho demonstrated this in his BlackHat talk "Pivoting in Amazon Clouds": he exploited an SSRF vuln to inject malicious AWS SQS messages, then exploited a celery/python vuln and took control.
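The common thread in the CWEs above is a server fetching a URL (or XML entity) on an attacker's behalf, and the metadata service at 169.254.169.254 is the first thing such a fetch will be pointed at. The following outbound-request guard is an added example, not code from the slides; it rejects link-local, loopback and RFC 1918 targets, IPv4-mapped IPv6 forms, non-canonical numeric hosts (decimal, octal, hex spellings of the same address), and names that resolve to a blocked address. The resolver is injected, so SAMPLE_DNS and sample_resolve are constructed stand-ins for a real lookup.

```python
"""Outbound-request guard against SSRF reaching the instance metadata service.

Added example, not from the original slides. The resolver is injected so the
check runs offline; SAMPLE_DNS and sample_resolve are constructed stand-ins
for a real DNS lookup.
"""
import ipaddress
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never contact on a user's behalf. The
# first entry covers 169.254.169.254, the metadata endpoint shared by AWS,
# Google, OpenStack/Rackspace and HP Helion.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",  # IPv4 link-local (metadata service)
    "127.0.0.0/8",     # loopback
    "0.0.0.0/8",       # "this" network
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "::1/128",         # IPv6 loopback
    "fe80::/10",       # IPv6 link-local
    "fc00::/7",        # IPv6 unique local
)]


def _blocked(ip):
    """True if the address is in a blocked range (unwrapping IPv4-mapped IPv6)."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or ip.is_reserved or any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolve):
    """Decide whether a user-supplied URL may be fetched server-side.

    resolve(name) -> list of address strings. Returns (allowed, reason).
    The caller should connect to the addresses validated here rather than
    resolving again, so a DNS rebind cannot swap in 169.254.169.254
    between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]          # canonical IP literal
    except ValueError:
        # Top-level labels are never numeric or hex, so "2852039166",
        # "0xa9fea9fe" or "0251.0376.0251.0376" are rejected instead of
        # being handed to a resolver that would accept them as addresses.
        last = host.rstrip(".").rsplit(".", 1)[-1].lower()
        if last.isdigit() or last.startswith("0x"):
            return False, "non-canonical numeric host"
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "resolution failed"
        if not addrs:
            return False, "resolution failed"
    for addr in addrs:
        if _blocked(addr):
            return False, f"{addr} is not a public address"
    return True, "ok"


# Constructed DNS answers used in place of a live resolver.
SAMPLE_DNS = {
    "example.com": ["203.0.113.5"],          # documentation range, stands in for a public host
    "rebind.invalid": ["169.254.169.254"],   # a hostname pointed at the metadata service
}


def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/iam/",
              "http://[::ffff:169.254.169.254]/latest/user-data",
              "http://2852039166/",
              "http://rebind.invalid/",
              "https://example.com/healthz"):
        print(u, check_outbound_url(u, sample_resolve))
```

The guard is only half of the mitigation: it must be applied to every hop of a redirect chain, and the connection must go to the address that was checked rather than be re-resolved by the HTTP library. The other half is on the instance side, where anything that limits what the metadata service hands out (instance profiles scoped to the minimum the host needs, and on current AWS the session-token form of the metadata service) shrinks what an SSRF can reach.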
security groups!
Keys locked down to specific IPs (like your VPC gateway) have less chance of damage. It doesn't fully eliminate the problem, however.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": ["VPC GATEWAY IP/32"]
      }
    }
  }]
}
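To see what the Deny above does and does not cover, the following added example (not the slides' own code) walks the policy through a small evaluator covering only the subset of IAM logic involved here: Effect, wildcard Action matching, and IpAddress / NotIpAddress conditions on aws:SourceIp. GATEWAY_IP stands in for the slide's "VPC GATEWAY IP" placeholder and the sample calls are constructed; the Allow statement is added because the slide's Deny grants nothing by itself.

```python
"""Evaluate the slide's source-IP Deny policy against sample API calls.

Added example, not from the slides; models only Effect/Action/Condition with
IpAddress and NotIpAddress on aws:SourceIp, not full IAM evaluation.
GATEWAY_IP and the sample calls are constructed values.
"""
import fnmatch
import ipaddress
import json

GATEWAY_IP = "203.0.113.10"   # constructed stand-in for "VPC GATEWAY IP"

# The slide's Deny statement plus an Allow for the calls the key is meant to make.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:Describe*", "ec2:CreateSnapshot"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": ["%s/32"]}
      }
    }
  ]
}
""" % GATEWAY_IP)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_cidrs(source_ip, cidrs):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress conditions keyed on aws:SourceIp."""
    for operator, block in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported operator {operator}")
        cidrs = block.get("aws:SourceIp")
        if cidrs is None:
            raise ValueError(f"unsupported condition key in {operator}: {block}")
        inside = _ip_in_cidrs(source_ip, cidrs)
        if operator == "IpAddress" and not inside:
            return False
        if operator == "NotIpAddress" and inside:
            return False
    return True


def evaluate(policy, action, source_ip):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one call from source_ip."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_ip):
            continue           # condition false: statement does not apply
        if stmt["Effect"] == "Deny":
            return "Deny"      # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for action, ip in (("ec2:DescribeInstances", GATEWAY_IP),
                       ("ec2:DescribeInstances", "198.51.100.7"),
                       ("ec2:CreateSnapshot", "10.0.0.5"),
                       ("iam:CreateUser", GATEWAY_IP)):
        print(f"{action:24s} from {ip:15s} -> {evaluate(POLICY, action, ip)}")
```

Two things the evaluation makes visible. A leaked key is useless from anywhere but the gateway, which is the slide's point; but aws:SourceIp is the address the API endpoint sees, so every host whose traffic leaves through that gateway presents the same IP, and a compromised instance behind it passes the check. That is why the slide says the Deny reduces rather than eliminates the problem.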
Be wary of developers building systems who are new to the Cloud, because they might now be the ones configuring the firewall rules and API access policies as well.
Developers and Operations are often predisposed to "just make it work". This is one of the reasons DevOps is such a powerful movement. It's on us as security people to adapt and keep DevOps powerful.
means of keeping track of things. Tags, however, often contain private data that does not have strong access protections. I've seen API keys and passwords in tags!!!
If you use any 3rd party AWS management system like StackDriver, CloudHealth or others, your tag data is replicated to those systems.
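Because tags are readable by anyone with describe permissions and get copied to third-party tooling, a periodic sweep for credential-looking tags is cheap insurance. The scanner below is an added example, not part of the slides: it flags tags whose key name suggests a credential or whose value contains an AWS access key id, a secret-key assignment or PEM key material. SAMPLE_TAGS is a constructed list in the shape of `aws ec2 describe-tags` output; the key values in it are the ones AWS uses in its own documentation examples, not live keys.

```python
"""Flag tags that look like they carry credentials.

Added example, not part of the slides. SAMPLE_TAGS is constructed in the
shape of `aws ec2 describe-tags` output; the access key and secret key are
AWS's documentation example values.
"""
import re

SAMPLE_TAGS = [
    {"ResourceId": "i-0abc1234", "ResourceType": "instance", "Key": "Name", "Value": "web-01"},
    {"ResourceId": "i-0abc1234", "ResourceType": "instance", "Key": "db_password", "Value": "hunter2"},
    {"ResourceId": "vol-0def5678", "ResourceType": "volume", "Key": "backup",
     "Value": "AKIAIOSFODNN7EXAMPLE"},
    {"ResourceId": "i-0abc1234", "ResourceType": "instance", "Key": "deploy",
     "Value": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"ResourceId": "sg-0fed9876", "ResourceType": "security-group", "Key": "Team", "Value": "platform"},
]

# Key names that conventionally hold credentials (deliberately broad: review, don't auto-delete).
CREDENTIAL_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.I)

# Value shapes worth flagging regardless of the key name.
VALUE_PATTERNS = {
    "aws access key id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws secret access key": re.compile(r"aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+]{40}", re.I),
    "private key material": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def scan_tags(tags):
    """Return one finding per suspicious tag, with the reasons it was flagged."""
    findings = []
    for tag in tags:
        reasons = []
        if CREDENTIAL_KEY.search(tag["Key"]):
            reasons.append("key name suggests a credential")
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(tag["Value"]):
                reasons.append(f"value contains {label}")
        if reasons:
            findings.append({
                "resource": tag["ResourceId"],
                "type": tag["ResourceType"],
                "key": tag["Key"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_tags(SAMPLE_TAGS):
        print(f"{finding['type']} {finding['resource']} tag {finding['key']!r}: "
              + "; ".join(finding["reasons"]))
```

Feed it the `Tags` list from a real `describe-tags` call (paginated) and the same pass applies to any other tagged service. Treat a hit as a rotation event, not just a cleanup: once a key has sat in a tag, it has been replicated to every system that syncs tags.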
will resolve EC2 Classic public DNS entries to RFC 1918 private addresses.
Good chance of Information Exposure (CWE-200) from web servers listening on private IPs: a casual poke around the EC2 10.0.0.0/8 address space reveals hundreds of web servers.
Remediation: migrate EC2 Classic environments to VPC.
[ec2-user@heyzeus ~]$ host example.veracodelabs.com
example.veracodelabs.com is an alias for ec2-107-22-197-187.compute-1.amazonaws.com.
ec2-107-22-197-187.compute-1.amazonaws.com has address 10.72.187.67
left open to anyone attempting to access them. This might very well be intentional, but security through obscurity is a real problem.
AWS EBS
If I have API access, I can clone your running systems and EBS volumes into an external account. You can prevent this by encrypting your EBS volumes (you can't encrypt root volumes, however).
EC2 Metadata, revealing AWS API Keys
1. AWS DNS reveals the private IP of a web server
2. The private IP of the web server reveals detailed errors or an admin interface
4. The AWS API key lets you create new instances where you clone and mount any existing EBS volume
5. The cloned system gets you SSH keys to app servers and an API key with IAM:*, giving you access to everything
6. With new root credentials, create a trust relationship with an external account and clone the DB for quiet extraction
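The snapshot-and-mount steps above (and the earlier point that locked-down VPC hosts and RDS databases can be copied through the API with no trace in network controls) do leave a trace in one place: the API itself. Sharing a snapshot, AMI or RDS snapshot with another account is a ModifySnapshotAttribute / ModifyImageAttribute / ModifyDBSnapshotAttribute call, and those land in CloudTrail. The detection below is an added example, not from the slides: it walks a batch of CloudTrail records and raises an alert whenever a sharing call grants access to an account id that is not yours, or to the public group. SAMPLE_EVENTS are constructed records using the request parameter names CloudTrail logs for these calls, and TRUSTED_ACCOUNTS is a constructed set of your own account ids.

```python
"""Detect EBS snapshots, AMIs and RDS snapshots being shared outside your accounts.

Added example, not from the slides. SAMPLE_EVENTS are constructed CloudTrail
records; TRUSTED_ACCOUNTS is a constructed set of account ids you control.
"""

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

SAMPLE_EVENTS = [
    {"eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-bot"},
     "requestParameters": {"volumeId": "vol-0aa1", "description": "nightly"}},
    {"eventName": "ModifySnapshotAttribute",                   # shared to a foreign account
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"snapshotId": "snap-0bb2", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventName": "ModifySnapshotAttribute",                   # shared to our own second account
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"snapshotId": "snap-0bb3", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventName": "ModifyImageAttribute",                      # AMI made public
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
     "requestParameters": {"imageId": "ami-0cc3", "attributeType": "launchPermission",
                           "launchPermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventName": "ModifyDBSnapshotAttribute",                 # RDS snapshot shared out
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-final", "attributeName": "restore",
                           "valuesToAdd": ["999999999999"]}},
]

SHARING_CALLS = {"ModifySnapshotAttribute", "ModifyImageAttribute",
                 "ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}


def added_grantees(params):
    """Account ids (or 'group:all' for public) granted by one sharing call."""
    grantees = []
    for perm in ("createVolumePermission", "launchPermission"):      # EC2 snapshot / AMI
        for item in params.get(perm, {}).get("add", {}).get("items", []):
            grantees.append("group:" + item["group"] if "group" in item else item.get("userId", "?"))
    if params.get("attributeName") == "restore":                      # RDS snapshot
        grantees.extend("group:all" if v == "all" else v for v in params.get("valuesToAdd", []))
    return grantees


def find_external_shares(events, trusted_accounts):
    """Alerts for sharing calls whose grantee is not one of your own accounts."""
    alerts = []
    for ev in events:
        if ev.get("eventName") not in SHARING_CALLS:
            continue
        params = ev.get("requestParameters") or {}
        foreign = [g for g in added_grantees(params) if g not in trusted_accounts]
        if not foreign:
            continue
        resource = next((params[k] for k in ("snapshotId", "imageId", "dBSnapshotIdentifier",
                                              "dBClusterSnapshotIdentifier") if k in params), "?")
        alerts.append({"eventName": ev["eventName"],
                       "actor": ev.get("userIdentity", {}).get("arn", "?"),
                       "resource": resource,
                       "granted_to": foreign})
    return alerts


if __name__ == "__main__":
    for alert in find_external_shares(SAMPLE_EVENTS, TRUSTED_ACCOUNTS):
        print(f"{alert['eventName']}: {alert['actor']} shared {alert['resource']} "
              f"with {', '.join(alert['granted_to'])}")
```

Run over CloudTrail output this catches step 6's "clone for quiet extraction" at the moment the copy is made possible. It is worth pairing with alerts on the precursors in steps 4 and 5 (CreateSnapshot, AttachVolume and RunInstances from principals that never normally make them) and on the trust-relationship change itself, which appears as an IAM role policy update rather than a sharing call.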
access. Records all services and objects in use. Track changes, know what is in your account quickly.
Image Cracker
Crack open AMI and EBS snapshots and extract access keys, user accounts, data.
Coming soon: not quite ready yet, sorry!
of other OSS stuff you should check out:
- AWS Trusted Advisor: https://aws.amazon.com/premiumsupport/trustedadvisor/
- NimboStratus: https://andresriancho.github.io/nimbostratus/